Title: [Hardening] F-06: 2FA Field Set as Password Causes Password Manager Issues. · Issue #13337 · apache/cloudstack · GitHub
Open Graph Title: [Hardening] F-06: 2FA Field Set as Password Causes Password Manager Issues. · Issue #13337 · apache/cloudstack
X Title: [Hardening] F-06: 2FA Field Set as Password Causes Password Manager Issues. · Issue #13337 · apache/cloudstack
Description: The required feature described as a wish Description: The 2FA input is defined as type="password". Password managers treat it like a regular password field, so they may save or autofill the 2FA code. This can overwrite the stored passwor...
Open Graph Description: The required feature described as a wish Description: The 2FA input is defined as type="password". Password managers treat it like a regular password field, so they may save or autofill the 2FA cod...
X Description: The required feature described as a wish Description: The 2FA input is defined as type="password". Password managers treat it like a regular password field, so they may save or autofill t...
Opengraph URL: https://github.com/apache/cloudstack/issues/13337
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Hardening] F-06: 2FA Field Set as Password Causes Password Manager Issues.","articleBody":"### The required feature described as a wish\n\n\u003cimg width=\"473\" height=\"612\" alt=\"Image\" src=\"https://github.com/user-attachments/assets/b624e9d2-08f0-4593-8446-3214e93d68a6\" /\u003e\n\n**Description:** The 2FA input is defined as type=\"password\". Password managers treat it like a regular password field, so they may save or autofill the 2FA code. This can overwrite the stored password and lock the user out of their account. The field was likely set this way to hide the Static PIN from bystanders or during screen sharing.\n\n**Affected Components:** Management UI\n\n**Impact:** Password managers may replace saved passwords with 2FA codes. This can lock users out and lead them to choose weaker passwords or store them insecurely.\n\n**Steps to Reproduce:**\n- Log in to the CloudStack Management UI with a user that has 2FA enabled.\n- Enter valid credentials and continue to the 2FA screen.\n- Inspect the 2FA input field in the browser’s developer tools.\n- Confirm it is set to type=\"password\".\n\n**Recommended Remediation:** Change the 2FA input field to type=\"number\" and add autocomplete=\"one-time-code\". This informs password managers of the field's actual meaning.\n\nAlso, consider combining the password and 2FA into a single form. This way, attackers can’t tell which part failed, making password attacks harder.","author":{"url":"https://github.com/davift","@type":"Person","name":"davift"},"datePublished":"2026-06-04T00:56:27.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13337/cloudstack/issues/13337"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:145a55ca-e7c9-9034-b0a8-9eb4d34aa145 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | BCCA:1E53DB:8A300E:8D4F5B:6A4DAE93 |
| html-safe-nonce | 83606c6757eebacdbad6855e080699c37b93663aff64abc1ef5dd03a3616ca5e |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJCQ0NBOjFFNTNEQjo4QTMwMEU6OEQ0RjVCOjZBNERBRTkzIiwidmlzaXRvcl9pZCI6Ijc4NTQxODQxNDc0MDAzNzE4NTkiLCJyZWdpb25fZWRnZSI6InNlYSIsInJlZ2lvbl9yZW5kZXIiOiJzZWEifQ== |
| visitor-hmac | d887b425d165e50b24b28831ec186f813259accbde760b27d992edd7e30c1f5c |
| hovercard-subject-tag | issue:4584828847 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13337/issue_layout |
| twitter:image | https://opengraph.githubassets.com/f162ba7321f551739f519ea4d97a3bb56dd2611e5189ed6f0ab3c29a74566db0/apache/cloudstack/issues/13337 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/f162ba7321f551739f519ea4d97a3bb56dd2611e5189ed6f0ab3c29a74566db0/apache/cloudstack/issues/13337 |
| og:image:alt | The required feature described as a wish Description: The 2FA input is defined as type="password". Password managers treat it like a regular password field, so they may save or autofill the 2FA cod... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | davift |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 32f7b614aca06e6bbd89842b1370df1328264f68 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width