The Firefox password manager vulnerability [LWN.net]

The Firefox password manager vulnerability

Posted Nov 30, 2006 8:47 UTC (Thu) by beejaybee (guest, #1581)
In reply to: The Firefox password manager vulnerability by rsw
Parent article: The Firefox password manager vulnerability

Actually passwords are fine _provided they're used only once_. The point being that disclosing a password for any reason compromises it, even if the reason is to gain access to the password-protected service.

What we really need is something like a smartcard which will generate one-time passwords and automatically communicate the next valid password to the service provider once access has been granted.

Firefox has fallen into the "convenience trap" here & urgently needs to be fixed. The quick (?) hack of copying the Opera "magic wand" procedure is probably the best mechanism for low to medium security requirements in the short term.

(Log in to post comments)

The Firefox password manager vulnerability

Posted Nov 30, 2006 21:05 UTC (Thu) by rriggs (subscriber, #11598) [Link]

Unless I misunderstand what you are saying, your logic is flawed. One has to disclose the password to set it in the first place.

The Firefox password manager vulnerability

Posted Dec 3, 2006 16:02 UTC (Sun) by k8to (subscriber, #15413) [Link]

I believe your parent is referring to the idea of having a password which is never set, but it is merely pre-arranged.

That is, a one-time password system where both parties can generate an unending linear set of passwords, so each password is generated by, and known to both parties in advance, but is only disclosed the once to authenticate. Traditional passwords become less secure as they are used. One-time passwords are discarded on use, so there is no lessening of security.

The downside of one-time passwords of course is they take even more effort than regular passwords, and at the rate at which passwords (ab)use is multiplying, I think neither is sustainable.