The Firefox password manager vulnerability

Posted Nov 29, 2006 21:49 UTC (Wed) by emkey (guest, #144)
Parent article: The Firefox password manager vulnerability

Some day people will learn that the only safe place to store passwords is in your head. I've never trusted any of these systems for anything but the most trivial use. I never will.


The Firefox password manager vulnerability

Posted Nov 29, 2006 22:21 UTC (Wed) by kirkengaard (guest, #15022) [Link]

On the pat yourself on the back side of things, yes, good security practice does suggest that this sort of crutch is just like writing down your passwords anywhere else. Raise your hand if you know someone who has their login written on the computer or monitor (or a post it attached thereunto). The unwary user who simply says, "Oh! A labor saving device! I hate forgetting the password for that website!" is foolish, but common.

Post-It notes

Posted Nov 30, 2006 13:11 UTC (Thu) by Richard_J_Neill (subscriber, #23093) [Link]

Often, post-it notes are quite sensible for storing passwords. It all depends on who has physical access, and for domestic users, writing the password down is no bad thing, especially if it helps them remember it. Of course it depends on what the password is for, but in most cases, if someone can break into your house, you have bigger problems than losing your passwords!

The real danger is when a user uses the same password in multiple different places. Then, say their slashdot login might also work for their bank.

Post-It notes

Posted Nov 30, 2006 17:53 UTC (Thu) by emkey (guest, #144) [Link]

Post-its are never a good idea. Why have passwords if they are? Passwords exist to limit access and provide auditing. Making it easy for somebody in your group or company to use your identity is not a good thing.

The main reason I don't store passwords beyond the obvious security issues is that I WILL forget a password if I don't have to type it in regularly.

Post-It notes

Posted Dec 3, 2006 15:55 UTC (Sun) by k8to (subscriber, #15413) [Link]

As the post you are responding to pointed out, post-it notes are useful because access to them is restricted to a physical domain, which can be quite small. A post-it note on my computer here, for example, will be viewable by myself and a few close friends who visit my apartment. The risk is _quite_ small, and it would be fine for most applications.

The Firefox password manager vulnerability

Posted Nov 29, 2006 22:45 UTC (Wed) by sward (guest, #6416) [Link]

Bear in mind, however, that many site passwords are not there for your security - they are there to "protect" the content on the site against unauthorized viewing. So as long as you do not use the password manager (or post-it notes) for truly sensitive passwords, why would you even care about this exploit?

I agree with you, for important passwords (my email login, finances, etc.) - I don't store those at all. But I have no qualms about storing my assorted subscription logins (like lwn.net) in the password manager.

The Firefox password manager vulnerability

Posted Nov 30, 2006 15:37 UTC (Thu) by k8to (subscriber, #15413) [Link]

I agree. Part of the problem is that so much "web security" is valueless. Some of it is valueless to the user, but not the site. Some of it is just plain valueless in its entirety.

The spawn of unnecessary 'security' is what begat this feature to paper over the problem. I think it's just fine that hackers will find out my login is "user" and my password is "password" at all these silly web domains.

Sure, some people do end up using this feature where security is actually important, but I think the crying wolf that websites do unnecessarily might be as big a security problem, in the long run, as anything else.

The Firefox password manager vulnerability

Posted Nov 29, 2006 22:47 UTC (Wed) by johnkarp (guest, #39285) [Link]

Ideally, yes, people would easily remember dozens of unique pseudorandom passwords. But even security expert Bruce Schneier seems to acknowledge the usefulness of encrypted password databases... he even maintains one:

http://www.schneier.com/passsafe.html

The Firefox password manager vulnerability

Posted Nov 30, 2006 1:35 UTC (Thu) by proski (subscriber, #104) [Link]

The best thing is, you can actually put a passpoem there.

The Firefox password manager vulnerability

Posted Nov 30, 2006 3:59 UTC (Thu) by roelofs (guest, #2599) [Link]

The best thing is, you can actually put a passpoem there.

An epic passpoem!

The Firefox password manager vulnerability

Posted Dec 12, 2007 22:27 UTC (Wed) by riches2rags (guest, #49525) [Link]

Bear in mind, that if the user has been brought to a "poser" web site, no password manager client-side bug is gonna matter if he/she is clicking "OK" anyway. The data has been deliberately sent (i.e. exposed). The client maintained list is not, in and of itself, compromised. The hidden form field phishing is a bit less culpable for the client. Simplest solution might be to add a "paranoia" setting to the PM that presents a DB exposing the fqdn about to receive the sensitive submission asking "Are you sure this is a valid authentication request?" <continue> <cancel>

The onus is on the user to double check the validity of the transaction one last time. IMHO, any truly sensitive authentication should be using encrypted transmission with mutual trust verification anyway, or the user should seriously consider doing business elsewhere.
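The "paranoia" check proposed in the comment above, written out as an added example (it is not code from LWN, Firefox, or the commenter): before a password manager fills and submits saved credentials, it resolves the form's action against the page URL, compares the destination origin with the origin the credentials were saved for, and flags plain-HTTP destinations. The function names (decideSubmission, promptText) and the sample URLs are constructed for this illustration.

```javascript
// Added example: a pre-submission check a password manager could run under a
// "paranoia" setting. Not the Firefox password manager's own code; the names
// decideSubmission/promptText and the sample URLs are constructed.

function resolveAction(pageUrl, formAction) {
  // An empty or missing action submits to the page itself (the HTML default);
  // a relative action resolves against the page URL, exactly as the browser would.
  return new URL(formAction || "", pageUrl);
}

function decideSubmission(savedOrigin, pageUrl, formAction) {
  const saved = new URL(savedOrigin);
  const page = new URL(pageUrl);
  const dest = resolveAction(pageUrl, formAction);
  const reasons = [];

  // The credentials were saved for one origin; the page showing the form should be it.
  if (page.origin !== saved.origin) {
    reasons.push(`page origin ${page.origin} differs from saved origin ${saved.origin}`);
  }
  // A form can post somewhere other than the page that displays it (hidden-field phishing).
  if (dest.origin !== saved.origin) {
    reasons.push(`form posts to ${dest.origin}, credentials were saved for ${saved.origin}`);
  }
  // Credentials leaving over plain HTTP are readable in transit.
  if (dest.protocol !== "https:") {
    reasons.push(`destination scheme ${dest.protocol} is not https`);
  }

  return {
    destinationHost: dest.hostname, // the fqdn the dialog would expose to the user
    prompt: reasons.length > 0,     // true: stop and ask; false: submit silently
    reasons,
  };
}

// Dialog text modelled on the wording proposed in the comment.
function promptText(decision) {
  const header = `Submit saved credentials to ${decision.destinationHost}? ` +
    "Are you sure this is a valid authentication request? [continue] [cancel]";
  return [header, ...decision.reasons.map((r) => " - " + r)].join("\n");
}

// Constructed sample cases: a normal login, a form that posts off-site, and a
// look-alike host served over plain HTTP.
const SAMPLES = [
  { savedOrigin: "https://lwn.net", pageUrl: "https://lwn.net/login", formAction: "/login" },
  { savedOrigin: "https://lwn.net", pageUrl: "https://lwn.net/comments/123", formAction: "https://example.invalid/collect" },
  { savedOrigin: "https://bank.example", pageUrl: "http://bank.example.lookalike.invalid/login", formAction: "" },
];

for (const s of SAMPLES) {
  const d = decideSubmission(s.savedOrigin, s.pageUrl, s.formAction);
  console.log(d.prompt ? promptText(d) : `submit silently to ${d.destinationHost}`);
}
```

Of the three samples only the first submits silently; the second is stopped because the form action points off-origin even though the page itself is genuine, and the third collects all three reasons. The check runs with Node's built-in `URL` class and needs no browser.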

The Firefox password manager vulnerability

Posted Nov 29, 2006 23:05 UTC (Wed) by NAR (subscriber, #1313) [Link]

The head might be safe against attackers, but definitely not safe against forgetting passwords (actually we use computers to store data instead of our heads). There are a couple of services in the company intranet which I use at most twice in a month, but the password expires every 60 days - I tend to ask for new passwords from IT at least once a month for one of these services.

Bye, NAR


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds