
The Firefox password manager vulnerability


Posted Nov 29, 2006 22:47 UTC (Wed) by johnkarp (guest, #39285)
In reply to: The Firefox password manager vulnerability by emkey
Parent article: The Firefox password manager vulnerability

Ideally, yes, people would easily remember dozens of unique pseudorandom
passwords. But even security expert Bruce Schneier
seems to acknowledge the usefulness of encrypted password databases... he
even maintains one:

http://www.schneier.com/passsafe.html



The Firefox password manager vulnerability

Posted Nov 30, 2006 1:35 UTC (Thu) by proski (subscriber, #104)

The best thing is, you can actually put a passpoem there.

The Firefox password manager vulnerability

Posted Nov 30, 2006 3:59 UTC (Thu) by roelofs (guest, #2599)

> The best thing is, you can actually put a passpoem there.

An epic passpoem!

The Firefox password manager vulnerability

Posted Dec 12, 2007 22:27 UTC (Wed) by riches2rags (guest, #49525)

Bear in mind that if the user has been brought to a "poser" web site, no password manager
client-side bug is gonna matter if he/she is clicking "OK" anyway. The data has been
deliberately sent (i.e. exposed). The client-maintained list is not, in and of itself,
compromised. The hidden form field phishing is a bit less culpable for the client. Simplest
solution might be to add a "paranoia" setting to the PM that presents a DB exposing the FQDN
about to receive the sensitive submission, asking "Are you sure this is a valid authentication
request?" <continue> <cancel>
The onus is on the user to double-check the validity of the transaction one last time.
IMHO, any truly sensitive authentication should be using encrypted transmission with mutual
trust verification anyway, or the user should seriously consider doing business elsewhere.

