Holes Remain Open in Firefox Password Manager
juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox's password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"
Only the brightest survive (e.g. we, who use NoScript).
You aren't trying to keep it secret from yourself. You're trying to keep it secret from others. At the very least you could run the relevant password saving program in a debugger on your own machine to extract the data in question.
The fact that a program running on your machine as you can read your passwords is only marginally disturbing.
A Pirate and a Puritan look the same on a balance sheet.
Don't tell me that an in-browser password manager stops people from using the same password everywhere. The average person sees "password" and a single phrase comes to mind. "Oh, my password is '12345'", they say to themselves, and enter that. They don't sit there and think, "Oh, I should keep my bank account password separate from my MySpace password."
Those two issues aside, people always use password managers of some kind or another. The difference is whether or not they are vulnerable to an attack. I happen to manage my passwords by memorizing them, whereas my father keeps his monitor covered in sticky notes. My password manager is more secure against people sitting at my desk, while his is more secure against old age, and both of them are safe from internet crackers.
I don't think there's much we can do about increasing people's password security other than increasing awareness and forcing better password standards.
Easy. Don't use Myspace.
Usually my NoScript when blocking Java has a list of about 5 or 6 current sites running scripts (ad-servers and whatnot, ads.google.com comes up on almost every page), and anything other than the trusted site I'm at NEVER gets whitelisted, it's just not worth the risk. It's a hell of a lot better running a crippled 2.0 website than losing control of what's coming into my computer. I don't need to see all your pretty java crap, and a good site doesn't rely on java to display correctly anyway.
Whether or not there is some sort of god, I'm not supposed to say/god is a word and the argument ends there-Smog
> Don't want to remember all your passwords? Don't use sites that require passwords.
Or more specifically: Don't use the internet. How many webmails do you know that don't use a password? You couldn't even write to Slashdot, except anonymously.
> Do you trust your real life keys to be managed by a third party, then wonder how someone broke in your house without forced entry?
Yes, a 3rd party has keys to our home. It is quite common with the apartment houses where I live. It is however quite unlikely that they would steal from us, as they would be the number one suspects. So far I have never been robbed by the key holders, nor have I ever heard of a case that someone else had been.
> Having something "remember" your passwords defeats the purpose of having passwords.
Not really. It just makes the password behave more like client certificates that automatically identify the client to the server.
It is not about the safety of Firefox. It is about the safety of websites that allow users to insert JavaScript code into their sites. It's like a bank which would allow anyone to step behind the desk and act as an employee of the bank.
But they can only "steal" the passwords of that website. They can't steal all your passwords. So just remember to select different passwords for websites that might allow users to insert JavaScript code on the site. So it doesn't matter that much if they manage to steal your passwords.
Or use NoScript as suggested. Or simply don't use such websites, as they clearly don't think much about users' security.
The "right" solution is to have a challenge/response protocol where your secret key is never sent out of your computer at all. The current password situation is a huge mess since you need a different password for every site or risk one compromised trusted site giving away your password to everything. Most users, even when using a password manager, aren't going to have unique passwords for every site, let alone strong ones. It wouldn't surprise me at all if such a protocol already exists in the HTML standard. It certainly should.
The downsides to this solution? 1) You need to have a browser that supports the protocol (no browsing in telnet). 2) You need to carry around your keys if you want to use them on more than one computer. 3) You need to explain it to users (but hopefully it can be almost transparent). I'm sure there are other problems but the current situation is untenable.
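The challenge/response idea in the post above, worked through as an added example (this is hypothetical illustration code, not a protocol from the thread or from any standard): the client holds one master secret that is never transmitted, derives a different key for every site, and proves possession of that per-site key by answering a fresh random challenge. The names (`Client`, `Site`, `derive_site_key`, `compute_response`, the `.example` site ids) are all assumptions made for the example.

```python
"""Challenge/response login where the user's secret never leaves the client.

Added example, hypothetical protocol (not from the thread, not a standard).
The client keeps one master secret. For each site it derives a per-site key
with HMAC-SHA256(master, site_id); at enrollment the site stores only that
derived key. A login answers a fresh random challenge with
HMAC(site_key, nonce || site_id). Properties the thread cares about:
the master secret is never sent, each site sees a different key, and a site
whose database leaks cannot log in anywhere else with what it holds.
"""
import hashlib
import hmac
import secrets
import time


def derive_site_key(master_secret: bytes, site_id: str) -> bytes:
    """Per-site key: unique per site, unguessable without the master secret."""
    return hmac.new(master_secret, site_id.encode(), hashlib.sha256).digest()


def compute_response(site_key: bytes, nonce: bytes, site_id: str) -> bytes:
    """Binding site_id into the MAC stops one site relaying a challenge to another."""
    return hmac.new(site_key, nonce + site_id.encode(), hashlib.sha256).digest()


class Site:
    """Server side: stores only the per-site key and the open challenges."""
    CHALLENGE_TTL = 60  # seconds a challenge stays valid

    def __init__(self, site_id: str):
        self.site_id = site_id
        self.stored_key = None
        self.pending = {}  # nonce -> time issued

    def enroll(self, site_key: bytes):
        self.stored_key = site_key

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)  # 256 random bits, never reused
        self.pending[nonce] = time.monotonic()
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        issued = self.pending.pop(nonce, None)  # single use: a replayed nonce is unknown
        if issued is None or time.monotonic() - issued > self.CHALLENGE_TTL:
            return False
        expected = compute_response(self.stored_key, nonce, self.site_id)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Client:
    """User side: the only place the master secret exists."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def answer(self, site_id: str, nonce: bytes) -> bytes:
        return compute_response(derive_site_key(self._master, site_id), nonce, site_id)

    def enroll(self, site: Site):
        # One-time registration: the site receives the derived key, never the master.
        site.enroll(derive_site_key(self._master, site.site_id))

    def login(self, site: Site) -> bool:
        nonce = site.challenge()                  # site -> client: random challenge
        response = self.answer(site.site_id, nonce)
        return site.verify(nonce, response)       # client -> site: MAC over the challenge


def run_demo() -> dict:
    """Exercise the properties and return them so they can be checked, not just printed."""
    client = Client(secrets.token_bytes(32))  # constructed master secret
    bank, forum = Site("bank.example"), Site("forum.example")
    client.enroll(bank)
    client.enroll(forum)

    login_ok = client.login(bank)

    # Replay: capture one complete exchange and present it a second time.
    nonce = forum.challenge()
    response = client.answer(forum.site_id, nonce)
    first_use_ok = forum.verify(nonce, response)
    replay_ok = forum.verify(nonce, response)

    # Cross-site: everything the forum stores, used to answer the bank's challenge.
    nonce = bank.challenge()
    cross_site_ok = bank.verify(nonce, compute_response(forum.stored_key, nonce, bank.site_id))

    return {"login_ok": login_ok, "first_use_ok": first_use_ok, "replay_ok": replay_ok,
            "cross_site_ok": cross_site_ok, "keys_differ": bank.stored_key != forum.stored_key}


if __name__ == "__main__":
    print(run_demo())
```

The shared-secret form shown here still leaves each site holding a key that can impersonate that user to that site; public-key variants such as the client certificates mentioned elsewhere in the thread avoid even that, at the cost of the key-distribution problems the post lists.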
Which outlines the whole strength of having a password manager. You can have a different password for each website. Without a password manager, it's hard to do this because there are so many sites that require passwords. For my password management, I use passwordsafe, because it lets me manage all my passwords, not just ones for websites, and I can put it on a USB memory stick, and carry all my passwords with me.
This brings up another thought. If the websites in question allow users to post JavaScript, and there happens to be a login section on that page, then couldn't the user posting the script add an onchange or onkeypress event to the username and password fields to capture the username and password, and then forward the information to their server by creating an img element, and having the username and password passed as GET variables appended to the URL of the img src, which is in fact just a PHP page that stores the username and password in a database? Seems to me that any site that allows people to post executable JavaScript is just asking for trouble.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
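The site-side counterpart to the post above, as an added example (not code from the thread, from Mozilla, or from any site named in it): a site that lets users post markup keeps script out of other users' pages by allowlisting tags and attributes rather than trying to blacklist bad ones. Every `<script>` block, every `on*` event handler, every form/input element and every `javascript:` URL is dropped, so a posted page has nothing left that can read or submit a viewer's autofilled fields. The tag and attribute lists, the `Sanitizer` class and `sanitize()` are assumptions chosen for the example.

```python
"""Allowlist HTML sanitizer for user-posted content (added example).

Everything not explicitly allowed is removed: unknown tags disappear (their
text survives), <script>/<style> disappear with their contents, all on*
attributes go, and href/src must be http(s) or site-relative.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}  # both the tag and its text disappear


def safe_url(value):
    """Accept only http(s) and site-relative URLs; javascript:, data:, vbscript: are rejected.
    Whitespace and control characters are stripped first so 'java\\tscript:' cannot sneak past."""
    cleaned = "".join(ch for ch in (value or "") if ch.isprintable() and not ch.isspace()).lower()
    return cleaned.startswith(("http://", "https://", "/"))


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded here, re-escaped on output
        self.out = []
        self.open = []   # allowed tags currently open, so the output stays balanced
        self.skip = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # form, input, iframe, object, ... vanish; their text content stays
        kept = []
        for name, value in attrs:  # HTMLParser lowercases names, so onClick is caught too
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and anything not on the allowlist are dropped
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open:
            return  # stray or unknown closing tags are ignored
        while self.open:  # close anything still open inside it, keeping the output balanced
            inner = self.open.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def result(self):
        self.close()
        while self.open:  # user left tags unclosed: close them rather than leak into the page
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(user_html):
    """Return user_html reduced to the allowlisted subset."""
    s = Sanitizer()
    s.feed(user_html)
    return s.result()


if __name__ == "__main__":
    print(sanitize('<p onclick="x()">hi <b>there</b></p><input onkeypress="capture()">'))
```

The allowlist still permits images from external hosts, as the sites in the thread do, so a static `<img>` can record that a page was viewed; what it can no longer do is carry a value a script captured, because no script survives. For a production site use a maintained sanitizer library rather than a hand-written parser, since browsers' error recovery differs from `html.parser` in corners this example does not cover.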
What does Window Snyder have to say now? How many times have we shown you the exploits (and demonstrated fully) and got shot down for it? Well, now that the real exploits are gaining attention (thanks to some clever tactics), we'll see her reaction later. Her constant smartass remarks, and devs hiding certain bug exploits and fixes from the ones that found them in order to save face is just making Mozilla look worse and worse. When you have to rely on third party software to keep Firefox safe now, well, it's starting to sound more like IE now, huh? Please, let's save Mozilla by ridiculing the people in it causing the problems and not allowing change to happen instead of piling bloat over bloat (It's pretty bad when you have such horrible memory leaks in Firefox now).
I am not a Microsoft shill, I support fixing Firefox but the masters don't care.
Fanboy here. You're right. Got that outta the way
The problem is not really with the firefox password manager, because
1. Even if you only automatically entered a password with a push mechanism (right-click to fill in password information) then people would still do that on the "bad" scripts. The problem, like most things, is a problem of social hacking. Education is what is needed... maybe make firefox educational as it's logging into various login pages?
2. Remember the problem boils down to using your fileserver password for your myspace account: that's what this is talking about. It's not like an attacker can read your whole password manager, it can only get the password for a certain site that they have ALREADY compromised (myspace and facebook are sites that are compromised by design). If you use one password for all those inherently insecure sites, and another one for your email, and another one for your banking then this attack, even if successful, will not hurt you as much as you think it would. Oh no! Some script kiddy finally managed to get my facebook password! He might upload pictures... and people would think I have a life.
somewhere, on a Big Red Sign:
if(color==blue){speed--;}
Ideally, you should have 8 or more characters in every password (12 or more is good, 16 or more is great), they shouldn't be based on English words or names (or anything else familiar), they should contain non-English characters, and so on. Plus, you should have a unique one for every use and site. I don't know about you, but I visit at least 20 - 30 sites with some regularity. So should I really remember hundreds of randomesque characters?
My point is, you have a choice between sacrificing security one way or the other.
http://www.skullsecurity.org/blog/
"an attacker may emulate the login form "
This is the same old whore in new shoes. A javascript text entry masquerading as something else. You may as well point in apache's direction for htaccess too then.
As long as people do not think about what they are doing with their web browser, you will always have this problem. If people would think about web sites the same way they think about crossing a busy street the problem would be solved.
boycott slashdot February 10th - 17th check out: altSlashdot.org
> Or simply don't use such websites, as they clearly don't think much about users' security.
Because it's always clear what sites these are?
I use the same crappy password on a whole bunch of sites. If someone steals it, they can deface my Facebook page, use my nick on IRC, post on Slashdot under my name. Who knows, it might get modded up for once. There are a limited number of nonguessable, easy to remember passwords in my life, I won't waste them on wikis, forums, and myspace.
My bank, bills and credit card each have their own password and username however. As do my computer and email.