Slashdot Mirror
Holes Remain Open in Firefox Password Manager
juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"
Don't tell me that an in-browser password manager stops people from using the same password everywhere. The average person sees "password" and a single phrase comes to mind. "Oh, my password is '12345'", they say to themselves, and enter that. They don't sit there and think, "Oh, I should keep my bank account password separate from my MySpace password."
Those two issues aside, people always use password managers of some kind or another. The difference is whether or not they are vulnerable to an attack. I happen to manage my passwords by memorizing them, whereas my father keeps his monitor covered in sticky notes. My password manager is more secure against people sitting at my desk, while his is more secure against old age, and both of them are safe from internet crackers.
I don't think there's much we can do about increasing people's password security other than increasing awareness and forcing better password standards.
> Don't want to remember all your passwords? Don't use sites that require passwords.
Or more specificly: Don't use internet. How many webmails you know that don't use password? You couldn't even write to Slashdot, except anonymously.
> Do you trust the your real life keys to be managed by a third party, then wonder how someone broke in your house without forced entry?
Yes, 3rd party has keys to our home. It is quite common with the apartment houses where I live. It is however quite unlikely that they would steal from us, as they would be number one suspects. So far I have never been robbed by they key holders, nor have I ever heard of a case that someone else had been.
> Having something "remember" your passwords defeats the purpose of having passwords.
Not really. It just makes the password behave more like client sertificates that automatically identify client to the server.
It is not about safety of the Firefox. It is about safety of websites that allows users to insert Javascript code to their sites. It's like a bank which would allow anyone to step behind the desk and act as an employee of the bank.
But they can only "steal" the passwords of that website. They can't steal your all passwords. So just remember to select different passwords for websites that might allow users to insert Javascript code on the site. So it doesn't matter that much if they manage to steal your passwords.
Or use Noscript as suggested. Or simply don't use such websites, as they clearly don't think much about user's security.