Safari and Chrome: Tied For the Worst Password Manager
Startled Hippo writes "Safari and Chrome are tied for the worst password manager built into a major Web browser, according to a new study on the issue produced by Chapin Information Services. One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site. The bug has been fixed in Firefox, but Chrome and Safari are still vulnerable to this kind of attack."
http://www.bash.org/?244321
Luckily, all my passwords are exactly the same, so I'm fine.
...So I'm safe, right? ;-)
"from the avoid-saving-passwords dept." ???
.sig: No such file or directory
To be honest, when the best browser is only scoring 7/21 they *all* need some work. Focusing on Chrome just means you're ignoring the bigger picture.
If you can't remember your password then write it on paper and hide it. Putting it on your computer, especially your Windows PC, is asking for someone to take it.
Even if they aren't in clear text the downside to using a password manager is everyone's passwords will be in the same place and in the same format. It's easy pickings.
"How can this be exploited" when some subtree member of a domain can read credentials that should only be given to the top-level member? Read http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug.
To save the others the hassle, allow me to sketch something. It's trivial to get the domain a000001.amazon.com under your control. It is, believe me; if you don't, just read up on it. Well, maybe not exactly a0000001... but something to the quality of $foo.amazon.com can easily be made to point back to a webpage you control.
Next, create a page for the internet's most sought after resource: pr0n. Do like the missionaries and spread the word; unlike them, you have ICQ and spam at your disposal to get people to visit your page. On this page, refer to $foo.amazon.com.
Then have $foo.amazon.com ask for the credentials.
It's not so much that the threat of hijacking a "real" domain name (i.e. amazon.com itself) is too big after a few ISPs toughened their DNS lookups when the patches didn't come quickly. Few ISPs are left that are actually vulnerable to having their caches completely rewritten. Subdomains can still be hijacked (even after the half-assed patch we got lately), and in combination with browsers that send credentials to whatever subdomain, it's a serious security problem.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Who??
Seriously, this looks like a typical "storm in a teacup to get people to take me seriously as a security researcher" notification.
Who here really lets any password manager save any password they care about? I have Opera save details for systems that don't matter, everything else I just remember.
Check out the website for more information about this astounding company.
Oh arse
I don't do commerce online, so the only passwords I need are two email accounts, slashdot, and half a dozen idiot-run newspapers. I use the same password for all the idiot newspapers: 111111. That password is for their page counts and advertising and has nothing whatever to do with my own security, I have no reason to worry about them. And I never forget my password. If somebody logs on to the Chicago Tribune using my password, why should I care? Requiring a password to read a newspaper is stupid.
Email and slashdot, of course, are a horse of a different color.
Safari and Chrome are the last two browsers I would expect (well, second last) to have this sort of problem.
Free Martian Whores!
I'm the password man, the password man, I'm the password man, the password man.
I can password back as fast as you can! I can password back as fast as you can!
Belief? Hope? Preference?The Existential Vortex
Putting passwords in your web browser isn't just like hiding your house keys under the doormat, it's like taping the keys of your house to the front door.
I don't keep full passwords on paper, nor do I use one of those password vault devices. Using truly random characters just means I have to write it down in full somewhere. I do have a text file that gives me *just* enough info that my mind can recall the password. For example, I might write "B`" and I recall that means "b1ZZare`" or I might use "W.P" to remember "To1.st0y". I know the rules I use to spell or punctuate words. I use different sorts of passwords for different tiers of security, from web forum, web merchant, web banking, private data, estate data, etc.
I keep my passwords online but where people don't think to look. On YouTube, of all places!
http://www.youtube.com/watch?v=ebSspdgm70E
I never understood the appeal of password managers. And they tend to be obnoxious, getting in your face until you disable them.
If I have a high security password, I'm not going to want to store it in a browser for two reasons: 1) Someone else with physical access to my machine has access to my stuff; 2) If I don't ever have to type my password, I'll often forget it.
For lower-security passwords, I, like many, simply use the same one that's easy to remember, and used for all those stupid forums and other lightweight places that make you register.
I've just never seen the need... It's definitely one of the most hyped up features that seems to have zero utility to me.
Love many, trust a few, do harm to none.
Reading the article, this doesn't seem to be about real HTTP authentication passwords, but rather about the interaction of form autofilling and fields that an application might consider to be a password. (Like slashdot uses.)
Granted, somewhere the HTTP standards committee failed the community making ad hoc form based passwords more common than real authentication. I suspect the lack of a "logout" concept has a lot to do with that, though designers' desire to spread their "look and feel" over all elements also contributes.
If you use HTTP authentication this does not apply. If you use <input type=password ...> then, yeah, autofillers may autofill.
Are also tied for the worst browsers :)
"The difference between genius and stupidity is that genius has its limits" - Albert Einstein
I've always thought storing passwords in your computer is dumb. (1) It makes it extremely easy for people to steal your PC or laptop and get into your sites. (2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were. (3) I think the safest place to store them is in your head.
FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
How exactly is Chrome (which is backed by a major company) a major browser?
"The majority is always sane, Louis." -- Nessus
http://slashdot.jp
And that's a "trick" because...? Surely there are times when you want to have different passwords in different areas. I've got basic HTTP authentication on an admin area of one of my sites. From there I've then got a number of tools, at least one of which requires a separate login. There's situations like that where you want different passwords for different areas.
What annoys me with password managers at the moment is Firefox filling in too many passwords! If you record a password for one set of login forms and then go to any other page on the same domain with a password box with a text box just above it then Firefox blindly guesses that they're a login box (even if they're called "foo" and "bar" when you recorded the details for the fields "username" and "password"). That can really start to cock up some of your settings in things like phpBB's admin control panel if you don't notice what it has auto-filled.
Incidentally, has anyone actually tried out the "Password Manager Evaluator v2.0" link from the FA with any other browsers? The author(s) claim Opera comes closest to addressing their criteria, which automatically sent the needle of my bullshitometer climbing. I was about to run it with Firefox but stopped at stage 1 where it told me to clear my existing saved passwords, and I didn't want to do that.
Not that I save any of my high-value passwords at all, but I still manage to accumulate others that I would otherwise forget...
Why are the passwords stored in the browser? If we need some on-PC storage it should be a completely separate service which browser could kindly ask for a password. Do the job right and do it just once.
Don't usually agree with some of the tags put on articles lately, but this one I do. "Canthackthebrain" and "useyourmemory" pretty much sum up my reaction to this post and the whole password thing in general. Your brain is the best place to store passwords, especially those that are used regularly. I have four or five strong passwords that I use on a regular basis, for different purposes. I used to use a password manager in the browser to keep track of them, but that quickly became a flawed strategy. Remembering four or five password and username combinations is not that difficult if you use them on at least a monthly basis. I have long known the cognitive principles behind memory with a primary being, in essence: Use it or lose it! The best way to remember something is to apply that stored information regularly.
I use phrases with numbers and special characters in them to replace certain letters. These are either phrases from literature, songs or movie lines that I liked. I use four or five of them and rotate between them for a couple years, then up and change them all with a new set and use those for a couple years. I just found myself more comfortable typing in my passwords (once anyway, multiple times in a session gets rough...patch day!), than relying on a single master password that was often longer than the one needed for the particular login.
Use your brain! It's the safest place to keep a password, and it helps keep your memory abilities sharp. Now, where did I put my effing car keys?!?!
http://www.bash.org/?244321
I don't need to go there. I know the answer is "hunter2" (if you're the guy, I just copy-pasted the ***s from bash.org, that's why it shows up as hunter2 on your screen).
Is that a sign I should get out more often? ;)
One thing that really pisses me off about just about every browser is being asked if I want it to remember my password. I mean honestly do people really trust Internet Explorer or Firefox to store their valuable passwords in a massively secure way? Call me Mr Paranoid if you like but I don't trust anything that stores more than a hash.
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
I use PasswordMaker for my password stuff. I don't really see password management as the browser's job anyway. Convenience can be an issue with this, but fortunately there is a plugin for Firefox that helps.
df -h
Apparently not all of their tests test the security of your stored passwords. I completed the test with Firefox. It failed 8 of the tests. But I did not even have the password remember function active.
I think the "real" solution, if you want good password security, is to use the following scheme:
pwd = hash(master_secret || site_id || site_counter).
That is, use as a password the hash value of your master password, something that identifies the site you're logging in at (say, "slashdot" for everything at slashdot.org), and a generation counter such that if your slashdot password gets stolen you can make a new one without changing your master password (and without changing password on your ~gazillion accounts).
There's a Firefox plugin which does something like this, at http://crypto.stanford.edu/PwdHash/. It has the advantage that it doesn't require you to store any information [except your master password in your brain], and so you can compute your password on a friend's computer by visiting their webpage.
I think a solution based on this idea provides the best combination of usability and security. Note that you can of course still use different master passwords for different sites if you want.
So Opera can't be better than Firefox or any other browser on certain aspect for what reason?
You should see my BS meter when I see someone at /. bitching about Opera, and I am not an Opera Desktop user. I use Safari with 1Password and I don't really know 99% of my passwords at all.
I love Chapin. They are the best ever, and I pay attention to everything they say. I particularly enjoy their Data Entry services that they rendered to Unified Natural Gas group way back in 1994. Wow, they were doing like 1000 words per minute!
And then they ran RoboNet BBS! Amazing!
I look to Chapin for all security analysis. I love Chapin. And they have those great songs, too! "If I could save time in a bottle/I'd drink until I turned into poo/And if I could sing/A little ding ding/I'm sure that you'd go achoo"...
A neat feature of the password manager is that you can use a master password. Without a master password, a trojan horse running on your system can steal all your passwords.
How come there is no master password to protect the cookies? Nowadays as most sites remember who I am in a cookie, a cookie seems just as useful as a password. Did no one else figure this out or did I get it wrong?
Clear your saved passwords *for their site*:
Part 1: Delete all saved passwords for www.info-svc.com
I use Opera and there you have the ability to provide a master password. I'm sure Firefox has this feature too. (But I have to admit that due to Opera's proprietary nature I don't know whether the passwords are actually encrypted or not.)
For me a password manager is just a matter of convenience. I know all my passwords but I hate typing in my credentials every time I have to log in somewhere. So I just enter one password at the beginning of the session and have them all.
But I think you are right when it comes to the really important passwords. Everything with money for example I always type in myself (bank account or eBay or stuff like that).
I avoid storing passwords in most sites, where I can remember them - I have a few "tiers" of passwords, the low-security, medium-security, high-security etc. Except some sites require "no punctuation characters" or "password must include at least 3 digits and at least 3 letters." or "password must be lowercase".
In these cases I make up something to match and let the password manager remember that. I don't care about these sites anyway, they usually suck - I just register with disposable email, grab the info I need and never return.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Amen. 1Password is great (and seems to keep coming up at discount prices at Maczot, MUPromo, etc.) Now, the iPhone version seems to need work. And by "needs work" I mean "I can't seem to figure out the damn thing ;)
Is there any way to run it through the test (or Safari/Camino/whatever through the test while it uses 1Password)?
Bark less. Wag more.
For most sites I frequently visit (like /.) I don't care if somebody steals my account, logs in as me, and starts spewing crap.
For throwaway passwords on the above sites I like to use "ps -A | md5sum". I like it better than pwgen (don't ask why).
For my serious accounts (like banking) I keep it in my head.
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
And that is not to store your passwords in your browser in the first place.
What is not stored in the browser is much harder for a random web page attacker to trick your browser into turning over.
Instead, use Password Gorilla: http://www.fpx.de/fp/Software/Gorilla/ It stores your passwords for you, allows copy/paste of login id/passwords into browser entry fields, and by being independent (100%) of the browser, no browser attack will be able to leech out your passwords.
Plus, it's cross platform, windows/linux, same files, same interface.
And for those with multiple computers, it allows you to merge other password safe files from your other computers to keep things synchronized (think a "rsync" like merge of two password files). That is very handy when you need to change a PW for site X and you do so on your laptop. Then later, the change will propagate to your desktop when you do a sync/merge.
It is designed that way.
I find Safari's password manager perfectly sec^H^HONLINE MEDS, CHEAP V1AGRA, NO PRESCRIPT1ON REQUIRED
Actually, how he came up with the password was: "Hmm, what shall I put as my password? Physics? Astro? No, my *lover*!"
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
This is kind of stupid. The entire point of a password manager is convenience, not security. People who are truly concerned about security would not even be using a browser's password manager anyway. If you try to secure a browser's password manager, you'll probably end up making it useless.
Yeah, so I have a different password for every account I have. There is no friggin' way I'm going to remember them, so I keep them in a gpg encrypted file, which I consult when I need to. But the point of the password manager is not that you don't have to remember the password; it's that you don't have to type it. I do not want to type any passwords. All the sites these days are so paranoid about security, they make you type passwords all the time. Without a password manager I'd have to type a dozen passwords every day as I check all the sites on my morning list. You are welcome to be paranoid and type (don't forget the keyloggers!), but I'd rather not even have to click through. The computer knows who I am; it should be able to keep track of all that authentication info and negotiate connections automatically.
I've gone through a lot of password managers and have always had the same problem, they all store passwords in a database. So now I've landed on supergenpass, which is a javascript md5 password generator with no random seed. The hash's seed is your master password combined with a colon and the site's domain.
The thing I like about it is the fact that there's no database, the database is math. No matter what computer I'm on, the same password is always generated for the same domain, and each domain gets a different, complex password.
It's not perfect, but it's the least vulnerable and most portable password manager I've ever seen. Since it's javascript it works on any browser with no addons. I do keep a downloaded file of the mobile html version on a USB key in case supergenpass.com is compromised. I do the same for the SGP.js file required for the internet explorer version for the same reason. I'd like to write a Python version and an iPhone version for experimental purposes; I'd also like to see it keep a loose/optional database to store each domain's last-use date and compare it with the master password's last use date so that changing the master password is easier.
Any thoughts?
One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site.
Don't you mean "password managers can be tricked into submitting the same password credentials to different parts of the same Web site"?
I wish Firefox would use the Keychain, or I wish Camino would fix the bug where a laggy proxy locks the whole thing up for minutes at a time.
(2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were.
I just restore ~/Library/Keychains from backup. Don't you keep backups?
I'm still waiting for a browser extension that either bypasses password requirements altogether, or just fills some bogus combo in and keeps it in memory and uses it every time I revisit. Passwords are getting ridiculous. I would say probably less than 5% of all my required passwords really need a password. PayPal and my bank are the only two things I give a rat's ass about (and maybe my kids' WoW account). Frankly, I don't think a password should be required to pay my stupid electric bill online. As far as I care, let somebody else log in and pay it for me. Since that's the only thing you can do at the site, I fail to see why a password is necessary, other than CYA by the City.
Anyone using Wordpress admin + Safari can see this for themselves. Embedded in the Wordpress admin "dashboard" is a frame with a wordpress.com source. This frame will show you statistics about your blog if you're logged in to wordpress.com. The problem is that in Safari, when you have auto fill turned on, it puts the login credentials from myblog.com (i.e. your own blog login credentials) into this form, which is hosted on wordpress.com.
In browser studies from performance to compliance to security, IE either comes in last or close to last, and Opera comes in either first or close to first. But still IE has over 50% market share, and Opera has less than 3%. http://marketshare.hitslink.com/report.aspx?qprid=0 http://www.w3schools.com/browsers/browsers_stats.asp
Well to be fair his BS meter probably went off over the "wipe your existing passwords" crap. I mean I have passwords in FF and Seamonkey going back 4 years, who the hell wants to deal with that for a stupid little test?
But for those that don't mind a tiny bit of extra work, and wouldn't mind a really nice backup extension when they are through, I would suggest that they download and use FEBE and have it do a full backup first. Then after taking the little test, restoring all your passwords back is as easy as Tools/FEBE/Restore/Usernames and Passwords. It is a great little extension if you are someone like me who has FF on a flash drive. With FEBE, before I go out on a service call I can back up my FF and restore it on the stick so I have all my latest links in case I need them.
Which kinda brings me to my final point, which is this: Who really cares if your browser has a little better password manager or can render JScript quicker if I have to do everything YOUR way? With FF Mozilla just builds the basic browser and then gets the hell out of my way so I can make a browser that acts like how I WANT to surf and has the features that I WANT, not what Google or Apple thinks is best for me. If I don't want ads? Adblock makes them go bye bye whether Google would like it or not. With Noscript I don't need to worry about the "Javascript hole o' the day" which to me is a lot more important than whether my browser can render said hole 40% faster or not. FEBE, Cookie Culler, ForecastFox, and my "mission critical" iMacros which lets me script any repetitive web task in a few easy clicks straight from my flash, make the web just so much more pleasant for me to use.
So while I am glad there are plenty of free choices out there, and would never put anyone down for going with what works for them, for me there just is no comparison to FF. It lets me interact with the web on my terms without trying to fit me into a "one size fits all" solution. And that to me is more important than any password manager or JScript renderer.
ACs don't waste your time replying, your posts are never seen by me.
http://www.roboform.com/
Worse still, Chrome has the nasty habit of sticking UserName and Password details into ANY field with a name that sounds like username or password, regardless of whether it's on a Login page.
I noticed this after users of one of my sites started getting quietly renamed to "jason" after I had made manual changes to their accounts via the site's admin tools. Yeah, one of the text fields on that admin screen was indeed named "username", and Chrome overwrote it even though it was populated with something else. Fortunately for everybody involved, the "reset password" section on that admin screen required that the password be typed twice.
Yikes!
Expat Software Consulting Services
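The three failure modes described in this thread (credentials for www.amazon.com offered to a hijacked a000001.amazon.com, the myblog.com login filled into a wordpress.com frame inside the admin dashboard, and Chrome writing "jason" into any text box named "username" on an admin screen) all come from a manager that scopes saved credentials too loosely. The block below is an added example of the scoping check a manager should make before filling; it is illustrative code, not any browser's implementation, and the record shapes, helper names, sample sites and field names are constructed for this example. It runs on Node using only the built-in URL class.

```javascript
// Added example: origin-scoped autofill decision for a browser password
// manager. Not code from any browser or from the thread; record shapes,
// sample sites and field names are constructed for this example.

// Save a credential keyed on the exact origin (scheme + host + port) of the
// document that carried the login form and of the URL it submitted to, plus
// the names of the two fields it used.
function saveCredential(store, cred) {
  const entry = {
    pageOrigin: new URL(cred.pageUrl).origin,
    actionOrigin: new URL(cred.actionUrl, cred.pageUrl).origin,
    userField: cred.userField,
    passField: cred.passField,
    username: cred.username,
    password: cred.password,
  };
  store.push(entry);
  return entry;
}

// form = { documentUrl, actionUrl, fields: [{ name, type }] }. documentUrl is
// the URL of the document that contains the form; for a frame that is the
// frame's own document, never the top-level page wrapped around it.
function findCredential(store, form) {
  const docOrigin = new URL(form.documentUrl).origin;
  const actionOrigin = new URL(form.actionUrl, form.documentUrl).origin;
  const typeOf = Object.fromEntries(form.fields.map((f) => [f.name, f.type]));
  for (const e of store) {
    // Origin match, not registrable-domain match:
    // a000001.amazon.com is not www.amazon.com.
    if (e.pageOrigin !== docOrigin) continue;
    // The form must submit to the same origin the saved form submitted to.
    if (e.actionOrigin !== actionOrigin) continue;
    // A text box that happens to be named "username" on an admin screen is
    // not a login form: the saved password field must exist and be a real
    // password input, and the user field must be a text-like input.
    if (typeOf[e.passField] !== 'password') continue;
    if (!['text', 'email'].includes(typeOf[e.userField])) continue;
    return e;
  }
  return null;
}

// Constructed scenarios mirroring the thread: a legitimate login, the
// hijacked subdomain, a form that posts elsewhere, the wordpress.com stats
// frame inside a self-hosted blog's admin page, and an admin screen with a
// text box named "username" but no password field.
function runScenarios() {
  const store = [];
  saveCredential(store, {
    pageUrl: 'https://www.amazon.com/login',
    actionUrl: '/ap/signin',
    userField: 'email', passField: 'password',
    username: 'alice@example.org', password: 'SKzdaZhW6cUiMqj3',
  });
  saveCredential(store, {
    pageUrl: 'https://myblog.example/wp-login.php',
    actionUrl: 'https://myblog.example/wp-login.php',
    userField: 'username', passField: 'password',
    username: 'jason', password: 'bl0g-secret',
  });
  const shopLogin = [{ name: 'email', type: 'text' }, { name: 'password', type: 'password' }];
  const blogLogin = [{ name: 'username', type: 'text' }, { name: 'password', type: 'password' }];
  return {
    sameOrigin: findCredential(store, {
      documentUrl: 'https://www.amazon.com/login', actionUrl: '/ap/signin', fields: shopLogin }),
    subdomain: findCredential(store, {
      documentUrl: 'https://a000001.amazon.com/login', actionUrl: '/ap/signin', fields: shopLogin }),
    postsElsewhere: findCredential(store, {
      documentUrl: 'https://www.amazon.com/login',
      actionUrl: 'https://a000001.amazon.com/collect', fields: shopLogin }),
    statsFrame: findCredential(store, {
      documentUrl: 'https://wordpress.com/stats-frame',
      actionUrl: 'https://wordpress.com/wp-login.php', fields: blogLogin }),
    adminScreen: findCredential(store, {
      documentUrl: 'https://myblog.example/wp-admin/user-edit.php',
      actionUrl: 'https://myblog.example/wp-admin/user-edit.php',
      fields: [{ name: 'username', type: 'text' }, { name: 'role', type: 'text' }] }),
  };
}

module.exports = { saveCredential, findCredential, runScenarios };
```

Only the first scenario should fill. The check deliberately does not answer the separate question raised earlier in the thread of two genuinely different logins on one origin (an HTTP-auth admin area with its own tool login inside it); keying on action origin plus field names is the minimum, and a manager that wants to separate those can add the form's path to the key.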
I strongly suggest to all Firefox users to learn about the Profile Manager, it's useful for trying out new extensions or running tests while minimizing the risk your current setup will get permanently bollixed up.
"Safari and Chrome are tied for the worst password manager built..." Yeah, but Chrome is still in beta. What's Safari's excuse?
Roboform is a brilliant piece of software, can't recommend it highly enough. I'm surprised it isn't mentioned elsewhere in the comments.
"Because it's there." - George Mallory, when asked why he wanted to climb Mt Everest, March 18, 1923 (New York Times)
Safari? I haven't used safari since elementary computer lab
So Opera can't be better than Firefox or any other browser on certain aspect for what reason?
I never said Opera was a crap browser. It isn't my first choice, but I am completely aware that it clearly works, and that it often has advantages over some of the current alternatives.
I am, however, troubled by the fanboyism that any mention of Opera generates, and I see no reason why I should not allude to this in a related post. This seems to be borne out by the fact that my oblique reference to Opera is apparently of more import than the general thrust of my post referring to the claims in the article.
Agreed. It's one of the net's most under-rated pieces of software, IMHO. I'm surprised that the people that make the software haven't petitioned to get it included/bundled with browsers. Sure makes better sense than those Yahoo/Google/etc. toolbars.
"Who here really lets any password manager save any password they care about? ..."
All my passwords are stored in my password manager. I use 1Password. Windows users have RoboForm. The on-disk store is encrypted. My account is protected by a strong password, stored only in my cranium, and by FileVault. That's two levels of strong encryption on the disk. I only need to remember two passwords - my login and the 1Password master password. That's why my passwords look like SKzdaZhW6cUiMqj3-AVyCG (just generated), and why they're all different. Before someone jumps all over this, I'll mention that good password security is only one facet of secure computing.