Safari and Chrome: Tied For the Worst Password Manager

Startled Hippo writes "Safari and Chrome are tied for the worst password manager built into a major Web browser, according to a new study on the issue produced by Chapin Information Services. One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site. The bug has been fixed in Firefox, but Chrome and Safari are still vulnerable to this kind of attack."

Missing department

[Atti+K.]

"from the avoid-saving-passwords dept." ???

Re:Missing department

[maxume]

It seems more correct to say that your computer has 780 random passwords.

Why focus on Chrome?

[myxiplx]

To be honest, when the best browser is only scoring 7/21 they *all* need some work. Focusing on Chrome just means you're ignoring the bigger picture.

Re:Why focus on Chrome?

[tomknight]

You're assuming that the metric used by this company/person actually means something...

Is this really worth noting?

[tomknight]

"Chapin Information Services."

Who??

Seriously, this looks like a typical "storm in a teacup to get people to take me seriously as a security researcher" notification.

Who here really lets any password manager save any password they care about? I have Opera save details for systems that don't matter, everything else I just remember.

Check out the website for more information about this astounding company.

Re:Is this really worth noting?

[qoncept]

Who here really lets any password manager save any password they care about?

I do. And I bet at least one other person does.

My password manager is in my wallet

[mcgrew]

I don't do commerce online, so the only passwords I need are two email accounts, slashdot, and half a dozen idiot-run newspapers. I use the same password for all the idiot newspapers: 111111. That password is for their page counts and advertising and has nothing whatever to do with my own security, I have no reason to worry about them. And I never forget my password. If somebody logs on to the Chicago Tribune using my password, why should I care? Requiring a password to read a newspaper is stupid.

Email and slashdot, of course, are a horse of a different color.

Safari and Chrome are the last two browsers I would expect (well second last) to have this sort of problems.

Re:My password manager is in my wallet

[clone53421]

Idiot-run newspapers are why bugmenot was invented.

don't save passwords

[Speare]

Putting passwords in your web browser isn't just like hiding your house keys under the doormat, it's like taping the keys of your house to the front door.

I don't keep full passwords on paper, nor do I use one of those password vault devices. Using truly random characters just means I have to write it down in full somewhere. I do have a text file that gives me *just* enough info that my mind can recall the password. For example, I might write "B`" and I recall that means "b1ZZare`" or I might use "W.P" to remember "To1.st0y". I know the rules I use to spell or punctuate words. I use different sorts of passwords for different tiers of security, from web forum, web merchant, web banking, private data, estate data, etc.

Re:I Use A Mac...

Yeah, relatively - OS X stores passwords in a proper way: in the central "Keychain", to which you may only get access to by supplying your user credidentials. Does your Linux or Windows have anything like that? No? Trolling failed, then, you Linux/Windows luser of ignoramus stance.

On that note, it should be time for Firefox to finally start making use of this great feature.

Why?

[PhotoGuy]

I never understood the appeal of password managers. And they tend to be obnoxious, getting in your face until you disable them.

If I have a high security password, I'm not going to want to store it in a browser for two reasons: 1) Someone else with physical accesse to my machine, has access to my stuff; 2) If I don't ever have to type my password, I'll often forget it.

For lower-security passwords, I, like many, simply use the same one that's easy to remember, and used for all those stupid forums and other lightweight places that make you register.

I've just never seen the need... It's definitely one of the most hyped up features that seems to have zero utility to me.

Re:Why?

[JSBiff]

That's one solution. I began looking into seperate password managers a year or two ago. The two solutions I found looked the best, at the time, were KeePass, and Bruce Schneier's Password Safe.

Ultimately, though, I decided against either one. The problem with using something like that is that, now, I don't actually know the passwords for all of my accounts. If something goes wrong, or I just don't have access to the safe (like maybe I am away from home and forgot to bring my USB key along, or I'm using a computer which I don't want to stick the key into (because the key might get infected with some virus/trojan if I stick it into a public PC, or maybe their is malware on the PC which, once I've unlocked the password safe, grabs all the account/password info), I can't get into my accounts.

The real, true, ultimate problem isn't that people need a password safe. It's that people need fewer accounts/passwords. We need something like OpenId to become more widespread. Now, you probably wouldn't use OpenId (or some analog) for very sensitive accounts like bank/paypal/amazon.com/etc, but how many times have you been to a site where you wanted to post in a forum, or add a comment to a blog, but then you were confronted with being forced to register an account? On the one hand, that might cut down on spam/noise/trolls (or it might not; if you are a troll or spammer, you just register an account without worrying about every using it again, so you don't care what the password is or if you remember it), but it also cuts down, I'm sure, on worthwhile posts because people can't be bothered to try to remember yet another password (or they just end up using a very small number of passwords everywhere).

I wish more sites used OpenId. Seems like only a very small minority of sites I've visited offer that as an option.

Re:Never use password managers

[skeeto]

It depends on the account type.

Yeah, don't let the browser store your bank and e-mail passwords.

But your /. account, where logins are done in plaintext rather than https? Go for it. As soon as you log in wirelessly you have broadcasted your password to the world anyway. The password manager is not the weak link here.

Plus, you know, it's only your /. account, not your life savings. The consequences for losing the password are small, so shifting the trade-off towards convenience will be more reasonable.

Storing passwords is dumb

[theaveng]

I've always thought storing passwords in your computer is dumb. (1) It makes it extremely easy for people to steal your PC or laptop and get into your sites. (2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were. (3) I think the safest place to store them is in your head.

MAJOR browser?

[jedie]

How exactly is Chrome (which is backed by a major company) a major browser?

Re:Never use password managers

[Paradigm_Complex]

A few months back I did some computer help for someone who had all his passwords in post-it notes stuck around his monitor. I still remember some of them today.

Don't put your password on your windows computer, or on your windows computer. Both are easy pickings.

All Password mangers suck

[Big+Hairy+Ian]

One thing that really pisses me off about just about every browser is being asked if I want it to remember my password. I mean honestly do people really trust Internet Explorer or Firefox to store their valuable passwords in a massively secure way? Call me Mr Paranoid if you like but I don't trust anything that stores more than a hash.

Re:Please!

[Ilgaz]

So Opera can't be better than Firefox or any other browser on certain aspect for what reason?

You should see my BS meter when I see someone at /. bitches about Opera and I am not a Opera Desktop user, I use Safari with 1Password and I don't really know 99% of my passwords at all.

Re:Never use password managers

[tomknight]

Hmm... could someone use your /. account to commit a crime in your name?

Think:
* Libel
* "Possessing information of use to a terrorist organisation"
* "Inciting racial hatred"
Not sure about US laws, but you can't say whatever you like in the UK...

Of course the same goes for newpaper sites that let people leave comments etc.

Re:Aha!

[genner]

I was very confused, for a moment, as to why someone who was lit on fire would be screaming their passwords.

It's a perfectly cromulant method of torture.