Slashdot Mirror
Safari and Chrome: Tied For the Worst Password Manager
Startled Hippo writes "Safari and Chrome are tied for the worst password manager built into a major Web browser, according to a new study on the issue produced by Chapin Information Services. One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site. The bug has been fixed in Firefox, but Chrome and Safari are still vulnerable to this kind of attack."
http://www.bash.org/?244321
Luckikly, all my passwords are exactly the same, so I'm fine.
...So I'm safe, right? ;-)
"from the avoid-saving-passwords dept." ???
.sig: No such file or directory
To be honest, when the best browser is only scoring 7/21 they *all* need some work. Focusing on Chrome just means you're ignoring the bigger picture.
If you can't remember your password then write it on paper and hide it. Putting it on your computer, especially your Windows PC, is asking for someone take it.
Even if they aren't in clear text the downside to using a password manager is everyone's passwords will be in the same place and in the same format. It's easy pickings.
"How can this be exploited" when some subtree memeber of a domain can read credentials that should only be given to the top level member, read http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug.
To save the others the hassle, allow me to sketch something. It's trivial to get the domain a000001.amazon.com under your control. It is, believe me, if you don't, just read it up. Well, maybe not exactly a0000001... but something to the quality of $foo.amazon.com can easily be made to point back to a webpage you control.
Next, create a page for the internets most sought after resource: pr0n. Do like the missionaries, spread the word, unlike them you have ICQ and spam at your disposal to get people to visit your page. On this page, refer to $foo.amazon.com
Then have $foo.amazon.com ask for the credentials.
It's not so much that the threat of hijacking a "real" domain name (i.e. amazon.com itself) is too big after a few ISPs toughened their DNS lookups when the patches didn't come quickly. Few ISPs are left that are actually vulnerable to having their caches completely rewritten. Subdomains can still be hijacked (even after the half-assed patch we got lately), and in combination with browsers that send credentials to whatever subdomain, it's a serious security problem.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Who??
Seriously, this looks like a typical "storm in a teacup to get people to take me seriously as a security researcher" notification.
Who here really lets any password manager save any password they care about? I have Opera save details for systems that don't matter, everything else I just remember.
Check out the website for more information about this astounding company.
Oh arse
I don't do commerce online, so the only passwords I need are two email accounts, slashdot, and half a dozen idiot-run newspapers. I use the same password for all the idiot newspapers: 111111. That password is for their page counts and advertising and has nothing whatever to do with my own security, I have no reason to worry about them. And I never forget my password. If somebody logs on to the Chicago Tribune using my password, why should I care? Requiring a password to read a newspaper is stupid.
Email and slashdot, of course, are a horse of a different color.
Safari and Chrome are the last two browsers I would expect (well second last) to have this sort of problems.
Free Martian Whores!
I'm the password man, the password man, I'm the password man, the password man.
I can password back as fast as you can! I can password back as fast as you can!
Belief? Hope? Preference?The Existential Vortex
Putting passwords in your web browser isn't just like hiding your house keys under the doormat, it's like taping the keys of your house to the front door.
I don't keep full passwords on paper, nor do I use one of those password vault devices. Using truly random characters just means I have to write it down in full somewhere. I do have a text file that gives me *just* enough info that my mind can recall the password. For example, I might write "B`" and I recall that means "b1ZZare`" or I might use "W.P" to remember "To1.st0y". I know the rules I use to spell or punctuate words. I use different sorts of passwords for different tiers of security, from web forum, web merchant, web banking, private data, estate data, etc.
[
I never understood the appeal of password managers. And they tend to be obnoxious, getting in your face until you disable them.
If I have a high security password, I'm not going to want to store it in a browser for two reasons: 1) Someone else with physical accesse to my machine, has access to my stuff; 2) If I don't ever have to type my password, I'll often forget it.
For lower-security passwords, I, like many, simply use the same one that's easy to remember, and used for all those stupid forums and other lightweight places that make you register.
I've just never seen the need... It's definitely one of the most hyped up features that seems to have zero utility to me.
Love many, trust a few, do harm to none.
Comment removed based on user account deletion
I've always thought storing passwords in your computer is dumb. (1) It makes it extremely easy for people to steal your PC or laptop and get into your sites. (2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were. (3) I think the safest place to store them is in your head.
FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
How exactly is Chrome (which is backed by a major company) a major browser?
"The majority is always sane, Louis." -- Nessus
http://slashdot.jp
And that's a "trick" because...? Surely there are times when you want to have different passwords in different areas. I've got basic HTTP authentication on an admin area of one of my sites. From there I've then got a number of tools, at least one of which requires a separate login. There's situations like that where you want different passwords for different areas.
What annoys me with password managers at the moment is Firefox filling in too many passwords! If you record a password for one set of login forms and then go to any other page on the same domain with a password box with a text box just above it then Firefox blindly guesses that they're a login box (even if they're called "foo" and "bar" when you recorded the details for the fields "username" and "password"). That can really start to cock up some of your settings in things like phpBB's admin control panel if you don't notice what it has auto-filled.
Incidentally, has anyone actually tried out the "Password Manager Evaluator v2.0" link from the FA with any other browsers? The author(s) claim Opera comes closest to addressing their criteria, which automatically sent the needle of my bullshitometer climbing. I was about to run it with Firefox but stopped at stage 1 where it told me to clear my existing saved passwords, and I didn't want to do that.
Not that I save any of my high-value passwords at all, but I still manage to accumulate others that I would otherwise forget...
Why are the passwords stored in the browser? If we need some on-PC storage it should be a completely separate service which browser could kindly ask for a password. Do the job right and do it just once.
http://www.bash.org/?244321
I don't need to go there. I know the answer is "hunter2" (if you're the guy, I just copy-pasted the ***s from bash.org, that's why it shows up as hunter2 on your screen).
Is that a sign I should get out more often? ;)
One thing that really pisses me off about just about every browser is being asked if I want it to remember my password. I mean honestly do people really trust Internet Explorer or Firefox to store their valuable passwords in a massively secure way? Call me Mr Paranoid if you like but I don't trust anything that stores more than a hash.
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Apparently not all of their tests test the security for your stored passwords. I completed the test with Firefox. It failed 8 of the tests. But I did not even have the password remember function active..
I think the "real" solution, if you want good password security, is to use the following scheme:
pwd = hash(master_secret || site_id || site_counter).
That is, use as a password the hash value of your master password, something that identifies the site you're logging in at (say, "slashdot" for everything at slashdot.org), and a generation counter such that if your slashdot password gets stolen you can make a new one without changing your master password (and without changing password on your ~gazillion accounts).
There's a firefox plugin which does something like this, at http://crypto.stanford.edu/PwdHash/. It has the advantage that it doesn't require you to store any information [except your master password in your brain], and so you can compute your password on a friend's computer by visiting their webpage.
I think a solution based on this idea provides the best combination of usability and security. Note that you can of course still use different master passwords for different sites if you want.
Comment removed based on user account deletion
So Opera can't be better than Firefox or any other browser on certain aspect for what reason?
You should see my BS meter when I see someone at /. bitches about Opera and I am not a Opera Desktop user, I use Safari with 1Password and I don't really know 99% of my passwords at all.
A neat feature of the pssword manager is that you can use a master password. Without a master password, a trojan horse running on your system can steal all your passwords.
How come there is no master password to protect the cookies? Nowadays as most sites remember who I am in a cookie, a cookie seems just as useful as a password. Did no one else figure this out or did I get it wrong?
Clear your saved passwords *for their site*:
Part 1: Delete all saved passwords for www.info-svc.com
I use Opera and there you have the ability to provide a master password. I'm sure Firefox has this feature too. (But I have to admit that due to Opera's proprietary nature I don't know whether the passwords are actually encrypted or not.)
For me a password manager is just a matter of convenience. I know all my passwords but I hate typing in my credentials every time I have to log in somewhere. So I just enter one password at the beginning of the session and have them all.
But I think you are right when it comes to the really important passwords. Everything with money for example I always type in myself (bank account or eBay or stuff like that).
I avoid storing passwords in most sites, where I can remember them - I have a few "tiers" of passwords, the low-security, medium-security, high-security etc. Except some sites require "no punctuation characters" or "password must include at least 3 digits and at least 3 letters." or "password must be lowercase".
In these cases I make up something to match and let the password manager remember that. I don't care about these sites anyway, they usually suck - I just register with disposable email, grab the info I need and never return.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Amen. 1Password is great (and seems to keep coming up at discount prices at Maczot, MUPromo, etc.) Now, the iPhone version seems to need work. And by "needs work" I mean "I can't seem to figure out the damn thing ;)
Is there any way to run it through the test (or Safari/Camino/Whatever through the test while it uses 1Password?
Bark less. Wag more.
For most sites I frequently visit (like /.) I don't care if somebody steals my account, logs in as me, and starts spewing crap.
For throwaway passwords on the above sites I like to use "ps -A |md5sum" I like it better then pwgen (don't ask why).
For my serious accounts (like banking) I keep it in my head.
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
I find Safari's password manager perfectly sec^H^HONLINE MEDS, CHEAP V1AGRA, NO PRESCRIPT1ON REQUIRED
Actually, how he came up with the password was: "Hmm, what shall I put as my password? Physics? Astro? No, my *lover*!"
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
This is kind of stupid. The entire point of a password manager is convenience, not security. People who are truly concerned about security would not even be using a browser's password manager anyway. If you try to secure a browser's password manager, you'll probably end up making it useless.
Yeah, so I have a different password for every account I have. There is no friggin' way I'm going to remember them, so I keep them in a gpg encrypted file, which I consult when I need to. But the point of the password manager is not that you don't have to remember the password; it's that you don't have to type it. I do not want to type any passwords. All the sites these days are so paranoid about security, they make you type passwords all the time. Without a password manager I'd have to type a dozen passwords every day as I check all the sites on my morning list. You are welcome to be paranoid and type (don't forget the keyloggers!), but I'd rather not even have to click through. The computer knows who I am; it should be able to keep track of all that authentication info and negotiate connections automatically.
One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site.
Don't you mean "password managers can be tricked into submitting the same password credentials to different parts of the same Web site"?
I wish Firefox would use the Keychain, or I wish Camino would fix the bug where a laggy proxy locks the whole thing up for minutes at a time.
(2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were.
I just restore ~/Library/Keychains from backup. Don't you keep backups?
Tied for
Worst Browser Functionality Idea
The Admin and the Engineer
I'm still waiting for a browser extension that either bypasses password requirements altogether, or just fills some bogus combo in and keeps it in memory and uses it every time I revisit. Passwords are getting ridiculous. I would say probably less than 5% of all my required passwords really need a password. PayPal and my bank are the only two things I give a rats ass about (and maybe my kids' WoW account). Frankly, I don't think a password should be required to pay my stupid electric bill online. As far as I care, let somebody else log in and pay it for me. Since that's the only thing you can do at the site, I fail to see why a password is necessary, other than CYA by the City.
Anyone using Wordpress admin + Safari can see this for themselves. Embedded in the Wordpress admin "dashboard" is a frame with a wordpress.com source. This frame will show you statistics about your blog if you're logged in to wordpress.com. The problem is, that in Safari when you have auto fill turned on, it puts the login credentials from myblog.com(i.e. your own blog login credentials) into this form which is hosted on wordpress.com
Well to be fair his BS meter probably went off over the "wipe your existing passwords" crap. I mean I have passwords in FF and Seamonkey going back 4 years, who the hell wants to deal with that for a stupid little test?
But for those that don't mind a tiny bit of extra work, and wouldn't mind a really nice backup extension when they are through, I would suggest that they download and use FEBE and have it do a full backup first. Then after taking the little test restoring all your passwords back is as easy as tools/FEBE/Restore/Usernames and Passwords. It is a great little extension if you are someone like me and has FF on a flash. With FEBE before I go out on a service call I can backup my FF and restore it on the stick so i have all my latest links in case I need them.
Which kinda brings me to my final point, which is this: Who really cares if your browser has a little better password manager or can render JScript quicker if I have to do everything YOUR way? With FF Mozilla just builds the basic browser and then gets the hell out of my way so I can make a browser that acts like how I WANT to surf and has the features that I WANT, not what Google or Apple thinks is best for me. If I don't want ads? Adblock makes them go bye bye whether Google would like it or not. With Noscript I don't need to worry about the "Javascript hole o' the day" which to me is a lot more important than whether my browser can render said hole 40% faster or not. FEBE, Cookie Culler, ForecastFox, and my "mission critical" iMacros which lets me script any repetitive web task in a few easy clicks straight from my flash, make the web just so much more pleasant for me to use.
So while I am glad there are plenty of free choices out there, and would never put anyone down for going with what works for them, for me there just is no comparison to FF. It lets me interact with the web on my terms without trying to fit me into a "one size fits all" solution. And that to me is more important than any password manager or JScript renderer.
ACs don't waste your time replying, your posts are never seen by me.
http://www.roboform.com/
Worse still, Chrome has the nasty habit of sticking UserName and Password details into ANY field with a name that sounds like username or password, regardless of whether it's on a Login page.
I noticed this after users of one of my sites started getting quietly renamed to "jason" after I had made manual changes to their accounts via the site's admin tools. Yeah, one of the text fields on that admin screen was indeed named "username", and Chrome overwrote it even though it was populated with something else. Fortunately for everybody involved, the "reset password" section on that admin screen required that the password be typed twice.
Yikes!
Expat Software Consulting Services
I strongly suggest to all Firefox users to learn about the Profile Manager, it's useful for trying out new extensions or running tests while minimizing the risk your current setup will get permanently bollixed up.
"Safari and Chrome are tied for the worst password manager built..." Yeah, but Chrome is still in beta. What's Safari's excuse?
Roboform is a brilliant piece of software, can't recommend it highly enough. I'm surprised it isn't mentioned elsewhere in the comments.
"Because it's there." - George Mallory, when asked why he wanted to climb Mt Everest, March 18, 1923 (New York Times)
Safari? I haven't used safari since elementary computer lab
So Opera can't be better than Firefox or any other browser on certain aspect for what reason?
I never said Opera was a crap browser. It isn't my first choice, but I am completely aware that it clearly works, and that it often has advantages over some of the current alternatives.
I am, however, troubled by the fanboyism that any mention of Opera generates, and I see no reason why I should not allude to this in a related post. This seems to be borne out by the fact that my oblique reference to Opera is apparently of more import than the general thrust of my post referring to the claims in the article.
Agreed. It's one of the nets must under-rated software IMHO. I'm surprised that the people that make the software haven't petitioned to get it included/bundled with browsers. Sure makes better sense then those yahoo/googe/etc toolbars.