Slashdot Mirror


Safari and Chrome: Tied For the Worst Password Manager

Startled Hippo writes "Safari and Chrome are tied for the worst password manager built into a major Web browser, according to a new study on the issue produced by Chapin Information Services. One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site. The bug has been fixed in Firefox, but Chrome and Safari are still vulnerable to this kind of attack."

51 of 218 comments

  1. users can be tricked too... by Anonymous Coward · · Score: 5, Funny

    http://www.bash.org/?244321

  2. Aha! by fbish · · Score: 5, Funny

    Luckily, all my passwords are exactly the same, so I'm fine.

    1. Re:Aha! by fbish · · Score: 5, Funny

      Luckily, I also cannot spell.

    2. Re:Aha! by Yvan256 · · Score: 4, Funny

      "exactly the same" is a bit strange for a password, isn't it?

    3. Re:Aha! by Poltras · · Score: 2, Informative

      Space is technically a symbol when talking about password strength.

    4. Re:Aha! by genner · · Score: 4, Funny

      "exactly the same" is a bit strange for a password, isn't it?

      No it's perfect. If you get torchered you'll be screaming that all your passwords are exactly the same and your captors will be clueless as to why they can't break you.

    5. Re:Aha! by deroby · · Score: 3, Funny

      Some years ago we used to have a stand-alone machine for testing using a local account. As most members of the team needed to be able to log on to it now and then, I came up with "just leave it empty" as a password. Whenever someone forgot and had to ask for it, we would simply yell across the floor: "That password? Just leave it empty!" Those who 'knew' remembered then and were able to log in. Others who had overheard it and wanted to use our mega-powerful-machine tried logging in using a blank password, but were stumped to find out they couldn't.
      Aaahh, all the fun one can have in the office =)

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
    6. Re:Aha! by S.O.B. · · Score: 3, Funny

      I think my old, ex-password is rather strange: "physicsastronomylover" - dates all the way back to my first BBS in 1987. My two favorite subjects in school.

      I thought it was because you make love with a lever and a planetary body (insert joke here).

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    7. Re:Aha! by genner · · Score: 2, Insightful

      I was very confused, for a moment, as to why someone who was lit on fire would be screaming their passwords.

      It's a perfectly cromulent method of torture.

    8. Re:Aha! by clone53421 · · Score: 2, Informative

      That's a quotation by Archimedes: "Give me a place to stand and with a lever I will move the whole world."

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    9. Re:Aha! by Tony+Hoyle · · Score: 2, Funny

      Confess! Or I'll shine this Maglite in your face again!

  3. I Use A Mac... by Telephone+Sanitizer · · Score: 5, Funny

    ...So I'm safe, right? ;-)

    1. Re:I Use A Mac... by goombah99 · · Score: 5, Informative

      macs do get credit for putting the passwords where they belong: in a centralized password keychain. Firefox rolls its own separate password manager. At various times firefox's keychain has been found to be insecure and it's separate from your other keychains. There's no simple keychain browser interface like the centralized keychain protection system safari uses.

      If you want to encrypt or hide or transport all your passwords it's easy in safari but hard in firefox since how it's done changes.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:I Use A Mac... by Jugalator · · Score: 5, Interesting
      --
      Beware: In C++, your friends can see your privates!
    3. Re:I Use A Mac... by fuzzyfuzzyfungus · · Score: 3, Informative

      Both gnome and KDE have had centralized password management as a standard feature for some time. I don't know whether they predate or postdate the OSX implementation; but they are there.

      Windows is an ambiguous case. As best I understand it, MS decided not to implement a flexible system for centralized storage of third party passwords because they wanted everybody to use their .NET Passport authentication, which would interact, through IE, with the windows authentication system. Luckily, the "All your base are belong to Microsoft" theory of authentication largely fell flat, so Passport is only used on a few sites, mostly MS's own properties, so Windows essentially has no centralized credentials mechanism that is of real world use. The sophistication of their mechanism, in environments it was designed for (MS monoculture), should not be underestimated.

    4. Re:I Use A Mac... by BrokenHalo · · Score: 2, Informative

      Does your Linux or Windows have anything like that? No? Trolling failed, then, you Linux/Windows luser of ignoramus stance.

      I have no idea about Windows, but there are several such applications available for Linux or any other unices.

      For Gnome users, there is Gnome Keyring, and I believe the equivalent for KDE is KDE Wallet. I dare say there are others I haven't heard of.

    5. Re:I Use A Mac... by techprophet · · Score: 2, Informative

      Actually the Gnome keyring works with Firefox for me. Not the KDE 4.2 one though. Not without patches anyway. [/joke]

      No, seriously? Linux FF is always faster for me than Windows FF. And Gnome integration + QT4 theme makes it look nice with KDE.

    6. Re:I Use A Mac... by Ilgaz · · Score: 3, Informative

      In real life, nearly all OS X native browsers and even the commercial password manager 1Password use keychain. On Gnome and KDE, only their own default browsers use their subsystems.

      Apple made it somehow easy to integrate with keychain no matter how your application is coded in whatever language. Even AppleScript/OSAScript "Apps" use Keychain very effectively.

      Firefox and Opera don't use it because they don't feel like it, that is all. I mean, that is why both browsers can't be "tried" on an up-and-running OS X, since nobody would bother to type in 200 passwords while they have them recorded elsewhere and perfectly used by Omniweb etc.

    7. Re:I Use A Mac... by MobileTatsu-NJG · · Score: 2, Funny

      Isn't it time Firefox supported the Mac Keychain? :-/

      It'll happen pretty quickly once Opera supports it! :D

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  4. Missing department by Atti+K. · · Score: 3, Insightful

    "from the avoid-saving-passwords dept." ???

    --
    .sig: No such file or directory
    1. Re:Missing department by maxume · · Score: 2, Insightful

      It seems more correct to say that your computer has 780 random passwords.

      --
      Nerd rage is the funniest rage.
  5. Why focus on Chrome? by myxiplx · · Score: 5, Insightful

    To be honest, when the best browser is only scoring 7/21 they *all* need some work. Focusing on Chrome just means you're ignoring the bigger picture.

    1. Re:Why focus on Chrome? by tomknight · · Score: 5, Insightful

      You're assuming that the metric used by this company/person actually means something...

      --
      Oh arse
  6. Never use password managers by thetoadwarrior · · Score: 4, Interesting

    If you can't remember your password then write it on paper and hide it. Putting it on your computer, especially your Windows PC, is asking for someone to take it.

    Even if they aren't in clear text the downside to using a password manager is everyone's passwords will be in the same place and in the same format. It's easy pickings.

    1. Re:Never use password managers by skeeto · · Score: 4, Insightful

      It depends on the account type.

      Yeah, don't let the browser store your bank and e-mail passwords.

      But your /. account, where logins are done in plaintext rather than https? Go for it. As soon as you log in wirelessly you have broadcast your password to the world anyway. The password manager is not the weak link here.

      Plus, you know, it's only your /. account, not your life savings. The consequences for losing the password are small, so shifting the trade-off towards convenience will be more reasonable.

    2. Re:Never use password managers by yttrstein · · Score: 4, Interesting

      First place a local black hat looks? Under keyboards. One of the things it's fun to do with new clients is to walk around their offices and grab every password-slip you can find. All the usual places -- under keyboards, in the desk drawer next to the pens, on the back of a monitor facing a cube wall. And this one is my favorite:

      In a desk drawer but fastened to the underside of the desk surface. Very clever.

    3. Re:Never use password managers by Paradigm_Complex · · Score: 3, Insightful

      A few months back I did some computer help for someone who had all his passwords in post-it notes stuck around his monitor. I still remember some of them today.

      Don't put your password on your windows computer, or on your windows computer. Both are easy pickings.

      --
      "A witty saying proves nothing." - Voltaire
    4. Re:Never use password managers by thetoadwarrior · · Score: 2, Informative

      Work is a public area. It'd be silly to leave passwords anywhere other than in your wallet in that instance.

      And if you leave that lying around I think you should be more worried about card numbers being pinched.

    5. Re:Never use password managers by poopdeville · · Score: 5, Funny

      I often leave notes for desk-Nazi's like you: "e@t_a_d1ck" or "Stop looking under my keyboard, asshole"

      --
      After all, I am strangely colored.
    6. Re:Never use password managers by tomknight · · Score: 2, Insightful
      Hmm... could someone use your /. account to commit a crime in your name?

      Think:
      * Libel
      * "Possessing information of use to a terrorist organisation"
      * "Inciting racial hatred"
      Not sure about US laws, but you can't say whatever you like in the UK...

      Of course the same goes for newspaper sites that let people leave comments etc.

      --
      Oh arse
  7. Before someone asks by Opportunist · · Score: 5, Informative

    "How can this be exploited" when some subtree member of a domain can read credentials that should only be given to the top level member, read http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug.

    To save the others the hassle, allow me to sketch something. It's trivial to get the domain a000001.amazon.com under your control. It is, believe me, if you don't, just read it up. Well, maybe not exactly a0000001... but something to the quality of $foo.amazon.com can easily be made to point back to a webpage you control.

    Next, create a page for the internet's most sought-after resource: pr0n. Do like the missionaries, spread the word; unlike them you have ICQ and spam at your disposal to get people to visit your page. On this page, refer to $foo.amazon.com

    Then have $foo.amazon.com ask for the credentials.

    It's not so much that the threat of hijacking a "real" domain name (i.e. amazon.com itself) is too big after a few ISPs toughened their DNS lookups when the patches didn't come quickly. Few ISPs are left that are actually vulnerable to having their caches completely rewritten. Subdomains can still be hijacked (even after the half-assed patch we got lately), and in combination with browsers that send credentials to whatever subdomain, it's a serious security problem.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Is this really worth noting? by tomknight · · Score: 5, Insightful
    "Chapin Information Services."

    Who??

    Seriously, this looks like a typical "storm in a teacup to get people to take me seriously as a security researcher" notification.

    Who here really lets any password manager save any password they care about? I have Opera save details for systems that don't matter, everything else I just remember.

    Check out the website for more information about this astounding company.

    --
    Oh arse
    1. Re:Is this really worth noting? by qoncept · · Score: 4, Insightful

      Who here really lets any password manager save any password they care about?

      I do. And I bet at least one other person does.

      --
      Whale
    2. Re:Is this really worth noting? by tomknight · · Score: 4, Funny

      I can see why you post anonymously!

      --
      Oh arse
    3. Re:Is this really worth noting? by asdfghjklqwertyuiop · · Score: 3, Funny

      trust no one with your passwords.

      Really? Not even the people who wrote your web browser?

  9. My password manager is in my wallet by mcgrew · · Score: 2, Insightful

    I don't do commerce online, so the only passwords I need are two email accounts, slashdot, and half a dozen idiot-run newspapers. I use the same password for all the idiot newspapers: 111111. That password is for their page counts and advertising and has nothing whatever to do with my own security, I have no reason to worry about them. And I never forget my password. If somebody logs on to the Chicago Tribune using my password, why should I care? Requiring a password to read a newspaper is stupid.

    Email and slashdot, of course, are a horse of a different color.

    Safari and Chrome are the last two browsers I would expect (well, second last) to have this sort of problem.

    1. Re:My password manager is in my wallet by clone53421 · · Score: 4, Insightful

      Idiot-run newspapers are why bugmenot was invented.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  10. don't save passwords by Speare · · Score: 4, Insightful

    Putting passwords in your web browser isn't just like hiding your house keys under the doormat, it's like taping the keys of your house to the front door.

    I don't keep full passwords on paper, nor do I use one of those password vault devices. Using truly random characters just means I have to write it down in full somewhere. I do have a text file that gives me *just* enough info that my mind can recall the password. For example, I might write "B`" and I recall that means "b1ZZare`" or I might use "W.P" to remember "To1.st0y". I know the rules I use to spell or punctuate words. I use different sorts of passwords for different tiers of security, from web forum, web merchant, web banking, private data, estate data, etc.

    --
    [ .sig file not found ]
  11. Why? by PhotoGuy · · Score: 4, Insightful

    I never understood the appeal of password managers. And they tend to be obnoxious, getting in your face until you disable them.

    If I have a high security password, I'm not going to want to store it in a browser for two reasons: 1) Someone else with physical access to my machine has access to my stuff; 2) If I don't ever have to type my password, I'll often forget it.

    For lower-security passwords, I, like many, simply use the same one that's easy to remember, and used for all those stupid forums and other lightweight places that make you register.

    I've just never seen the need... It's definitely one of the most hyped up features that seems to have zero utility to me.

    --
    Love many, trust a few, do harm to none.
    1. Re:Why? by JSBiff · · Score: 2, Insightful

      That's one solution. I began looking into separate password managers a year or two ago. The two solutions I found looked the best, at the time, were KeePass, and Bruce Schneier's Password Safe.

      Ultimately, though, I decided against either one. The problem with using something like that is that, now, I don't actually know the passwords for all of my accounts. If something goes wrong, or I just don't have access to the safe (like maybe I am away from home and forgot to bring my USB key along, or I'm using a computer which I don't want to stick the key into, because the key might get infected with some virus/trojan if I stick it into a public PC, or maybe there is malware on the PC which, once I've unlocked the password safe, grabs all the account/password info), I can't get into my accounts.

      The real, true, ultimate problem isn't that people need a password safe. It's that people need fewer accounts/passwords. We need something like OpenId to become more widespread. Now, you probably wouldn't use OpenId (or some analog) for very sensitive accounts like bank/paypal/amazon.com/etc, but how many times have you been to a site where you wanted to post in a forum, or add a comment to a blog, but then you were confronted with being forced to register an account? On the one hand, that might cut down on spam/noise/trolls (or it might not; if you are a troll or spammer, you just register an account without worrying about ever using it again, so you don't care what the password is or if you remember it), but it also cuts down, I'm sure, on worthwhile posts because people can't be bothered to try to remember yet another password (or they just end up using a very small number of passwords everywhere).

      I wish more sites used OpenId. Seems like only a very small minority of sites I've visited offer that as an option.

  12. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  13. Storing passwords is dumb by theaveng · · Score: 4, Insightful

    I've always thought storing passwords in your computer is dumb. (1) It makes it extremely easy for people to steal your PC or laptop and get into your sites. (2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were. (3) I think the safest place to store them is in your head.

    --
    FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
  14. MAJOR browser? by jedie · · Score: 4, Insightful

    How exactly is Chrome (which is backed by a major company) a major browser?

    --
    "The majority is always sane, Louis." -- Nessus
    http://slashdot.jp
  15. Different passwords in different areas? by IBBoard · · Score: 3, Informative

    One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site.

    And that's a "trick" because...? Surely there are times when you want to have different passwords in different areas. I've got basic HTTP authentication on an admin area of one of my sites. From there I've then got a number of tools, at least one of which requires a separate login. There's situations like that where you want different passwords for different areas.

    What annoys me with password managers at the moment is Firefox filling in too many passwords! If you record a password for one set of login forms and then go to any other page on the same domain with a password box with a text box just above it then Firefox blindly guesses that they're a login box (even if they're called "foo" and "bar" when you recorded the details for the fields "username" and "password"). That can really start to cock up some of your settings in things like phpBB's admin control panel if you don't notice what it has auto-filled.

  16. I should get out more often... by jonaskoelker · · Score: 5, Funny

    http://www.bash.org/?244321

    I don't need to go there. I know the answer is "hunter2" (if you're the guy, I just copy-pasted the ***s from bash.org, that's why it shows up as hunter2 on your screen).

    Is that a sign I should get out more often? ;)

  17. All Password managers suck by Big+Hairy+Ian · · Score: 3, Insightful

    One thing that really pisses me off about just about every browser is being asked if I want it to remember my password. I mean honestly do people really trust Internet Explorer or Firefox to store their valuable passwords in a massively secure way? Call me Mr Paranoid if you like but I don't trust anything that stores more than a hash.

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  18. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  19. Re:Please! by Ilgaz · · Score: 2, Insightful

    So Opera can't be better than Firefox or any other browser on certain aspect for what reason?

    You should see my BS meter when I see someone at /. bitch about Opera, and I am not an Opera Desktop user; I use Safari with 1Password and I don't really know 99% of my passwords at all.

  20. Re:Please! by Spad · · Score: 3, Informative

    Clear your saved passwords *for their site*:

    Part 1: Delete all saved passwords for www.info-svc.com

  21. Perfectly secure by daybot · · Score: 2, Funny

    I find Safari's password manager perfectly sec^H^HONLINE MEDS, CHEAP V1AGRA, NO PRESCRIPT1ON REQUIRED

  22. Wordpress dashboard shows this flaw by yabos · · Score: 2, Interesting

    Anyone using Wordpress admin + Safari can see this for themselves. Embedded in the Wordpress admin "dashboard" is a frame with a wordpress.com source. This frame will show you statistics about your blog if you're logged in to wordpress.com. The problem is that in Safari, when you have auto fill turned on, it puts the login credentials from myblog.com (i.e. your own blog login credentials) into this form, which is hosted on wordpress.com.
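The two attack shapes described in this thread, the attacker-controlled subdomain in comment 7 and the third-party frame embedded in an admin page in comment 22, both come down to the same question: what does the password manager compare before it autofills? The block below is an added example, not code from Safari, Chrome, Firefox or the study, that models that decision with a loose site-level rule beside a strict origin-level rule. The policy names, the `registrableDomain` shortcut (last two host labels, with no Public Suffix List, so wrong for hosts like `foo.co.uk`) and all hosts and credentials in it are constructed for illustration.

```javascript
"use strict";

// Added example: a model of the "should the password manager autofill this form?"
// decision. Not any browser's real code; names and rules are assumptions.

// Origin = scheme + host + port, as the WHATWG URL parser computes it.
function originOf(url) {
  return new URL(url).origin;
}

// Toy "registrable domain": the last two host labels. Real browsers consult
// the Public Suffix List; this shortcut is wrong for hosts such as foo.co.uk
// and is used only to keep the example self-contained.
function registrableDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// A saved credential is keyed on the origin of the page it was saved on.
function savedCredential(originUrl, username, password) {
  return { origin: originOf(originUrl), username, password };
}

// The context in which a login form is found:
//   topOrigin   - origin of the top-level document shown in the address bar
//   frameOrigin - origin of the document that actually contains the form
//                 (equal to topOrigin unless the form lives in an iframe)
//   formAction  - absolute URL the form will submit to (relative actions are
//                 assumed to have been resolved already)
function formContext(topUrl, frameUrl, actionUrl) {
  return { topOrigin: originOf(topUrl), frameOrigin: originOf(frameUrl), formAction: actionUrl };
}

// Loose rule: the credential's site matches the site of the top-level page.
// Any subdomain, and any form in any frame embedded in that page, qualifies.
// This models the behaviour the comments above complain about.
function loosePolicy(cred, ctx) {
  return registrableDomain(cred.origin) === registrableDomain(ctx.topOrigin);
}

// Strict rule: the form's own document must be exactly the origin the
// credential was saved for, and the form must submit back to that origin.
function strictPolicy(cred, ctx) {
  return cred.origin === ctx.frameOrigin && cred.origin === originOf(ctx.formAction);
}

// Constructed scenarios (no real sites or credentials).
const cred = savedCredential("https://www.example.com/login", "alice", "correct horse");
const scenarios = {
  // Same page the password was saved on.
  sameOrigin: formContext("https://www.example.com/account",
                          "https://www.example.com/account",
                          "https://www.example.com/login"),
  // Attacker-controlled subdomain asking for the parent site's credential (comment 7).
  subdomain: formContext("https://evil.example.com/",
                         "https://evil.example.com/",
                         "https://evil.example.com/steal"),
  // Third-party iframe inside a page on the saved site (comment 22).
  embeddedFrame: formContext("https://www.example.com/wp-admin/",
                             "https://stats.example.net/widget",
                             "https://stats.example.net/login"),
  // Form on the right origin whose action points somewhere else entirely.
  foreignAction: formContext("https://www.example.com/login",
                             "https://www.example.com/login",
                             "https://collector.example.org/post"),
};

// Returns { scenarioName: true|false } for a given policy.
function decide(policy) {
  const out = {};
  for (const [name, ctx] of Object.entries(scenarios)) {
    out[name] = policy(cred, ctx);
  }
  return out;
}

console.log("loose :", decide(loosePolicy));
console.log("strict:", decide(strictPolicy));
```

Under the loose rule every scenario gets the saved password, including the evil subdomain and the foreign frame; under the strict rule only the form on the exact saved origin that submits back to that origin does. IBBoard's point in comment 15 survives either way: a strict manager can still hold several credentials for one origin, it just has to be keyed on the form's real owner and destination rather than on whatever site name happens to be in the address bar.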