Slashdot Mirror

← Back to Stories (view on slashdot.org)

Safari and Chrome: Tied For the Worst Password Manager

Posted by CmdrTaco on from the remember-this dept.

Startled Hippo writes "Safari and Chrome are tied for the worst password manager built into a major Web browser, according to a new study on the issue produced by Chapin Information Services. One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site. The bug has been fixed in Firefox, but Chrome and Safari are still vulnerable to this kind of attack."

26 of 218 comments (clear)

  1. users can be tricked too... by Anonymous Coward · · Score: 5, Funny

    http://www.bash.org/?244321

  2. Aha! by fbish · · Score: 5, Funny

    Luckikly, all my passwords are exactly the same, so I'm fine.

    1. Re:Aha! by fbish · · Score: 5, Funny

      Luckily, I also cannot spell.

    2. Re:Aha! by Yvan256 · · Score: 4, Funny

      "exactly the same" is a bit strange for a password, isn't it?

    3. Re:Aha! by genner · · Score: 4, Funny

      "exactly the same" is a bit strange for a password, isn't it?

      No it's perfect. If you get torchered you'll be screaming that all your passwords are extactly the same and your captors will be clueless as to why they can't break you.

  3. I Use A Mac... by Telephone+Sanitizer · · Score: 5, Funny

    ...So I'm safe, right? ;-)

    1. Re:I Use A Mac... by goombah99 · · Score: 5, Informative

      macs do get credit for putting the passwords where they belong: in a centralized password keychain. Firefox rolls it's own separate password manager. At various time firefox's keychain has been found to be insecure and it's separate from your other keychains. There's no simple keychain brownser interface like the centralized keychain protection system safari uses.

      If you want to encrypt or hide or transport all your passwords it's easy in safari but hard in firefox since how it's done changes.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:I Use A Mac... by Jugalator · · Score: 5, Interesting

      Isn't it time Firefox supported the Mac Keychain? :-/

      --
      Beware: In C++, your friends can see your privates!
  4. Why focus on Chrome? by myxiplx · · Score: 5, Insightful

    To be honest, when the best browser is only scoring 7/21 they *all* need some work. Focusing on Chrome just means you're ignoring the bigger picture.

    1. Re:Why focus on Chrome? by tomknight · · Score: 5, Insightful

      You're assuming that the metric used by this company/person actually means something...

      --
      Oh arse
  5. Never use password managers by thetoadwarrior · · Score: 4, Interesting

    If you can't remember your password then write it on paper and hide it. Putting it on your computer, especially your Windows PC, is asking for someone take it.

    Even if they aren't in clear text the downside to using a password manager is everyone's passwords will be in the same place and in the same format. It's easy pickings.

    1. Re:Never use password managers by skeeto · · Score: 4, Insightful

      It depends on the account type.

      Yeah, don't let the browser store your bank and e-mail passwords.

      But your /. account, where logins are done in plaintext rather than https? Go for it. As soon as you log in wirelessly you have broadcasted your password to the world anyway. The password manager is not the weak link here.

      Plus, you know, it's only your /. account, not your life savings. The consequences for losing the password are small, so shifting the trade-off towards convenience will be more reasonable.

    2. Re:Never use password managers by yttrstein · · Score: 4, Interesting

      First place a local black hat looks? Under keyboards. One of the things its fun to do with new clients is to walk around their offices and grab every password-slip you can find. All the usual places -- under keyboards, in the desk drawer next to the pens, on the back of a monitor facing a cube wall.. And this one is my favorite:

      In a desk drawer but fastened to the underside of the desk surface. Very clever.

    3. Re:Never use password managers by poopdeville · · Score: 5, Funny

      I often leave notes for desk-Nazi's like you: "e@t_a_d1ck" or "Stop looking under my keyboard, asshole"

      --
      After all, I am strangely colored.
  6. Before someone asks by Opportunist · · Score: 5, Informative

    "How can this be exploited" when some subtree memeber of a domain can read credentials that should only be given to the top level member, read http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug.

    To save the others the hassle, allow me to sketch something. It's trivial to get the domain a000001.amazon.com under your control. It is, believe me, if you don't, just read it up. Well, maybe not exactly a0000001... but something to the quality of $foo.amazon.com can easily be made to point back to a webpage you control.

    Next, create a page for the internets most sought after resource: pr0n. Do like the missionaries, spread the word, unlike them you have ICQ and spam at your disposal to get people to visit your page. On this page, refer to $foo.amazon.com

    Then have $foo.amazon.com ask for the credentials.

    It's not so much that the threat of hijacking a "real" domain name (i.e. amazon.com itself) is too big after a few ISPs toughened their DNS lookups when the patches didn't come quickly. Few ISPs are left that are actually vulnerable to having their caches completely rewritten. Subdomains can still be hijacked (even after the half-assed patch we got lately), and in combination with browsers that send credentials to whatever subdomain, it's a serious security problem.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Is this really worth noting? by tomknight · · Score: 5, Insightful
    "Chapin Information Services."

    Who??

    Seriously, this looks like a typical "storm in a teacup to get people to take me seriously as a security researcher" notification.

    Who here really lets any password manager save any password they care about? I have Opera save details for systems that don't matter, everything else I just remember.

    Check out the website for more information about this astounding company.

    --
    Oh arse
    1. Re:Is this really worth noting? by qoncept · · Score: 4, Insightful

      Who here really lets any password manager save any password they care about?

      I do. And I bet at least one other person does.

      --
      Whale
    2. Re:Is this really worth noting? by tomknight · · Score: 4, Funny

      I can see why you post anonymously!

      --
      Oh arse
  8. don't save passwords by Speare · · Score: 4, Insightful

    Putting passwords in your web browser isn't just like hiding your house keys under the doormat, it's like taping the keys of your house to the front door.

    I don't keep full passwords on paper, nor do I use one of those password vault devices. Using truly random characters just means I have to write it down in full somewhere. I do have a text file that gives me *just* enough info that my mind can recall the password. For example, I might write "B`" and I recall that means "b1ZZare`" or I might use "W.P" to remember "To1.st0y". I know the rules I use to spell or punctuate words. I use different sorts of passwords for different tiers of security, from web forum, web merchant, web banking, private data, estate data, etc.

    --
    [ .sig file not found ]
  9. Why? by PhotoGuy · · Score: 4, Insightful

    I never understood the appeal of password managers. And they tend to be obnoxious, getting in your face until you disable them.

    If I have a high security password, I'm not going to want to store it in a browser for two reasons: 1) Someone else with physical accesse to my machine, has access to my stuff; 2) If I don't ever have to type my password, I'll often forget it.

    For lower-security passwords, I, like many, simply use the same one that's easy to remember, and used for all those stupid forums and other lightweight places that make you register.

    I've just never seen the need... It's definitely one of the most hyped up features that seems to have zero utility to me.

    --
    Love many, trust a few, do harm to none.
  10. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  11. Storing passwords is dumb by theaveng · · Score: 4, Insightful

    I've always thought storing passwords in your computer is dumb. (1) It makes it extremely easy for people to steal your PC or laptop and get into your sites. (2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were. (3) I think the safest place to store them is in your head.

    --
    FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
  12. MAJOR browser? by jedie · · Score: 4, Insightful

    How exactly is Chrome (which is backed by a major company) a major browser?

    --
    "The majority is always sane, Louis." -- Nessus
    http://slashdot.jp
  13. I should get out more often... by jonaskoelker · · Score: 5, Funny

    http://www.bash.org/?244321

    I don't need to go there. I know the answer is "hunter2" (if you're the guy, I just copy-pasted the ***s from bash.org, that's why it shows up as hunter2 on your screen).

    Is that a sign I should get out more often? ;)

  14. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  15. Re:My password manager is in my wallet by clone53421 · · Score: 4, Insightful

    Idiot-run newspapers are why bugmenot was invented.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.