All About Safe Browsing

Uh, no? They started with IE8 iirc and this was back when IE was funding them.

 

from the Mozilla/Firefox test page:

yes, store all your passwords inside your browser.
it seems like a great idea!

until the day when your browser get pwned. lol

 

I suppose Firefox/Mozilla team doesn't make use of it, right?

 

hahaha!

 

Faster browsing, safer downloading

http://chrome.blogspot.com/2012/02/faster-browsing-safer-downloading.html

 

I like bacon sarnies with 'Daddies' brown sauce, not sure what it's got to do with browsing though.

Is the new Chrome version 17.0.963.46 free of E-Numbers or something?

 

Ha! I thought the same thing.

 

i mean, you really gotta wonder who comes up with stuff like that. lol

 

Do you have any evidence that the FF Password Manager is not safe? Yes, there had been security issues some years ago which are fixed, though. In any case, all usernames and passwords are encrypted, and particularly if you use a good master password I don't see any reason to mock it.

I'm saying that as a Lastpass user which I prefer for other reasons.

 

Actually usernames and passwords aren't encrypted unless you use a MP. Unless things have changed.

 

As mentioned, I'm using Lastpass so I cannot test that right now. However, this site says:

 

Glad that it's changed then.

 

Actually that's not at all new. The old signons.txt file used in FF 1 and 2 was already encrypted.

 

Strange - I wonder where I'd heard otherwise.

 

It's not a matter of having evidence or not (I think I've seen someone mentioning an article in this forum - I believe at the privacy sub-forum - mentioning web browsers, not just Firefox, aren't that great storing passwords.).

I never made any statements. I just figured that someone clever would never use a browser to store their passwords. I mean, storing passwords in an Internet facing application? You won't ever see me do that, that's for sure. Then again, some even store them in the cloud. I don't know if that's how Lastpass works, so it's not an attack attempt at you.

I'm better off with an offline (no Internet connection, at all) password manager. But, that's me. Anyone else is free to use whatever solution they want.



-edit-

Found the thread https://www.wilderssecurity.com/showthread.php?t=313042 which links to here: -http://www.thewindowsclub.com/chrome-firefox-show-passwords-plain-text-ie9

Please, note that I'm not saying whether or not it's relevant for the most recent versions.

 

really.
it's like going to sleep with your door unlocked because you think you live in a safe neighborhood.

you keep playing the odds, eventually the bookie will show up.

 

Well, if it comes to Lastpass I've tried to explain elsewhere why I consider it secure.

I had read that before and regarded it irrelevant. What this guy says is:
1. If you go to settings -> security -> saved passwords, and
2. if you instruct FF to show your passwords, and
3. if - while you're doing this - someone is standing behind you and looking over your shoulder

... well, then you've got a problem. What does that say about the security of the built-in password manager in general? Answer: Nothing.

 

Well said.

Frankly I haven't found a good way to manage passwords. I remember most of them but then you need to change them regularly, ugh. And I hate to use the same construction for all of the passwords, makes them harder to remember. There's something in every password manager that I don't trust so I haven't committed to any of them. Inexplicably that has led me to keeping some of them written on a list next to the computer (umm.. WHAT?).

 

Please read what I wrote about Lastpass. Once you've understood its technical background you will probably agree that it's a good solution.

Quite frankly: This probably means that you're using weak passwords, even if you created them by using, e.g., mnemonic phrases. This might work for 2 or 3 passwords but not for 10 or more.

 

They're probably plenty strong. If you use anything over 12 characters it won't be cracked. aaaaaaaaaaaaaaaaaa is a very strong password (equal to: abababababababababb)- it's only thought of as weak because of the assumptions we make about how it's attacked.

 

Or, maybe you're too focused doing something and don't even pay attention. You just want to add one more password to it, and while you're doing it, everything else is revealed.

And, in opposition, a password manager such as Keepass, and I'd imagine Lastpass, would not reveal them. Whenever I open my password's database to add/change something, they're hidden.

Anyway, the point is I would never trust my passwords to a browser's password manager. And, a minimally decent browser password manager, would hide the passwords by default, IMHO.

Also, while adding/editing the passwords in those browsers, while the user is surfing, couldn't a bug in the browser allow access to the passwords, which are on plain sight? Let's just imagine it would happen that the user visits a website that's taking advantage of a bug in the browser to get access to the passwords.

Is such a scenario impossible to happen? Note that I'm not asking if it's likely to happen; I'm asking if it's impossible to happen.

 

I did read the post you linked to. Problem is I just don't understand exploits well enough at this point to make an informed decision. My (maybe irrational?) fears are that someone can just run a JavaScript or malicious code in my browser to harvest the credentials stored there & send them back to the bad guy. If the bad guy can crack my master password then he's got them all. At least if I keep them all independent, if one gets cracked they're not all automatically cracked.

Regarding the strength of passwords... actually regarding passwords in general: that's a rabbit hole I've been avoiding. Too many variables & too many diverging opinions. Of course the basics are obvious:
-avoid dictionary words
-don't use the same password across accounts
-qwerty, s3cr3t, and password1 might be the least safe passwords ever

There doesn't seem to be a decisive authoritative source on password management, or at least not one that I've found. If anyone has some good links I'd very much like to see.

 

To make the passwords unviewable they would have to be further encrypted a la master password. Otherwise any obfuscation would be meaningless since they would be stored on disk.

Assuming no master password/ further encryption (The default method is to encrypt with windows password) a vulnerability could potentially leak the password of either LastPass or the browser - both products have vulnerabilities.

I'm sure browsers take steps against this - webpages probably do not have access to passwords.

 

Are you saying that Firefox's master password is the one the user uses as his/her user account password?

What exactly do you mean by The default method is to encrypt with windows password?

-edit-

I suppose you meant the master password only protects access to the password manager's window.

- end of edit-

Well, it's not a about if they allow it, it's rather a matter of bugs allowing it, isn't it?

On a side note, I found this at Mozilla's website:

Source: -https://support.mozilla.org/en-US/kb/Protecting%20stored%20passwords%20using%20a%20master%20password

It's a bit worrying, isn't it? This means that if I'm to start my Firefox session, then the passwords will be viewable for as long as the session is alive.