All About Safe Browsing

Discussion in 'other software & services' started by Hungry Man, Jan 31, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't know how lastpass works but I can only assume that it's the exact same way but with some more obfuscation but not encryption. It would have to encrypt each key separately with a separate passphrase for that to work.

    What I was saying is that by default, without a master password, your passwords are encrypted with your Windows logon password. With a master password they're further encrypted.
     
  2. tlu

    tlu Guest

    The FF password manager has been there for many years, and I'm not aware of any bugs with respect to allowing websites accessing it. Nevertheless, it's certainly a good idea to use Secure Login which provides protection against possible XSS attacks (among other advantages). I had used it before I moved to Lastpass, and it's really good IMHO.

    Viewable by whom? Would you keep the password manager window permanently open (with the passwords displayed)? And don't you lock your screen if you go for lunch? ;)

    Besides, that's probably true for most other password managers like Keepass. Once you open it it stays open until you close it. Only password managers that have a time-out option (like Lastpass) are not affected.
     
  3. tlu

    tlu Guest

    Good starting points are here, here and here.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Looks like a Firefox master password type thing to me except it generates passwords for you.

    edit: And yes, if you open any password manager (unless they encrypt each password with a separate password) it's all decrypted.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    My point was that Firefox will leave the passwords viewable, for as long as the session lasts. Now, imagine a session lasting for a few hours. :p This means that, if the browser is to be hijacked, if conditions are met, then it's 100% easier to get them, no? o_O But, if they were encrypted by the master password - after a few seconds of no activity - then, it would be harder... depending on how weak the master password is.

    But, anyone is free to place there their important password. It's not my concern. :D

    In opposition, an offline password manager doesn't have that weakness, because... well... it's offline.

    Not if I'm in a hurry to go to the bathroom!!! :eek: Thinking of locking the system will be the last of my concerns! :argh:

    And, regarding KeePass, the user can choose to have it automatically locked down. :)

    Besides, I like the Secure Desktop feature that KeePass offers.
     
  6. tlu

    tlu Guest

    This again assumes that a website can access the password manager. I've found no evidence for that. And what exactly do you mean with "hijacked"? Anyway, if you have a keylogger/trojan on your system, I doubt that another password manager would be necessarily more secure. Okay, I've just seen your remark about the Secure Desktop of Keepass - great feature. So I agree that there are password managers that offer advantages over the FF one - but is that reason enough to ridicule it and call it insecure?

    Agreed, I was wrong about Keepass - it has that option. But would it help if you're in a hurry to go to the bathroom and someone else has access to your computer within the time-out period while you're sitting on the can? :D
     
  7. BrandiCandi

    BrandiCandi Guest

    Thanks for the links- those were very informative.
     
  8. BrandiCandi

    BrandiCandi Guest

    I think he means something like this or this.
     
  9. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i can't even begin to comprehend what storing passwords in Internet-facing apps like browsers, or Cloud based 'solutions', has to do with "safe browsing". :cautious:

    different strokes for different folks, i guess.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    As long as it's encrypted it doesn't matter if it's on a cloud server or my computer. The attacker can't do anything with it.
     
  11. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    maybe so.

    still, i don't have the knowledge to put that to the test or verify that it is indeed safe.
    so for an old geezer like me with a healthy dose of paranoia i feel safer to use an offline password manager like KeepassX.

    i don't even check my emails when i am at work, so for me Cloud based solutions are irrelevant.
    the only computer i trust is my own.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You got at least this one, which dates from 2007... not that long ago. ;)

    -https://bugzilla.mozilla.org/show_bug.cgi?id=360493

    -edit-

    Please, note that I'm not trying to argue against Firefox's password manager. I'm discussing browser password managers, in general.
     
    Last edited: Feb 13, 2012
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, safe browsing may include safe password safe. :D ;)
     
  14. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    hahaha! :D
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The Firefox master password is encrypted very powerfully. You don't have to worry about it being cracked just because it's in the cloud.

    All password managers that act the same way work the same way - they further encrypt your passwords and give you a "master password" to decrypt those. Once you enter that password they're all decrypted - whether you're using LastPass, KeePass, or Firefox.

    At most they'll all be encrypted separately but with the same passphrase and then individually decrypted as necessary. This would be silly since the password would have to remain in memory and would therefore be just as vulnerable to the type of attack posed by the topic.

    The only difference in terms of this attack is that Firefox would be more targeted since (I assume) there are more Firefox users than Last/KeePass.
     
  16. tlu

    tlu Guest

    Exactly - provided that you have a strong master password. :thumb:
     
  17. tlu

    tlu Guest

    Yes, I remember now that I had seen that before. Well, one bug in many years. Besides, as far as I understand that bug was more of an XSS attack where probably other password managers would have problems, too. If an XSS attacker could read your password from the login site an alternative password manager would also be of no help, IMHO. BTW, that's why I wrote that using the SecureLogin add-on is a good idea. And Noscript, of course ;)

    Understood. I was only a bit irritated as I had the impression that the accusations against the built-in password manager were not really based on facts.
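
The master-password unlock and idle time-out behaviour debated in this thread, as an added sketch that is not part of any post and is not the code of Firefox, LastPass or KeePass: a key is derived from the master password with PBKDF2, and entries are readable only while that key is held in memory. The `Vault` class, the iteration count, the time-out value and the HMAC-based stand-in cipher are assumptions made for the example.

```python
import hashlib, hmac, os, time

ITERATIONS = 100_000   # assumed PBKDF2 work factor for this sketch
IDLE_TIMEOUT = 30.0    # assumed seconds of inactivity before auto-lock

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 counter mode) to stay stdlib-only; use a vetted AEAD in practice.
    blocks = (_mac(key, nonce + i.to_bytes(8, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

class Vault:
    def __init__(self, master, clock=time.monotonic):
        self._salt, self._clock = os.urandom(16), clock
        self._entries = {}   # site -> (nonce, ciphertext, tag)
        self._keys = None    # (enc_key, mac_key), held only while unlocked
        self._verifier = _mac(self._derive(master)[1], b"verifier")

    def _derive(self, master):
        km = hashlib.pbkdf2_hmac("sha256", master.encode(), self._salt, ITERATIONS, dklen=64)
        return km[:32], km[32:]

    def unlock(self, master):
        keys = self._derive(master)
        ok = hmac.compare_digest(_mac(keys[1], b"verifier"), self._verifier)
        self._keys, self._last_used = (keys if ok else None), self._clock()  # a wrong guess also locks
        return ok

    def _live_keys(self):
        if self._keys and self._clock() - self._last_used > IDLE_TIMEOUT:
            self._keys = None    # idle too long: drop the keys (Python cannot guarantee a memory wipe)
        if not self._keys:
            raise PermissionError("vault is locked")
        self._last_used = self._clock()
        return self._keys

    def put(self, site, password):
        (enc, mac), nonce = self._live_keys(), os.urandom(16)
        ct = _xor_stream(enc, nonce, password.encode())
        self._entries[site] = (nonce, ct, _mac(mac, nonce + ct))

    def get(self, site):
        enc, mac = self._live_keys()
        nonce, ct, tag = self._entries[site]
        if not hmac.compare_digest(tag, _mac(mac, nonce + ct)):
            raise ValueError("entry failed integrity check")
        return _xor_stream(enc, nonce, ct).decode()
```

Passing a fake `clock` lets the time-out be exercised without waiting; while the vault is unlocked, every stored entry is readable by anything that can reach the process, which is the exposure window the posts argue about.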
     