Browser-saved password - security risk?

Discussion in 'other software & services' started by amarildojr, Mar 20, 2016.

  1. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,985
    Location:
    Brasil
    I save all my passwords directly on Firefox and lock them with a Master password, but I'd like to know if this is too risky. Has anyone seen a vulnerability in Firefox that allowed a malicious website to grab saved passwords?
     
  2. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    I have often wondered about this also.
     
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    There are regularly vulnerabilities like that; even LastPass, which is supposedly more secure, suffers from them.

    http://www.bishopfox.com/news/2015/07/lastpass-site-password-stealing-clickjacking-vulnerability

    As for retrieving passwords stored in the browser, even with a master password, read this (section 4, "Autocomplete"):

    http://resources.infosecinstitute.com/browser-based-vulnerabilities-in-web-applications

    For important webpages, it is better to use an offline password manager. You cannot beat the security triangle: more convenient = less secure.
     
  4. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Here is some other info:

    https://www.bestvpn.com/blog/27352/firefox-built-in-password-manager-review
     
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    Simple as that: don't store passwords which are really sensitive, like banking or buying in general (eBay, Amazon, etc.) or admin actions.
    And change passwords regularly.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I'm pretty sure I remember seeing other browsers read password info from Firefox for example, which bothered me somewhat. It's probably possible that other apps or even the system (Win 10 for example) could do that (if you're in Win). I never store banking or other sensitive passwords anywhere, period.
     
  7. haakon

    haakon Registered Member

    Joined:
    May 25, 2015
    Posts:
    761
    Location:
    SW USA
    I have 63 sites configured and use a simple 10-character master password for convenience. By simple I mean my birthday mixed with three of my initials, i.e. d1903s2589g, where the year 1989 is split as shown... XyymmXddyyX. Typing that in has become more muscle memory than brain.

    The logins are for unimportant sites where I've created unique content profiles (news, entertainment), product and software sites for stuff I haven't purchased (no financial data), email sites I use for junk communication (yahoo, AOL and some others) and really really unimportant sites that need logins. Like forums. :D I don't use my real name or location for any of them.

    I clear Active Logins (among other History and RAM cache) religiously. That means the password has to be re-entered the next time a configured site is visited.

    If anyone can steal my key3.db and logins.json files, I say... knock yourselves out.

    Other login data are stored locally and protected with a 24-character complex password and Serpent 256.
     
    Last edited: Mar 21, 2016
  8. haakon

    haakon Registered Member

    Joined:
    May 25, 2015
    Posts:
    761
    Location:
    SW USA
    Wow. You have all that memorized??!! :eek: My hero. :D
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Haha... most of it, believe it or not. Along with a few cheat notes on paper. :)
     
  10. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,985
    Location:
    Brasil
    Thanks, but if you notice:

    The feature is convenient for users, as they don’t have to remember and enter the password, but it poses a problem if the user is using this feature on a shared or public computer. An attacker can easily retrieve the stored password from the browser.

    I only store passwords on my personal computer, which nobody else uses.

    Also, the page says:

    Even if the stored passwords are encrypted or protected by the master password (a password to access the stored passwords), an attacker can retrieve this password by visiting the application, for which the password is stored, in the browser. An attacker enters the username and the browser automatically fills the password field.

    I cannot reproduce this. When I open the browser and go to a website for which I have a password stored, the browser will ask me for the master password. If I don't supply the correct password (or cancel the operation) no saved password will appear at all (on the mentioned website).

    Then the page says:

    The saved password can be accessed by navigating to: Firefox: Options > Security > Saved Password

    I cannot reproduce this either. No matter what I do, Firefox will ask me for the Master Password every time I open "Saved Credentials".

    Thanks :)

    I guess I'm safe:

    Assuming that a strong (and unique) master password has been set, local storage of passwords in Firefox should be secure, as they are encrypted using a 256-bit AES cipher (as utilized by the US government for sensitive data, and generally considered very secure).


    I do consider such an attack possible, but I'm not on Windows and I don't use proprietary browsers like Chrome (not even Chromium), so I shouldn't be vulnerable to it. The only proprietary program running here is Steam, and it is limited by Firejail so it can't read ".gnupg" or ".mozilla", for example :) (among many other limitations).

    Exactly ;)

    Yeah, after typing them a few dozen times it's quite easy to remember, right? :) I used to memorize 3 64-character random passwords when I didn't have LVM implemented hehehehe.
     
    Last edited: Mar 24, 2016
  11. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Well, my impression/speculation (not enough technical knowledge to provide a more robust statement than this) is that it's basically OK when the OS itself is properly secured.
    All the hype about the Firefox password manager being insecure is mainly marketing by password manager devs (LastPass, Dashlane, etc.).
     