PDA

View Full Version : How safe are FF and IE7 "remember password" options?


Rhythmdvl
04-15-2009, 04:41 PM
I'm sick of it. Sick sick sick of remembering and typing in a thousand and one passwords. I'm sick of typing in the same password for low-security sites. Blech!

So I'm starting to get tempted by FF helpfully asking if I want it to remember my password. Same with IE. The PC is in our home office, so there is no possibility of anyone outside the Dvl clan having access to the machine.

Aside from being burgled, is there any security risk from using these helpers? I run ZA pro and regularly scan for malware, but of course anything can happen between scans.

Lemur866
04-15-2009, 05:02 PM
Ask yourself: what's the worst that could happen? Someone gets to read the New York Times without registering? Or access to your bank account?

If it's access to a website that requires registration, the risk is zero. If it's access to your email the risk is higher, but still pretty low. If it's access to your bank account then it's high.

Rhythmdvl
04-15-2009, 05:13 PM
I thought I was supposed to ask myself if I felt lucky (well, do I?).

So, there is a non-zero chance of a malicious Web site reading the contents of the password file? Has it been done before or is it a theoretical possibility?

Mr. Slant
04-15-2009, 05:52 PM
It has been done before and will happen again.

Myglaren
04-16-2009, 02:21 AM
In Firefox you can set a master password to add a layer of protection to your standard passwords.

hobscrk777
04-16-2009, 07:59 AM
I have Firefox remember all my trivial passwords (email, SDMB login, pr0n login, etc), but not my critical ones (bank account, credit card, etc.). Instead, I have a desktop application that keeps these critical account passwords managed and recorded under digital lock-and-key. This application requires a master password. I suppose if someone wanted was really motivated, they could get into my computer somehow and access these critical passwords, but at least they're not sitting in the login fields having been automatically filled in.

HorseloverFat
04-16-2009, 09:42 AM
Its not safe at all. Theyre stored in plain text.

FF does have the option to add a master password, which is just conventional cryptography to that file. I imagine if you used a really good master password then you would have a small amount of protection, but if the trojan on your system is also a keylogger then the attacker has that password too.

I also do something like what hobscrk777 suggests. I never save financial passwords.

I also dont run as local admin (http://nonadmin.editme.com/) when I use the internet, so that right there makes me immune to almost any attack.

Myglaren
04-18-2009, 08:48 AM
Its not safe at all. Theyre stored in plain text.

FF does have the option to add a master password, which is just conventional cryptography to that file. I imagine if you used a really good master password then you would have a small amount of protection, but if the trojan on your system is also a keylogger then the attacker has that password too.

I also do something like what hobscrk777 suggests. I never save financial passwords.

I also dont run as local admin (http://nonadmin.editme.com/) when I use the internet, so that right there makes me immune to almost any attack.

(Bolding mine)

That's a thought. Although the question was about Firefox, I use a hardened Linux machine for any sensitive accounts and don't save the passwords for internet banking etc.