Operation Bootstrap

Web Operations, Culture, Security & Startups.

Browser Password "Security"

This is interesting. I’m not sure many people stop to think about the risks involved in saving the passwords for all their web sites within the browser. It’s not surprising that the software is so vulnerable: password management is a required yet very behind-the-scenes feature of modern browsers. In these tests, which I think are fantastic, a few things stand out for me.

First, the browsers that get the most scrutiny don’t necessarily have better security in features that aren’t front and center, such as this one. Until now I haven’t seen much focus on password management security, although I’ve long had the opinion that Firefox was a cut above the rest because you could secure your password store with a master password.

Second, the number of tests that failed on all or most browsers is amazing. Some of these are very basic, such as warning users when one of these conditions exists or when the destination domain doesn’t match the one the password was saved for. In this world of phishing and social engineering the warnings can become tiresome and routine, but basic validation should take place, and Opera and Firefox seem to be on top of that heap.
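To make that "basic validation" concrete, here is an added example (not code from the original post, and not any browser's implementation) of the origin check a password manager should make before autofilling a saved credential: the page's origin and the form's submit destination must both equal the origin the password was saved for. The credential format, the function names and the sample URLs are assumptions of this example; a deliberately naive hostname check sits beside the strict one to show what a look-alike host or an injected form gets past.

```javascript
// Added example, not code from the original post or from any browser: the
// origin check a password manager should make before autofilling saved
// credentials into a form.  The credential format, function names and the
// sample URLs below are this example's own assumptions.

// Origin = scheme + host + port, with default ports dropped.  URL.origin does
// that normalization for us.
function originOf(url) {
  return new URL(url).origin;
}

// A naive host check of the kind that lets look-alike hosts through: it only
// asks whether the page's hostname begins with the saved hostname, and it
// ignores the scheme and where the form actually submits.
function naiveHostMatch(savedUrl, pageUrl) {
  const savedHost = new URL(savedUrl).hostname;
  return new URL(pageUrl).hostname.startsWith(savedHost);
}

// Strict decision: fill only when the document's origin AND the form's
// submit destination both equal the origin the credential was saved for.
//   savedUrl   - URL the credential was saved on
//   pageUrl    - URL of the document containing the login form
//   formAction - the form's action attribute (may be relative or empty);
//                an empty action submits to the page URL itself
function autofillDecision(savedUrl, pageUrl, formAction) {
  const savedOrigin = originOf(savedUrl);
  const page = new URL(pageUrl);
  const action = new URL(formAction || '', pageUrl); // resolve relative to the page

  if (page.origin !== savedOrigin) {
    // Same host over plain http is the classic downgrade; name it explicitly.
    const downgrade =
      page.protocol === 'http:' &&
      savedOrigin.startsWith('https:') &&
      page.hostname === new URL(savedUrl).hostname;
    return {
      fill: false,
      reason: downgrade
        ? `scheme downgrade: credential saved for ${savedOrigin}, page is ${page.origin}`
        : `page origin ${page.origin} does not match saved origin ${savedOrigin}`,
    };
  }
  if (action.origin !== savedOrigin) {
    return {
      fill: false,
      reason: `form submits to ${action.origin}, not to ${savedOrigin}`,
    };
  }
  return { fill: true, reason: 'page and form destination match the saved origin' };
}

// Constructed sample cases (not real sites).
const SAVED = 'https://mail.example.com/';
const SAMPLES = [
  ['https://mail.example.com/login', '/auth'],                    // legitimate login form
  ['https://mail.example.com/login', 'https://attacker.test/c'], // injected form posting elsewhere
  ['http://mail.example.com/login', ''],                          // plaintext downgrade
  ['https://mail.example.com.evil.test/login', ''],               // look-alike host
];

function runSamples() {
  return SAMPLES.map(([pageUrl, action]) => ({
    pageUrl,
    naive: naiveHostMatch(SAVED, pageUrl),
    strict: autofillDecision(SAVED, pageUrl, action),
  }));
}

for (const r of runSamples()) {
  console.log(`${r.pageUrl}\n  naive host match: ${r.naive}\n  strict: ${r.strict.fill} (${r.strict.reason})`);
}
```

Run it with `node` and the naive check says "match" for all four cases, while the strict check fills only the first. The point of the comparison is that matching on the hostname string alone is not validation; the scheme, the port and the form's real destination all have to agree with what was saved.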

As a side note, I was thinking a bit about the master password in Firefox the other day. I use it, and I notice that it pops up at the first instance of needing access to the password store. That could be shortly after you open your browser, or it could be when you hit a certain site for which a password is saved. The point is, you don’t really know when to expect it; it doesn’t prompt at startup. Now, imagine a website that was able to simulate that master password prompt. Would you question it? It’s just a box with a field, some text and an “OK” or “Cancel” button. I suspect it’s easily spoofed, at least well enough to fool some folks. I actually bet most folks don’t even use it, but I think the feature makes us feel more secure than it actually makes us.

But in general, should you save passwords in a browser at all? A password is intended to be “something you know”. The value of a password lies in the fact that, ideally, it cannot be stolen from you physically or electronically because you keep it in your head. When we store a password in a browser it becomes “something you have”, and then the security of the storage mechanism becomes what matters.

Applications will never be without faults. The more web browsers become our application platform, the more features like password storage will become vectors for attack. Any chink in the armor will do, so it becomes a bit of an arms race. Better to avoid the whole situation and stick to standard password management tools that are designed for the task.

There are plenty out there; KeePass and Password Safe, to name two. These applications have a number of features that make them well suited to securely managing your passwords:

  1. They hide passwords from shoulder surfing but still allow you access to them

  2. They limit interaction from other applications, which makes electronically stealing your password much more difficult

  3. They have had focused scrutiny around their ability to secure passwords, not around how fast or furiously they are able to wrangle web apps

  4. They maintain a portable database of passwords that is browser independent

There is no doubt that the built-in password manager in a browser is convenient. Consider for a moment, however, the work involved in recovering from a stolen Gmail or Yahoo! password. Or your favorite banking site, or worse. If you are forced to type the common passwords you use all the time, you will remember them. For those that are more obscure, store them in a password database. If you really feel up to it, simply maintain a list of all the sites you have ever registered at (you remember them all, right?) and then go to each and every one of them and update your password each time you change it (you do change your passwords, right?).

When you’ve gone insane, try a password manager.