Consider the following:
- Are you using Firefox?
- Do you use the "Save Password" feature for web forms?
You are probably assuming that some geek security freak at the Mozilla Foundation made sure your passwords are safe, encrypted one-way into an unbreakable AES/MD5/SomeHashBuzzTLA.
Well, they are not.
Follow these steps:
Open the preferences screen in Firefox (this is the OS X version, but the Windows version is just the same).
Click on "Show Passwords"
We're not there yet. Click "Show Passwords" one more time (it can't be that easy), and get the following:
I blurred the images for obvious reasons, but you can guess how it looks - the entire site/username/password list is there in clear text.
I know this "feature" is well documented if you bother to look it up, and it can be somewhat mitigated if you place a master-password over the configuration. Still, I find it unacceptable for a browser to behave this way by default.
My recommendation - assume passwords saved in Firefox are compromised to begin with, and only save passwords for sites where you don't care if someone knows the password.
4 comments:
This may be somewhat beside the point, but it's important to point out that passwords can't be saved in an encrypted or otherwise mangled fashion (i.e. hashed). This is because the passwords' plaintext must be available for use when preparing the request, be it HTTP, HTTPS or otherwise.
You're right, just hashing it one-way is wrong, but it doesn't prevent the password management system (whatever it is) from encrypting it in some form, which people assume is not easily accessible as it is here.
In case you didn't know, then (since, like, forever) you can set a master password on your Firefox profile and then all your sensitive details would be encrypted.
Then, the first time a sensitive detail is needed (in a session), you're prompted for the password.
In your Preferences, go to Security and then check Use Master Password.
In fact, I can almost swear that the first time you're prompted to save a password and you accept that offer, you're also offered to set a master password.
Yeah, I know you can do this, this is why I said "somewhat mitigated if you place a master-password over the configuration". :)
For most users, the default configuration is the only configuration - and they assume it works a certain way, which it doesn't really.