2008-02-09

Assumption is The Mother of All Fuckups - Firefox Password Manager

Consider the following:
  1. Are you using Firefox?
  2. Do you use the "Save Password" feature for web forms?
If you answered yes to these questions, you are at risk. Not the kind of "cool buffer overflow" risk, that I personally ignore most of the time, but the kind of "anyone knowing this sitting near my computer knows all my passwords in 2 seconds" risk.
You are probably assuming, that some geek security freak at the Mozilla Foundation made sure your passwords are safe, encrypted one-way into a unbreakable AES/MD5/SomeHashBuzzTLA.
Well, they are not.

Follow these steps:

Open the preferences screen in Firefox (this is the OS X version, but the Windows version is just the same)

Click on "Show Passwords"
We're not there yet. Click "Show Passwords" one more time (it can't be that easy), and get the following:


I blurred the images for obvious reasons, but you can guess how it looks - the entire site/username/password list is there in clear text.

I know this "feature" is well documented if you bother to look it up, and it can be somewhat mitigated if you place a master-password over the configuration. Still, I find it unacceptable for a browser to behave this way by default.

My recommendation - assume passwords saved in Firefox are compromised to begin with, and only save passwords for sites where you don't care if someone knows the password.
Labels:

6 comments:

  1. This may be somewhat besides the point, but it's important to point out that passwords can't be saved in a encrypted or otherwise mangled fashion (i.e. hashed). This is because the passwords' plaintext must be available for use when preparing the request, be it HTTP, HTTPS or otherwise.
    ReplyDelete
  2. You're right, just hashing it one-way is wrong, but it doesn't prevent the password managements system (whatever it is) to encrypt it in some form, which people assume is not easily accessible as it is here.
    ReplyDelete
  3. In case you didn't know, then (since, like, forever) you can set a master password on your Firefox profile and then all your sensitive details would be encrypted.

    Then, the first time a sensitive detail is needed (in a session), you're prompted for the password.

    In your Preferences, go to Security and then check Use Master Password.

    In fact, I can almost swear that the first time you're prompted to save a password and you accept that offer, you're also offered to set a master password.
    ReplyDelete
  4. Yeah, I know you can do this, this is why I said "somewhat mitigated if you place a master-password over the configuration". :)

    For most users, the default configuration is the only configuration - and they assume it works a certain way, which it doesn't really.
    ReplyDelete
  5. OK, if a bad person had access to your computer, this would be a bad thing. Nothing new, right?

    I mean, that person could as well switch Java on and surf to a malicious website to get your PC infected (with a Trojan horse, for example), so that encryption doesn't help you anymore!
    So why should Firefox give you the illusion your passwords were save, by encrypting them?

    When my browser tells me it "remembers" an information (like a password), then my intuition tells me, that information has to be stored somewhere and that it can be received easily. Like, your surfing history, cookies, and, by the way, ANY OTHER DATA ON YOUR HARD DRIVE can be easily read out and even manipulated in no time by anyone who has physical access to your running computer! This person could also directly infect your PC (with a Trojan horse, for example) and/or manipulate it in every possible way! To prevent this (I don't know if this is really totally possible at all) you'd have to take FAR MORE steps than simply configuring your browser right! Or, on the other hand, you could just log off from your windows session (press Windows key + L), or turn on a password protected screen saver or whatever, when you leave your running computer for a short time. This would NOT be absolutely secure, but already much more secure than encrypting your passwords!

    Encrypting your passwords could only act as a child-proof lock!

    The only real security purpose imaginable to me would be, if someone breaks into your home and accesses your computer you could prevent him/her from easily reading out your passwords, but ONLY if you realize that your PC has been accessed and immediately delete and reinstall your hole system, in order to destroy any Trojan horse!
    But for that scenario it would make MUCH more sense to encrypt your whole hard drive (free programs for that purpose are available on the net), so again, consider password encryption to be a child-proof lock and only use it for that single purpose!
    ReplyDelete
  6. Thanks for the Firefox Password Manager. I think this makes changing saved passwords en masse fairly easy. First, log into a site with your new password, and check that Firefox saved it. Open the saved password file, copy the stored password for that site, and paste it over the stored password for each site you want to update. Restart Firefox, and you should breeze past login pages just like normal.
    ReplyDelete

Subscribe to: Post Comments (Atom)