January 1st, 2005, 03:56 AM
firefox saving passwords / usernames
I was wondering how exactally your browser saves your login information for random sites (ie......hotmail accounts, antionline accounts, etc)....I use Safari and Firefox on my mac (im using it right now, but firefox does the same on my windows lappy and box)...
if your login/password information is stored on your computer, is that a potential security risk? if someone were to hack into my box and find wherever that information is saved, would it do them any good? (would they be able to see it)
i did a forum search and apologize if this has been posted / explained before
January 1st, 2005, 04:06 AM
Not sure of the answer on the first question, but I'm sure someone will be able to answer.
As for the second.. yes, saved passwords can be retrieved and used if someone has access to your PC. If you're paranoid enough, you shouldn't save anything you don't want other people knowing, but I'd be more paranoid about keyloggers or trojans or something retrieving passwords compared to someone cracking my IDS and firewalls then cracking my browsers saved-info.
Hope that helps.
Edit: I didn't find much on the security or encryption of the Firefox password manager, but this is what I did find on the Mozilla site:
Firefox stores passwords with this metadata:
domain usernamefield passwordfield username password
Then uses the usernamefield/passwordfield values as hints to find the appropriate <input> elements within a webpage by matching them to the "name" attribute.
Unfortunately this means that when a website redesigns and changes the un/pw field names, the effect on the end user is that the password is "forgotten".
As a backup, when usernamefield/passwordfield fail to match, Password Manager should attempt to discover the password field manually, using a technique similar to what Camino uses.
This is needed for another reason - passwords stored by other browsers such as Camino and Safari are stored in the KeyChain WITHOUT username/password field hints - so un/pw field discovery must be manual.
Edit2: This should answer your first question
Copied from here.
This is better than storing your passwords within Microsoft's Internet Explorer browser (whose password encryption was cracked long ago) or the Mozilla Foundation's Firefox (which stores passwords in an ordinary file unless you set up a "master password").
There ya go.
January 1st, 2005, 04:40 AM
thanks so much :-)
good to see im not the only one spending new years eve on AO hehee ;-)
January 1st, 2005, 04:44 AM
Friends' having a party outside, but I'm not going out until they need me.
(Major pyromaniac here, tonight we're gunna blow stuff up.. wewtness!)
But until then, I'm trying to find a way to write a boot/restore disk for Windows from inside Helix Linux GUI.
January 1st, 2005, 10:38 AM
i did found a bug in firefox 0.9.3 once, in the latest one, the bug is solved but the passwords still are stored in the same way. read this thread for more info.
January 1st, 2005, 05:48 PM
There is a CHEESY way to use Multi-Factor Authentication on a budget...
This is a bit off topic, but is definitely related/relevant, because the method below is EXACTLY how I handle password storage and retrieval for all of the websites I have logins for.
1. Password Safe.
- The official version is Win32 only (legacy version for WinCE), but as noted there are several related projects using the same DB type, etc. for linux and other OS platforms.
2. Portable storage device.
- I suggest a USB flash device...they are quite cheap these days, and MOST systems support them
- You can also use a floppy diskette, but that is so 20th Century.
3. Ridiculously strong password that you have memorized.
1. Turn off the options, clear the cache, etc. for all stored passwords in Firefox, InternetExploder, Opera, Safari, etc.
*Note* - It's probably a good idea to know what all of these are, first.
2. Download the installer for Password Safe and save it to USB storage device (substitute old crappy floppy disk if you still live in the previous century)
3. Install Password Safe and use it as intended. Make sure you save the data file to your USB storage device, and use your Ridiculously strong password to protect the data file.
Yes, this is actually just a post promoting Password Safe as a means of storing (and generating! it makes strong passwords nicely) credentials in an encrypted file...but you have to have the USB storage device with you to use the passwords. And you have to know the Ridiculously strong password to read the contents of the file. Thus, you must HAVE the USB device and you must KNOW the Ridiculously strong password. This is, as any CISSP student will tell you, Multi-Factor (two factor) Authentication. Well, not really...it sort of is, but it's the bastardized application of the process from the user side.
Semantics aside, it helps you keep the credentials for a whole boat load of web sites and applications handy, without having to use P455wUrd for all of them.
Full blown implementation of encrypted password storage Tutorial coming soon.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore