26 Comments

  • So you leave your computer unlocked then?

  • Just lock your computer. Also, use a hashing algorithm to generate a separate password per web site - like the one I keep on my home page: www.dymitruk.com

  • Good point Roy. But if someone's already on your machine in an enterprise environment then they've almost certainly got access to your password (or you were foolish enough to leave it unlocked) - in which case they could do almost anything under your identity anyway.

  • FYI - If you really want to get freaked out about this, even if you choose to use a master password in Firefox, all it takes is someone to come by and install Google Chrome on your PC and import all the settings from Firefox. When Chrome imports the settings from Firefox, it imports all the passwords too.... which they can then use to view the passwords. Creepy right? Well it gets worse... you can do the same thing to Safari passwords by installing Firefox... just import the settings from Safari and abracadabra, you can view them in Firefox! So none of them are safe when using this method...

    The best option to use for any browser is the most annoying: Don't save the passwords.

    (NOTE: This was true about a few months ago when I was doing some testing for IT on this specific feature between browsers so I'm assuming it is still true which I have no reason to believe any differently but I could be wrong)

  • Patient: Doctor, doctor, it hurts when I stick my finger in my eye. What should I do?

    Doctor: Well, don't stick your finger in your eye.

    ...

    Use whatever browser you want, just don't use saved passwords.

  • I almost can't believe this coming from you, reasons have been explained already in the comments

  • Don't save your passwords bozo. Better yet, maybe you should just leave the computer turned off.

  • you gotta be kidding me...

    maybe you *should* be using safari.. lol..

  • As others have said, don't save your passwords. Auto-saving of passwords is the first feature I turn off in any browser.

  • Surely your documents are there for anyone to see too?

    And your pictures!

    Quick, uninstall Windows!

  • Just don't store them in the browser :) I lock my system even at home. It is just so normal to lock when I stand up. If you are worried about a master password then make sure that the files in which the passwords are stored are encrypted in NTFS. This way, if an administrator changes your password, he cannot decrypt that file.

    Your 'master' password should be your local desktop password. I really hate it when applications have their own password scheme implemented.

  • Why don't you simply tell your browser not to remember passwords... and remember them yourself?

  • And there the trolls came...

  • he...

    You're joking right? If you're worried about an unlocked shared PC - don't store passwords there.

  • If someone has physical access to your machine, I think you should have more to worry about than being able to read your website passwords thru your browser of choice...

  • Such a statement is acceptable from an average computer user, but coming from a software professional and posted in a blog which is supposedly visited explicitly by other professionals?
    Naah, you have to be joking ;-)

  • Like most of the visitors commented.. Why in this world you would leave your session open for anyone? Just lock it, it's easy. Between IE 7 is not bad in terms of security and it's even faster than its previous versions.

  • Rule #1: never let browsers store your passwords. Being a web-savvy person, you should know better. Enough said... :-)

  • I think the language in your post is a little over the top...a little alarmist. The risks you document are real but they require access to your machine via other means. This is not an internet-based exploit of any kind.

  • ....seriously? what sort of buffoonery is this? Who doesn't lock their computer? Who saves passwords on a public computer?



  • Who saves their passwords in any file on their computer?

  • What are all the trolls blabbering about? It's true that it is easy to extract a saved password from a form using JavaScript, for example, but what Chrome does is hand you over a list of all the websites where I use a saved password, and the password itself.

    Like Roy, I DO want to use saved passwords, but I don't want it to be a click away from anyone.

    He is right. Bad Chrome!

  • A probably good way is to use the fingerprint software to handle the passwords.

  • 'leaving your computer unlocked is a security risk' :)

  • Roy,
    Why not use a password manager like RoboForm or 1Password? They're integrated in the browser and your passwords are encrypted on disk. More importantly you can use the browser you like the most.

    I have to disagree with people who think you should remember all your passwords. Often those people have the same password on each site and register with the same email - how safe is that? For most sites I generate impossible passwords and back them up encrypted.

  • Roy, I think the feature's purpose is to make it easier to enter to "not so important" web sites (such as news, maps, intranet sites, weblogs.asp.net :-), etc.) where the worst thing a "criminal" can do is write a comment on your behalf, upgrade your vmware player version, download a bike trek to his gps device, etc. I am sure (and hope) that you do not use this feature to save your paypal's password or your bank account's, otherwise no super master password will prevent the potential thief from buying a nice 50'' LCD if you leave your PC unlocked.
    I think that Google should add a message that says, "saving important passwords can ruin your life..." or something. At least for me this feature saves a lot of time.
