Unit Testing, Agile Development, Leadership & .NET - By Roy Osherove
So you leave your computer unlocked then?
Just lock your computer. Also, use a hashing algorithm to generate a separate password per web site - like the one I keep on my home page: www.dymitruk.com
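One way to do what this comment suggests, deriving a distinct password for every site from a single master passphrase, shown here as an added example (it is not the tool the commenter keeps on dymitruk.com, and the iteration count, output length and host-normalization rule are assumptions). The site name is used as the salt for PBKDF2-HMAC-SHA256, so the derived passwords are one-way: a leak of one site's password reveals neither the master passphrase nor any other site's password.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Assumed parameters for this illustration, not values from the page.
PBKDF2_ITERATIONS = 200_000   # slows offline guessing of a weak master passphrase
PASSWORD_LENGTH = 20          # characters of derived password handed to the site


def normalize_site(site: str) -> str:
    """Reduce a URL or host to one canonical host name, so that
    'https://www.Example.com/login' and 'example.com' derive the same password.
    (Normalization rule is an assumption; real tools may differ.)"""
    host = urlsplit(site if "://" in site else "//" + site).hostname or site
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_site_password(master: str, site: str, counter: int = 1) -> str:
    """Derive a per-site password from the master passphrase.

    The normalized site name plus a rotation counter is the PBKDF2 salt; bumping
    the counter changes one site's password without touching the master."""
    salt = f"{normalize_site(site)}:{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              PBKDF2_ITERATIONS, dklen=32)
    # base64 yields letters, digits, '+' and '/', which most sites accept.
    return base64.b64encode(raw).decode()[:PASSWORD_LENGTH]


if __name__ == "__main__":
    # Constructed demo input: a throwaway master passphrase and two sites.
    master = "constructed-demo-passphrase"
    for site in ("https://www.Example.com/login", "example.com", "mail.other.test"):
        print(f"{normalize_site(site):20} -> {derive_site_password(master, site)}")
```

The derived string is what you type where the browser would otherwise autofill, so nothing is stored on disk at all; the trade-off is that everything rests on the master passphrase, which is why the iteration count is kept high, and why a site that forces a password change needs the counter rather than a new master.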
Good point Roy. But if someone's already on your machine in an enterprise environment then they've almost certainly got access to your password (or you were foolish enough to leave it unlocked) - in which case they could do almost anything under your identity anyway.
FYI - If you really want to get freaked out about this, even if you choose to use a master password in Firefox, all it takes is someone to come by and install Google Chrome on your PC and import all the settings from Firefox. When Chrome imports the settings from Firefox, it imports all the passwords too.... which they can then use to view the passwords. Creepy right? Well it gets worse... you can do the same thing to Safari passwords by installing Firefox... just import the settings from Safari and abracadabra, you can view them in Firefox! So none of them are safe when using this method...
The best option to use for any browser is the most annoying: Don't save the passwords.
(NOTE: This was true about a few months ago when I was doing some testing for IT on this specific feature between browsers so I'm assuming it is still true which I have no reason to believe any differently but I could be wrong)
Patient: Doctor, doctor, it hurts when I stick my finger in my eye. What should I do?
Doctor: Well, don't stick your finger in your eye.
...
Use whatever browser you want, just don't use saved passwords.
Pingback from Twitter Trackbacks for Why Google Chrome and FireFox are a big security risk for anyone using them - ISerializable - Roy Osherove's [asp.net] on Topsy.com
Passwords are stored using Windows DPAPI. This means that they are encrypted using a key derived from the login password. We don't actually know what that key is - DPAPI is a service provided by the OS where you just hand it data, and it hands you back encrypted data. So they are protected on disk. As far as not allowing users to view the password - You can do this in Firefox, and many people have said that this is a valuable feature for them. Not to mention that if someone is sitting at your computer, they could easily extract the saved password a number of other ways, including by browsing to the page for which the password is saved (and then injecting some javascript in there to show the auto-filled password). As such, taking away this feature really provides no extra security (except by obscurity), and takes away a feature many people have reported as being useful.
Why not get a proper browser, like Opera...
In-fact, why not just get Opera. It's the best browser there is :)
Better than that safari crap.
I almost can't believe this coming from you, reasons have been explained already in the comments
Don't save your passwords bozo. Better yet, maybe you should just leave the computer turned off.
you gotta be kidding me...
maybe you *should* be using safari.. lol..
As others have said, don't save your passwords. Auto-saving of passwords is the first feature I turn off in any browser.
Surely your documents are there for anyone to see too?
And your pictures!
Quick, uninstall Windows!
Just don't store them in the browser :) I lock my system even at home. It is just so normal to lock when I stand up. If you are worried about a master password then make sure that the files in which the passwords are stored are encrypted in NTFS. This way, if an administrator changes your password he cannot decrypt that file.
Your 'master' password should be your local desktop password. I really hate it when applications have their own password scheme implemented.
Why don't you simply tell your browser not to remember passwords... and remember them yourself?
And there the trolls came...
he...
You're joking right? If you're worried about an unlocked shared PC - don't store passwords there.
I won't go that far to say Firefox is not secure because the Master password protection is not enabled by default! It takes you just a few clicks to turn it ON!
In the case of Chrome, I do agree. That's why I use Ti-Took (titook.net). It's based on Google Chrome. It comes with built-in online bookmark and many more features. Browsing activities are private by default.
If someone has physical access to your machine, I think you should have more to worry about than being able to read your website passwords thru your browser of choice...
Such a statement is acceptable from an average computer user, but coming from a software professional and posted in a blog which is supposedly visited explicitly by other professionals?
Naah, you have to be joking ;-)
Like most of the visitors commented.. Why in this world would you leave your session open for anyone? Just lock it, it's easy. Between IE 7 is not bad in terms of security and it's even faster than its previous versions.
Rule #1: never let browsers store your passwords. Being a web-savvy person, you should know better. Enough said... :-)
I think the language in your post is a little over the top...a little alarmist. The risks you document are real but they require access to your machine via other means. This is not an internet-based exploit of any kind.
....seriously? what sort of buffoonery is this? Who doesn't lock their computer? Who saves passwords on a public computer?
Who saves their passwords in any file on their computer?
What are all the trolls blabbering about? It's true that it is easy to extract a saved password from a form using javascript, for example, but what Chrome does is hand you over a list of all the websites where I use a saved password, and the password itself.
Like Roy, I DO want to use saved passwords, but I don't want it to be a click away from anyone.
He is right. Bad Chrome!
I don't personally think that it's a security flaw, so much as it is a feature [people forgetting their passwords]. The people that care about that sort of thing, shouldn't be saving their passwords in the web browser anyway. However, I do agree that Google should add in a master password and let users KNOW that their passwords are accessible.
That being said.. I would suggest using KeePass Password Safe. Excellent .NET application.. and [obviously] much more secure than FF/Google!.. and now you don't have to worry about the issue at all :)
- Matthew
Twitter: www.twitter.com/csharpbydesign
Blog: http://www.csharpbydesign.com
A probably good way is to use the fingerprint software to handle the passwords.
'leaving your computer unlocked is a security risk' :)
It's a very very weak reason against Firefox. Whoever gets physical access to your computer can easily break anything you stored inside or have access to. It's not just Firefox - this is an idea of physical access - your computer just stands naked :) So - you already, I hope, read all suggestions in comments. For a so-strange-thoughts-about-security person like you I suggest: Do not store your passwords in Firefox (or any other program), clear history regularly and 'lock' your computer when you leave. Let's start with the basics...
Found here a little utility that does the same for IE... so I guess IE should be added to the list... did not check it but looks like it does the job...
www.nirsoft.net/.../internet_explorer_password.html
By the way thanks for the information as it helped me to remember a password... LOL
- Guy
Roy,
Why not use a password manager like RoboForm or 1Password? They're integrated in the browser and your passwords are encrypted on disk. More importantly you can use the browser you like the most.
I have to disagree with people who think you should remember all your passwords. Often those people have the same password on each site and register with the same email - how safe is that? For most sites I generate impossible passwords and back them up encrypted.
Roy, I think the feature's purpose is to make it easier to enter "not so important" web sites (such as news, maps, intranet sites, weblogs.asp.net :-), etc.) where the worst thing a "criminal" can do is write a comment on your behalf, upgrade your vmware player version, download a bike trek to his gps device, etc. I am sure (and hope) that you do not use this feature to save your paypal's password or your bank account's, otherwise no super master password will prevent the potential thief from buying a nice 50'' LCD if you leave your PC unlocked.
I think that google should add a message that says, "saving important passwords can ruin your life..." or something. At least for me this feature saves a lot of time.