Slashdot Log In
Safari and Chrome: Tied For the Worst Password Manager
Posted by
CmdrTaco
on Mon Dec 15, 2008 09:35 AM
from the remember-this dept.
from the remember-this dept.
Startled Hippo writes "Safari and Chrome are tied for the worst password manager built into a major Web browser, according to a new study on the issue produced by Chapin Information Services. One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site. The bug has been fixed in Firefox, but Chrome and Safari are still vulnerable to this kind of attack."
Related Stories
Submission: Safari and Chrome: tied for the worst password man by Anonymous Coward
[+]
Technology: Google Releases Web Security Book 49 comments
northern squirrel writes "As reported by Security Focus, Google had publicly released their 50-page Browser Security Handbook (under a CC BY license, too). To quote, the document is 'meant to provide developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers,' and features a comparison of security features in Internet Explorer, Firefox, Opera, Safari, and — you guessed it — Chrome. Is it a belated Christmas gift to web developers, or just a reaction to recent bad publicity?"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
users can be tricked too... (Score:5, Funny)
http://www.bash.org/?244321
I should get out more often... (Score:5, Funny)
http://www.bash.org/?244321
I don't need to go there. I know the answer is "hunter2" (if you're the guy, I just copy-pasted the ***s from bash.org, that's why it shows up as hunter2 on your screen).
Is that a sign I should get out more often? ;)
Parent
Re:users can be tricked too... (Score:4, Funny)
Parent
Aha! (Score:5, Funny)
Re:Aha! (Score:5, Funny)
Parent
Re:Aha! (Score:5, Funny)
"exactly the same" is a bit strange for a password, isn't it?
Parent
Re:Aha! (Score:5, Funny)
"exactly the same" is a bit strange for a password, isn't it?
No it's perfect. If you get torchered you'll be screaming that all your passwords are extactly the same and your captors will be clueless as to why they can't break you.
Parent
Re: (Score:3, Funny)
Some years ago we used to have a stand-alone machine for testing using a local account. As most members of the team needed to be able to log on to it now and then I came up with "just leave it empty" as a password. Whenever someone forgot and had to ask for it, we simply would yell across the floor : that password ? Just leave it empty ! Those who 'knew' remembered then and were able to log in. Others who had overheard it and wanted to use our mega-powerful-machine tried logging in using a blank password, b
Re: (Score:3, Insightful)
I was very confused, for a moment, as to why someone who was lit on fire would be screaming their passwords.
It's a perfectly cromulant method of torture.
Re: (Score:3, Funny)
Confess! Or I'll shine this Maglite in your face again!
Re: (Score:3, Informative)
Re:Aha! (Score:4, Funny)
I thought it was because you make love with a lever and a planetary body (insert joke here).
Parent
Re: (Score:3, Informative)
That's a quotation by Archimedes [wikipedia.org]: "Give me a place to stand and with a lever I will move the whole world."
I Use A Mac... (Score:5, Funny)
...So I'm safe, right? ;-)
Re:I Use A Mac... (Score:5, Informative)
macs do get credit for putting the passwords where they belong: in a centralized password keychain. Firefox rolls it's own separate password manager. At various time firefox's keychain has been found to be insecure and it's separate from your other keychains. There's no simple keychain brownser interface like the centralized keychain protection system safari uses.
If you want to encrypt or hide or transport all your passwords it's easy in safari but hard in firefox since how it's done changes.
Parent
Re:I Use A Mac... (Score:5, Interesting)
Isn't it time Firefox supported the Mac Keychain [mozilla.org]? :-/
Parent
Re: (Score:3, Funny)
Isn't it time Firefox supported the Mac Keychain? :-/
It'll happen pretty quickly once Opera supports it! :D
Re:I Use A Mac... (Score:4, Informative)
Windows is an ambiguous case. As best I understand it, MS decided not to implement a flexible system for centralized storage of third party passwords because they wanted everybody to use their
Parent
Re:I Use A Mac... (Score:4, Informative)
In real life, near all OS X native browsers and even commercial password manager 1Password uses keychain. On Gnome and KDE, only their own default browsers use their subsystems.
Apple made it somehow easy to integrate with keychain no matter how your application is coded in whatever language. Even AppleScript/OSAScript "Apps" use Keychain very effectively.
Firefox and Opera doesn't use it because they don't feel like it, that is all. I mean, that is why both browsers can't be "tried" on a up and running OS X since nobody would bother to type in 200 passwords while they got them recorded elsewhere and perfectly used by Omniweb etc.
Parent
Missing department (Score:4, Insightful)
Why focus on Chrome? (Score:5, Insightful)
To be honest, when the best browser is only scoring 7/21 they *all* need some work. Focusing on Chrome just means you're ignoring the bigger picture.
Re:Why focus on Chrome? (Score:5, Insightful)
Parent
Re:Why focus on Chrome? (Score:5, Funny)
Parent
Never use password managers (Score:5, Interesting)
Even if they aren't in clear text the downside to using a password manager is everyone's passwords will be in the same place and in the same format. It's easy pickings.
Re:Never use password managers (Score:5, Insightful)
It depends on the account type.
Yeah, don't let the browser store your bank and e-mail passwords.
But your /. account, where logins are done in plaintext rather than https? Go for it. As soon as you log in wirelessly you have broadcasted your password to the world anyway. The password manager is not the weak link here.
Plus, you know, it's only your /. account, not your life savings. The consequences for losing the password are small, so shifting the trade-off towards convenience will be more reasonable.
Parent
Re: (Score:3, Insightful)
Think:
* Libel
* "Possessing information of use to a terrorist organisation"
* "Inciting racial hatred"
Not sure about US laws, but you can't say whatever you like in the UK...
Of course the same goes for newpaper sites that let people leave comments etc.
Re:Never use password managers (Score:4, Interesting)
In a desk drawer but fastened to the underside of the desk surface. Very clever.
Parent
Re: (Score:3, Informative)
And if you leave that lying around I think you should be more worried about card numbers being pinched.
Re:Never use password managers (Score:5, Funny)
I often leave notes for desk-Nazi's like you: "e@t_a_d1ck" or "Stop looking under my keyboard, asshole"
Parent
Re:Never use password managers (Score:4, Insightful)
Don't put your password on your windows computer, or on your windows computer. Both are easy pickings.
Parent
Before someone asks (Score:5, Informative)
"How can this be exploited" when some subtree memeber of a domain can read credentials that should only be given to the top level member, read http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug [linuxjournal.com].
To save the others the hassle, allow me to sketch something. It's trivial to get the domain a000001.amazon.com under your control. It is, believe me, if you don't, just read it up. Well, maybe not exactly a0000001... but something to the quality of $foo.amazon.com can easily be made to point back to a webpage you control.
Next, create a page for the internets most sought after resource: pr0n. Do like the missionaries, spread the word, unlike them you have ICQ and spam at your disposal to get people to visit your page. On this page, refer to $foo.amazon.com
Then have $foo.amazon.com ask for the credentials.
It's not so much that the threat of hijacking a "real" domain name (i.e. amazon.com itself) is too big after a few ISPs toughened their DNS lookups when the patches didn't come quickly. Few ISPs are left that are actually vulnerable to having their caches completely rewritten. Subdomains can still be hijacked (even after the half-assed patch we got lately), and in combination with browsers that send credentials to whatever subdomain, it's a serious security problem.
Is this really worth noting? (Score:5, Insightful)
Who??
Seriously, this looks like a typical "storm in a teacup to get people to take me seriously as a security researcher" notification.
Who here really lets any password manager save any password they care about? I have Opera save details for systems that don't matter, everything else I just remember.
Check out the website for more information about this astounding company.
Re: (Score:2)
I thought *everyone* knew who Chapin Information Services was - you must be really out of the loop.
Re:Is this really worth noting? (Score:5, Insightful)
I do. And I bet at least one other person does.
Parent
Re:Is this really worth noting? (Score:5, Funny)
Parent
Re:Is this really worth noting? (Score:4, Funny)
Really? Not even the people who wrote your web browser?
Parent
My password manager is in my wallet (Score:3, Insightful)
I don't do commerce online, so the only passwords I need are two email accounts, slashdot, and half a dozen idiot-run newspapers. I use the same password for all the idiot newspapers: 111111. That password is for their page counts and advertising and has nothing whatever to do with my own security, I have no reason to worry about them. And I never forget my password. If somebody logs on to the Chicago Tribune using my password, why should I care? Requiring a password to read a newspaper is stupid.
Email and slashdot, of course, are a horse of a different color.
Safari and Chrome are the last two browsers I would expect (well second last) to have this sort of problems.
Re:My password manager is in my wallet (Score:5, Insightful)
Idiot-run newspapers are why bugmenot [bugmenot.com] was invented.
Parent
don't save passwords (Score:5, Insightful)
Putting passwords in your web browser isn't just like hiding your house keys under the doormat, it's like taping the keys of your house to the front door.
I don't keep full passwords on paper, nor do I use one of those password vault devices. Using truly random characters just means I have to write it down in full somewhere. I do have a text file that gives me *just* enough info that my mind can recall the password. For example, I might write "B`" and I recall that means "b1ZZare`" or I might use "W.P" to remember "To1.st0y". I know the rules I use to spell or punctuate words. I use different sorts of passwords for different tiers of security, from web forum, web merchant, web banking, private data, estate data, etc.
Why? (Score:5, Insightful)
I never understood the appeal of password managers. And they tend to be obnoxious, getting in your face until you disable them.
If I have a high security password, I'm not going to want to store it in a browser for two reasons: 1) Someone else with physical accesse to my machine, has access to my stuff; 2) If I don't ever have to type my password, I'll often forget it.
For lower-security passwords, I, like many, simply use the same one that's easy to remember, and used for all those stupid forums and other lightweight places that make you register.
I've just never seen the need... It's definitely one of the most hyped up features that seems to have zero utility to me.
Storing passwords is dumb (Score:5, Insightful)
I've always thought storing passwords in your computer is dumb. (1) It makes it extremely easy for people to steal your PC or laptop and get into your sites. (2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were. (3) I think the safest place to store them is in your head.
MAJOR browser? (Score:5, Insightful)
How exactly is Chrome (which is backed by a major company) a major browser?
Different passwords in different areas? (Score:4, Informative)
And that's a "trick" because...? Surely there are times when you want to have different passwords in different areas. I've got basic HTTP authentication on an admin area of one of my sites. From there I've then got a number of tools, at least one of which requires a separate login. There's situations like that where you want different passwords for different areas.
What annoys me with password managers at the moment is Firefox filling in too many passwords! If you record a password for one set of login forms and then go to any other page on the same domain with a password box with a text box just above it then Firefox blindly guesses that they're a login box (even if they're called "foo" and "bar" when you recorded the details for the fields "username" and "password"). That can really start to cock up some of your settings in things like phpBB's admin control panel if you don't notice what it has auto-filled.
All Password mangers suck (Score:3, Insightful)
Perfectly secure (Score:3, Funny)
I find Safari's password manager perfectly sec^H^HONLINE MEDS, CHEAP V1AGRA, NO PRESCRIPT1ON REQUIRED
Wordpress dashboard shows this flaw (Score:3, Interesting)
Re: (Score:2, Offtopic)
I can password back as fast as you can! I can password back as fast as you can!
Re: (Score:3, Insightful)
So Opera can't be better than Firefox or any other browser on certain aspect for what reason?
You should see my BS meter when I see someone at /. bitches about Opera and I am not a Opera Desktop user, I use Safari with 1Password and I don't really know 99% of my passwords at all.
Re:Please! (Score:4, Informative)
Clear your saved passwords *for their site*:
Part 1: Delete all saved passwords for www.info-svc.com
Parent
Re: (Score:3, Insightful)
That's one solution. I began looking into seperate password managers a year or two ago. The two solutions I found looked the best, at the time, were KeePass [keepass.info], and Bruce Schneier's Password Safe [schneier.com].
Ultimately, though, I decided against either one. The problem with using something like that is that, now, I don't actually know the passwords for all of my accounts. If something goes wrong, or I just don't have access to the safe (like maybe I am away from home and forgot to bring my USB key along, or I'm using a co