Holes Remain Open in Firefox Password Manager

juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"

stupid features

[D+iz+a+n+k+Meister]

I think people really need to have their head examined when it comes to certain features.

Don't want to remember all your passwords? Don't use sites that require passwords.

Do you trust the your real life keys to be managed by a third party, then wonder how someone broke in your house without forced entry?

Having something "remember" your passwords defeats the purpose of having passwords.

Possible fix

[Arthur B.]

Do not use a pull model but a push model like the bugmenot extension. A right click in the login form would allow you to automatically enter saved information. It's much safer.

Re:It's evolution baby

[janrinok]

The article and TFS tell me that using NoScript (which I do) means that many Web2 sites no longer function properly. I cannot say that I have ever noticed this - has anybody? Perhaps it only affects the sort of web page that I would not wish to visit...?

password complexity

[farker haiku]

I used to think (back in my tech support days) that people who couldn't remember their password were just plain stupid. These days, I work in a large firm that has tons of different passwords for everything. Unix passwords, windows passwords, spam mail setting utility password, time tracking utilities have passwords, passwords are required for clearcase/clearquest, remote login, etc. Each of them has different password complexity rules. I no longer criticize people for forgetting their password.

Firefox password manager

[wile_e_wonka]

The thing that scared me away from the password manager in Firefox was a program called System Info for Windows [gtopala.com]. It lists all sorts of things about your computer--click on "Secrets." It searches for passwords in several programs--I have a few passwords saved in FF and the vast majority in Opera. I saw both programs mentioned in its analysis (meaning it searched both FF and Opera for saved passwords). It listed every saved FF password but no Opera passwords.

It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.

Re:Clarification

[Opportunist]

That's exactly the problem with Web2.0, that NoScript would probably not cut it.

Take MySpace. How do you want to handle it? Whitelist MySpace as a whole? Then you got no security. Whitelist certain user pages? Then someone who browses userpages has essentially the equivalent of having JS turned off and gets bugged every 2 seconds. And the potential problem that someone might generate content you want to see and bug it.

The problem is not that certain domains are "evil". Ok, that problem exists, too, but it's a very different problem. The problem is that it's now possible to put malicious script code into user generated content, and that other content on the same server and domain is what people want to see.

Master Password?

[Anonymous Coward]

I wonder why they didn't mention the "Master Password" feature of the password manager. Every time the password manager activates, it prompts you to type in a single master password. This should be effective in preventing any password harvesting, save for any other bugs that the manager might have.

Re:Lies, damned lies

[FLEB]

It's not even really a browser security issue. Okay, I suppose there could be user-interaction requirements so the form-filler doesn't *automatically* autofill on page load, but the real issue is site-owners who ignore the basic principles of site security and password handling, and open their users up to simple exploits.

The central concept in much of web-client security assumes that a domain is a single entity, and if you trust the domain, you trust the domain entirely. I don't see fault in this assumption-- a line has to be drawn somewhere as to what "one entity" is, and to split it much further would lead to unnecessary hoops and inconveniences. Back in the NetSol-monopoly days before cheap domain names, this point may have been debatable, but at that time there was far less personal information getting passed around by clients, as well.

Nowadays, anyone who is running a service with open access and open-ended "userpages" should be taking the bare-minimum step of sub-domaining their users' pages, and sub-domaining their own login forms as well. It costs nothing, it's more convenient for users, and it sandboxes everyone from each others' potential hack-attacks. If an exploit that gets around that, then people can talk, as that'd be a legitimate XSS or trojan/spoofing exploit. This stuff, though, is pinning exploits borne of shoddy web-side security onto the client developers.

Re:Thank goodness...

[sci50514]

I travel widely. If your luggage is randomly selected by US custom for inspection, they will force open your luggage if they can't open it using the default 0000 password. Good luck when it hits you. I got my luggage damage a few years ago and a letter stating Homeland Security is not liable for any damage. Now I never set password on my luggage. There is nothing expensive inside any way.

Re:Possible fix

[m0RpHeus]

Do not use a pull model but a push model That's exactly how Opera's password manager works. You need to click on the Wand button to enter the user name and password on the form fields. And FYI, the security hole does not affect Opera.

My Solution

[fast turtle]

While I do use the PW Manager in Firefox, I have never allowed it to retain any critical pw's with those defined as any site where I enter financial or shipping information. For those sites, I use a dedicated PW Manager that allows me to generate more secure passwords using all available characters including special characters.

In the rare case that a website does not accept/allow special characters to be used for passwords, I tend to re-evaluate their value to me. I also notify both the webmaster and customer service that they've reduced the value of their business to me by not accepting secure passwords and that I will no longer deal with them except by a cash-n-carry basis. A few of them have responded positively and after some effort have increased their password security by allowing special characters and thus they've gained an increased level of business from me along with the positive word of mouth advertising to my friends and associates.

Do not use password managers

[Monsieur_F]

the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.

I rarely use a password manager, because I do not really trust them but also because, just as when using cookies to stay logged on a site, you just do not have to remember your password. This means that when you occasionnally want to log from another computer, for some urgent matter, you cannot find what your password was!

On the other hand, I generally use the same simplistic password on many sites just because there is no critical information on them. On some game sites, the most important information may be my real name and address if there is some incentive for this (read: prizes to win).

Strangely, one really critical site (my banking account) uses a not-so-hard password (6 digits), but this is constrained by the bank itself.

Re:Thank goodness...

[SatanicPuppy]

On a related note, they announced today that they were going to stop banning lighters [washingtonpost.com]. Not that the shoe bomber guy used a lighter (he used matches which have never been banned), but still. Semtex is a plastic explosive, and not readily flammable. It used to be really popular with the terrorists, but they've taken steps to make it much more easily detectable.

The TSA guy was quoted in the article saying that "Taking lighters away is security theater." Nice to see someone in charge gets it, and, even more choice, in getting it, quotes Bruce Schneier's catch phrase.

Use a different password for each site

[Yahma]

Using a different password for each site is the ultimate in security; however, without a password manager of some sort, it becomes too difficult to manage such a large list of passwords. Thankfully, OSS password managers such as Revelation [codepoet.no] and Figaro Password Manager [sourceforge.net] exist! Personally, I use revelation; however, both are excellent pieces of software!

--
Yahma
BlastProxy [blastproxy.com] - Anonymous & Secure web browsing
ProxyStorm [proxystorm.com] - Anonymous & Secure web browsing
LiarLiar [sf.net] - Open Source Voice Stress Analysis & Lie Detection Software

Re:Firefox no longer safe?

[CastrTroy]

Oh, I'm not saying that there isn't a problem with the password manager. What I am saying, is that if there wasn't a password manager, sites that allow users to post arbitrary javascript on the site would still have problems with users passwords being stolen. So, while the password manager probably needs to be fixed, the sites that allow users to post javascript are an even bigger threat, as they allow passwords to be stolen, as well as many other exploits.