Holes Remain Open in Firefox Password Manager
juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"
stupid features (Score:1, Interesting)
Don't want to remember all your passwords? Don't use sites that require passwords.
Do you trust your real-life keys to be managed by a third party, then wonder how someone broke into your house without forced entry?
Having something "remember" your passwords defeats the purpose of having passwords.
Possible fix (Score:5, Interesting)
Re:It's evolution baby (Score:3, Interesting)
password complexity (Score:5, Interesting)
Firefox password manager (Score:5, Interesting)
It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.
Re:Clarification (Score:4, Interesting)
Take MySpace. How do you want to handle it? Whitelist MySpace as a whole? Then you have no security. Whitelist certain user pages? Then someone who browses user pages has essentially the equivalent of having JS turned off and gets bugged every 2 seconds. And there is the potential problem that someone might generate content you want to see and bug it.
The problem is not that certain domains are "evil". Ok, that problem exists, too, but it's a very different problem. The problem is that it's now possible to put malicious script code into user generated content, and that other content on the same server and domain is what people want to see.
Master Password? (Score:1, Interesting)
Re:Lies, damned lies (Score:3, Interesting)
The central concept in much of web-client security assumes that a domain is a single entity, and if you trust the domain, you trust the domain entirely. I don't see fault in this assumption: a line has to be drawn somewhere as to what "one entity" is, and to split it much further would lead to unnecessary hoops and inconveniences. Back in the NetSol-monopoly days before cheap domain names, this point may have been debatable, but at that time there was far less personal information getting passed around by clients, as well.
Nowadays, anyone who is running a service with open access and open-ended "userpages" should be taking the bare-minimum step of sub-domaining their users' pages, and sub-domaining their own login forms as well. It costs nothing, it's more convenient for users, and it sandboxes everyone from each other's potential hack-attacks. If an exploit gets around that, then people can talk, as that'd be a legitimate XSS or trojan/spoofing exploit. This stuff, though, is pinning exploits borne of shoddy web-side security onto the client developers.
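The summary's risk (user-authored script on the same domain as the login form) and the sub-domaining fix proposed in the comment above both come down to how a password manager scopes a saved credential. The following is an added example, not code from heise, Mozilla or any browser: a minimal origin-scoped autofill policy in JavaScript that compares the page origin and the form's submit target against the origin the credential was saved on, run over two constructed site layouts. All hostnames are constructed, and the policy itself is an assumed model, not any particular browser's implementation.

```javascript
// Added example (not from the article or any browser's code): a minimal
// origin-scoped autofill policy that models why per-user sub-domains
// sandbox user pages from each other. All hostnames are constructed.

// Reduce a URL to the triple browsers treat as an origin: scheme, host, port.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Fill a saved credential only when both the page's origin and the
// origin the form submits to match the origin the credential was saved on.
function shouldAutofill(saved, page) {
  const savedOrigin = originOf(saved.url);
  return originOf(page.url) === savedOrigin &&
         originOf(page.formAction) === savedOrigin;
}

// Layout 1 (constructed): user pages share the host with the login form.
const SAVED_SHARED = { url: 'https://www.example.net/login' };
const sharedHostUserPage = {
  url: 'https://www.example.net/users/mallory',   // another user's page
  formAction: 'https://www.example.net/login',    // points at the real login
};

// Layout 2 (constructed): each user gets a sub-domain; login has its own.
const SAVED_SPLIT = { url: 'https://login.example.net/' };
const subdomainUserPage = {
  url: 'https://mallory.users.example.net/',
  formAction: 'https://login.example.net/',
};

// Layout 2 variant: a page on the login host whose form submits elsewhere.
const redirectedForm = {
  url: 'https://login.example.net/help',
  formAction: 'https://mallory.users.example.net/collect',
};

// Evaluate both layouts; true means the manager would fill the credential.
function evaluateLayouts() {
  return {
    sharedHost: shouldAutofill(SAVED_SHARED, sharedHostUserPage), // true
    subdomains: shouldAutofill(SAVED_SPLIT, subdomainUserPage),   // false
    foreignAction: shouldAutofill(SAVED_SPLIT, redirectedForm),   // false
  };
}

console.log(evaluateLayouts());
```

Under the shared-host layout the policy cannot tell a user page from the site's own page, so the credential is filled wherever another user can place script; moving user content to per-user sub-domains makes the page origin differ from the saved origin, and checking the form's submit target as well covers a page on the login host whose form posts elsewhere.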
Re:Thank goodness... (Score:1, Interesting)
Re:Possible fix (Score:2, Interesting)
My Solution (Score:2, Interesting)
While I do use the PW Manager in Firefox, I have never allowed it to retain any critical pw's with those defined as any site where I enter financial or shipping information. For those sites, I use a dedicated PW Manager that allows me to generate more secure passwords using all available characters including special characters.
In the rare case that a website does not accept/allow special characters to be used for passwords, I tend to re-evaluate their value to me. I also notify both the webmaster and customer service that they've reduced the value of their business to me by not accepting secure passwords and that I will no longer deal with them except by a cash-n-carry basis. A few of them have responded positively and after some effort have increased their password security by allowing special characters and thus they've gained an increased level of business from me along with the positive word of mouth advertising to my friends and associates.
Do not use password managers (Score:3, Interesting)
I rarely use a password manager, because I do not really trust them but also because, just as when using cookies to stay logged on to a site, you just do not have to remember your password. This means that when you occasionally want to log in from another computer, for some urgent matter, you cannot find what your password was!
On the other hand, I generally use the same simplistic password on many sites just because there is no critical information on them. On some game sites, the most important information may be my real name and address if there is some incentive for this (read: prizes to win).
Strangely, one really critical site (my banking account) uses a not-so-hard password (6 digits), but this is constrained by the bank itself.
Re:Thank goodness... (Score:3, Interesting)
The TSA guy was quoted in the article saying that "Taking lighters away is security theater." Nice to see someone in charge gets it, and, even more choice, in getting it, quotes Bruce Schneier's catch phrase.
Use a different password for each site (Score:2, Interesting)
Using a different password for each site is the ultimate in security; however, without a password manager of some sort, it becomes too difficult to manage such a large list of passwords. Thankfully, OSS password managers such as Revelation [codepoet.no] and Figaro Password Manager [sourceforge.net] exist! Personally, I use revelation; however, both are excellent pieces of software!
--Yahma
BlastProxy [blastproxy.com] - Anonymous & Secure web browsing
ProxyStorm [proxystorm.com] - Anonymous & Secure web browsing
LiarLiar [sf.net] - Open Source Voice Stress Analysis & Lie Detection Software
Re:Firefox no longer safe? (Score:3, Interesting)