
Holes Remain Open in Firefox Password Manager

Posted by Zonk
from the batten-down-the-hatches dept.
juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"
  • by JamesD_UK (721413) on Friday July 20, 2007 @10:21AM (#19926559) Homepage
    That's it, I'm leaving the Internet. Forever.
    • by jimbug (1119529) on Friday July 20, 2007 @10:25AM (#19926609)
      can I have your karma?
    • by dvice_null (981029) on Friday July 20, 2007 @10:58AM (#19926981)
      It is not about the safety of Firefox. It is about the safety of websites that allow users to insert JavaScript code into their sites. It's like a bank which would allow anyone to step behind the desk and act as an employee of the bank.

      But they can only "steal" the passwords of that website. They can't steal all your passwords. So just remember to select different passwords for websites that might allow users to insert Javascript code on the site. So it doesn't matter that much if they manage to steal your passwords.

      Or use Noscript as suggested. Or simply don't use such websites, as they clearly don't think much about user's security.
      • by CastrTroy (595695) on Friday July 20, 2007 @11:33AM (#19927495) Homepage
        Which outlines the whole strength of having a password manager. You can have a different password for each website. Without a password manager, it's hard to do this because there are so many sites that require passwords. For my password management, I use passwordsafe [sourceforge.net], because it lets me manage all my passwords, not just ones for websites, and I can put it on a usb memory stick, and carry all my passwords with me.

        This brings up another thought. If the websites in question allow users to post javascript, and there happens to be a login section on that page, then couldn't the user posting the script add an onchange or onkeypress event to the username and password fields to capture the username and password, and then forward the information to their server by creating an img element, and having the username and password passed as GET variables appended to the URL of the img src, which is in fact just a php page that stores the username and password in a database. Seems to me that any site that allows people to post executable javascript is just asking for trouble.
        • by mhall119 (1035984)
          But that would at least require the user to enter their username and password before it can be stolen. I think the problem with Firefox and Safari is that they automatically populate those fields when the page loads, the user doesn't have a chance to _not_ enter that information.
          • Re: (Score:3, Interesting)

            by CastrTroy (595695)
            Oh, I'm not saying that there isn't a problem with the password manager. What I am saying, is that if there wasn't a password manager, sites that allow users to post arbitrary javascript on the site would still have problems with users passwords being stolen. So, while the password manager probably needs to be fixed, the sites that allow users to post javascript are an even bigger threat, as they allow passwords to be stolen, as well as many other exploits.
      • Re: (Score:3, Insightful)

        by EvanED (569694)
        Or simply don't use such websites, as they clearly don't think much about user's security.

        Because it's always clear what sites these are?
      • Re: (Score:2, Insightful)

        by Falstius (963333)

        So just remember to select different passwords for websites that might allow users to insert Javascript code on the site. So it doesn't matter that much if they manage to steal your passwords.

        I use the same crappy password on a whole bunch of sites. If someone steals it, they can deface my Facebook page, use my nick on IRC, post on Slashdot under my name. Who knows, it might get modded up for once. There are a limited number of nonguessable, easy to remember passwords in my life, I won't waste them on wikis, forums, and myspace.
        My bank, bills and credit card each have their own password and username however. As do my computer and email.

      • by l0b0 (803611)

        "It is not about safety of the Firefox. It is about safety of websites that allows users to insert Javascript code to their sites."

        Please. "It is not about safety of the Outlook. It is about safety of ISPs that allows users to insert code in their email."

      • by sjames (1099)

        Of course, if a website allows visitors to inject javascript, they can steal passwords even if they're not in password manager, just cause a page to come up that looks like the login page and most people will "log back in" using the fake form.

        For that matter, according to one study, just saying "Go to example.com and give me your password and I'll send you a candy bar!" will work fine.

  • Possible fix (Score:5, Interesting)

    by Arthur B. (806360) on Friday July 20, 2007 @10:25AM (#19926607)
    Do not use a pull model but a push model like the bugmenot extension. A right click in the login form would allow you to automatically enter saved information. It's much safer.
    • by David_W (35680) on Friday July 20, 2007 @11:14AM (#19927195)

      Do not use a pull model but a push model like the bugmenot extension.

      You know, that's not a bad idea. Apparently someone else had it too. Check out the Secure Login [mozilla.org] extension. It doesn't use a right click (although I kinda wish it did; may have to suggest that) but it does have a shortcut key and an icon.

      Thanks for saying that; I would have never thought to go looking for such an extension without you saying it.

      • by Arthur B. (806360)
        The nice thing with a contextual menu is that it could provide you with the list of all possible login you have for this website.
    • by discord5 (798235)

      A right click in the login form would allow you to automatically enter saved information. It's much safer.

      Actually, it wouldn't. It would prevent this simple javascript "exploit", but you can adjust the tactic for this. Now you would just either wait for the login form to lose focus or to be submitted. Click on the submit button, trigger the onSubmit handler that you can craft because someone was stupid enough to allow users to do javascript, and we're down the same road again.

      You should never allow unt

      • by Arthur B. (806360)
        In the case you describe (user javascript on the same page as the login form) manually entered javascript is also affected... there's not much you can do about that in the browser.
        • by Arthur B. (806360)
          please read: manually entered logins
        • by discord5 (798235)

          In the case you describe (user javascript on the same page as the login form) manually entered javascript is also affected...

          Well, the exploit in question does deal with some user forging a login form and adding some javascript to a webpage on the domain he's visiting. From the article:

          From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts.

          there's not much you can do abo

    • Re: (Score:2, Interesting)

      by m0RpHeus (122706)

      Do not use a pull model but a push model

      That's exactly how Opera's password manager works. You need to click on the Wand button to enter the user name and password on the form fields. And FYI, the security hole does not affect Opera.
  • password complexity (Score:5, Interesting)

    by farker haiku (883529) on Friday July 20, 2007 @10:29AM (#19926657) Journal
    I used to think (back in my tech support days) that people who couldn't remember their password were just plain stupid. These days, I work in a large firm that has tons of different passwords for everything. Unix passwords, windows passwords, spam mail setting utility password, time tracking utilities have passwords, passwords are required for clearcase/clearquest, remote login, etc. Each of them has different password complexity rules. I no longer criticize people for forgetting their password.
    • I meant to tie that in with the topic... these password managers make life easy. The person that comes up with a secure, non hackable implementation of it will make a fortune.
    • by Cyberax (705495)
      Yep, same problem. I've found that a real paper small notebook is your best friend (and a backup printout of all passwords kept in safe place).
    • by Sparr0 (451780)
      My company of ~200 users has perhaps a dozen services that require logins... and they are ALL synchronized. From our legacy SCO Unix apps to our LAMP intranet site, each person has only one login and password. The synchronization is mostly handled by performing logins via LDAP, with a few of the most stubborn bits being subject to a script that resets them to match the LDAP database every so often.

      In other words...

      YOURE DOING IT WRONG.
      • by Nimey (114278)
        Yes. GP's company needs to figure out how to get all their apps to talk to an LDAP database, then have just one username/password for everything, and a single complexity requirement &c. And a policy that involves a righteous LARTing if a luser writes user/pass on a sticky.

        And FFS, don't put stupid things like how much a given user is being paid into the LDAP; that's just asking for trouble.
  • Clarification (Score:5, Informative)

    by jojoba_oil (1071932) on Friday July 20, 2007 @10:30AM (#19926683)

    Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function.
    That's very misleading. Allow me to clarify:

    Users could also disable JavaScript, which in the age of Web2.0 would cause many pages to display incorrectly. A better alternative is NoScript! [noscript.net], an add-on that allows users to selectively white-list pages, servers, or domains to use JavaScript.

    • Re:Clarification (Score:4, Interesting)

      by Opportunist (166417) on Friday July 20, 2007 @10:38AM (#19926771)
      That's exactly the problem with Web2.0, that NoScript would probably not cut it.

      Take MySpace. How do you want to handle it? Whitelist MySpace as a whole? Then you got no security. Whitelist certain user pages? Then someone who browses userpages has essentially the equivalent of having JS turned off and gets bugged every 2 seconds. And the potential problem that someone might generate content you want to see and bug it.

      The problem is not that certain domains are "evil". Ok, that problem exists, too, but it's a very different problem. The problem is that it's now possible to put malicious script code into user generated content, and that other content on the same server and domain is what people want to see.
      • Re: (Score:2, Insightful)

        by flitty (981864)
        Easy. Don't use Myspace.

        Usually my NoScript when blocking Java has a list of about 5 or 6 current sites running scripts (ad-servers and whatnot, ads.google.com comes up on almost every page), and anything other than the trusted site i'm at NEVER gets whitelisted, it's just not worth the risk. It's a hell of a lot better running a crippled 2.0 website than losing control of what's coming into my computer. I don't need to see all your pretty java crap, and a good site doesn't rely on java to display co
      • Re: (Score:3, Informative)

        by jojoba_oil (1071932)

        Then someone who browses userpages has essentially the equivalent of having JS turned off and gets bugged every 2 seconds. And the potential problem that someone might generate content you want to see and bug it.

        Gets bugged every 2 seconds? Have you used NoScript? It provides a very minimally intrusive bar along the bottom of the browser stating "NoScript has blocked X number of scripts", and you can even turn that off. And without scripting enabled on a page, how do you expect the page to "bug" users to enable JavaScript? The very best they can do is provide a <noscript> tag asking for it -- and then we'd be assuming the user can make the decision themselves.

        Browsing websites such as MySpace works fine with

    • by metamatic (202216)
      I've just submitted an enhancement request [mozilla.org] saying that NoScript + CookieSafe is how cookie and script security ought to work by default. If you agree, please pile on and vote for it.
  • by wile_e_wonka (934864) on Friday July 20, 2007 @10:32AM (#19926711)
    The thing that scared me away from the password manager in Firefox was a program called System Info for Windows [gtopala.com]. It lists all sorts of things about your computer--click on "Secrets." It searches for passwords in several programs--I have a few passwords saved in FF and the vast majority in Opera. I saw both programs mentioned in its analysis (meaning it searched both FF and Opera for saved passwords). It listed every saved FF password but no Opera passwords.

    It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.
    • Re: (Score:3, Insightful)

      by jedidiah (1196)
      You aren't trying to keep it secret from yourself. You're trying to keep it secret from others. At the very least you could run the relevant password saving program in a debugger on your own machine to extract the data in question.

      The fact that a program running on your machine as you can read your passwords is only marginally disturbing.
    • by Derek Pomery (2028) on Friday July 20, 2007 @10:38AM (#19926773)
      Your first mistake is not setting a master password in Firefox.
      Once you do that it won't be able to read them either.
      Its failure to read the Opera ones means either A) you set a master password in Opera or B) no one cares about Opera so program doesn't even look for them.
      • I don't have a master password in Opera--and the program does look for them (reread my post). Additionally, passwords in Opera are saved in "wand.dat"; if you open this file in a text editor it comes out nonsense. Other Opera .dat files (cookies, history, etc) are readable in a text editor (I notice they are more readable in Wordpad than Notepad), which makes me think Opera isn't just saving these as text. FF passwords appear to be saved in "signons2.txt"--this file opens nicely in notepad or wordpad, an
        • by J0nne (924579)
          Opera can encrypt the passwords with a key that's compiled in the program itself. It's hard to do that in an open source application, as anyone can just find the key in the source code of the program. You just have to pray nobody figures out Opera's key by decompiling it or brute-forcing it. Having a master password is safer, and it's similar in how keychains work in GNOME, KDE and OS X.
        • by mhall119 (1035984) on Friday July 20, 2007 @12:40PM (#19928625) Homepage Journal

          Last--FF needs a master password set to be even remotely secure with regard to passwords, while Opera does not. This seems like a big hole.
          If Opera has encrypted your passwords, then it must have a copy of the decryption key stored somewhere in order to read them. It would seem that your program's author just didn't know where the key was, or it would have been able to read the Opera passwords too. Someone can correct me on this if I'm wrong (not a big Opera user), but to me it sounds like security through obscurity.
        • You just don't get it do you, as other people noted, your information is NOT secure unless a master password is set.
          All other options are simply obfuscation. Unless there is a piece of information you add to the mix, all the "ingredients" to reverse it are sitting right there on your HD.
          Your rambling commentary above boils down to simply:
          Opera obfuscates passwords by default.
          Firefox obfuscates passwords by default.

          The only difference is your program you used reversed Firefox's. Again, since you did not se
          • You just don't get it, do you?

            Why didn't the author of this program succeed in deobfuscating my passwords in Opera?

            Three reasons:

            1) It's closed source, and therefore more difficult to figure out how to get at the passwords

            2) The password file is much more heavily obfuscated

            3) There aren't as many Opera users out there, and therefore it is less economical to spend time to properly figure out how to get at the passwords (I repeat, the program does attempt to get at Opera's passwords, it merely fails to succeed)

            What this boils down to--exac

            • Nonsense.
              Obfuscation is not secure. Period.
              The closed source thing is ridiculous, if anyone really cared and had any monetary incentive (and with passwords there surely is) they could easily deobfuscate, closed source or not.
              Security through obscurity is never the answer.
              The smaller user base *is* legitimate, and a good argument for a browser ecology, but it is not an endorsement of any advantage to Opera's password management.
              You should ALWAYS assume passwords that are not encrypted are essentially in the
            • by chgros (690878)
              acknowledge the fact and fix the problem
              Fix what problem?
              If Firefox can get to your passwords (without your input), then so can any other program (that has the same privileges). There's nothing that can be done about it.
              • There's nothing that can be done about it.
                Is that right or is this a lack of creativity on your part? Yours is the type of thinking that thwarts innovation.
                • by chgros (690878)
                  Is that right or is this a lack of creativity on your part?
                  It's right. No matter how creative you want to be, there's nothing that can be done.
                  Worst case, modify Firefox itself (the source is available) so that it spits out plaintext passwords. In practice you can just as easily (and more conveniently) rip out the de-obfuscation code.
    • by kebes (861706)

      It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.

      Well, any program running with user rights can probably read the firefox passwords, since they are not hard for a user to obtain. Just go into "Options" > "Security" > "Show Passwords..." > "Show Passwords" and click "Yes" on the confirmation dialog. You'll see all the stored passwords in plaintext. This means that your passwords can be read without trouble. For instanc

      • by kebes (861706)

        what I would like to see is Firefox switch to this kind of password manager--where the passwords are all encrypted with a "master password."

        To clarify (before someone points out my mistake!): I see that Firefox has a "Set Master Password" option in the Security settings. What I should have said was:

        what I would like to see is Firefox switch to this kind of password manager--where the passwords are all encrypted with a "master password" in the default configuration.

  • by andrewd18 (989408) on Friday July 20, 2007 @10:39AM (#19926779)

    On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.
    Don't tell me that the presence of an in-browser password manager has anything to do with the strength of the password. The only thing stopping people from using simplistic passwords is the quality of the IT department's restrictions. I bet every salesperson in my office would use "gocubsgo" as their password if our IT department didn't demand at least one capital letter and a number. As such, their passwords are now "goCubsgo2007".

    Don't tell me that an in-browser password manager stops people from using the same password everywhere. The average person sees "password" and a single phrase comes to mind. "Oh, my password is '12345'", they say to themselves, and enter that. They don't sit there and think, "Oh, I should keep my bank account password separate from my MySpace password."

    Those two issues aside, people always use password managers of some kind or another. The difference is whether or not they are vulnerable to an attack. I happen to manage my passwords by memorizing them, whereas my father keeps his monitor covered in sticky notes. My password manager is more secure against people sitting at my desk, while his is more secure against old age, and both of them are safe from internet crackers.

    I don't think there's much we can do about increasing people's password security other than increasing awareness and forcing better password standards.
    • Re: (Score:3, Insightful)

      by Otter (3800)
      Don't tell me that the presence of an in-browser password manager has anything to do with the strength of the password....Don't tell me that an in-browser password manager stops people from using the same password everywhere.

      You're right. The real advantage of the password manager is that it's the only reasonable alternative to writing down all of those unique, complex, constantly changing passwords.

    • by joeljkp (254783)
      That's the fundamental flaw with passwords: people have to either remember them or store them somewhere, which leads to weak, easy-to-remember passwords or insecure storage systems.

      When's biometric security coming for the web? Scan my fingerprint to log into Slashdot?
    • >Don't tell me that an in-browser password manager stops people from using the same password everywhere.

      That depends on the password manager. Firefox's password manager doesn't automatically create different passwords per site, but the pwdhash extension does. It hashes the site name with a master password to create a strong and site-specific password. There are several extensions that do this but pwdhash is my favorite.
    • One of the worst problems in my personal experience, worse than phishing, is people sharing passwords between all the untrusted/trusted websites they frequent AND their email; when they sign up to an 'evil' site, it stores their email and password and uses it to access all their stuff.

      What'd be nice if Firefox would automatically enter a very complicated random unique password into password signup form, save it, and automatically enter it into relevant password entry boxes. The user wouldn't even need to th
  • KeePass (Score:2, Informative)

    by Juneau (703789)
    Use KeePass http://keepass.info/ [keepass.info]. Open source, and better automation with websites and much more control than the internal password manager.
  • by shmert (258705)
    Sounds like the exploit relies on auto-enter password fields for a domain, and then using javascript to transmit the value of the password field to the attacker's machine. So, not so much a coding error as a flaw in the thinking that any password field on a site should be auto-filled in. Requiring some action on the part of the user would help with this, but a better solution would be to move to openID [openid.net].
  • Can someone confirm if Safari is actually vulnerable, or if it is just that the author thinks that "all open source browsers are just the same"?

    I tried it with Konqueror and default KDE 3.5 password saving technology, and no password leaked this way. I wonder if Safari would have problems there.

    • by Rosyna (80334)

      Can someone confirm if Safari is actually vulnerable, or if it is just that the author thinks that "all open source browsers are just the same"?
      It only works if form autofill is turned on for usernames and passwords. I have all of autofill turned off (because it's a huge privacy risk in my mind, for accidental forms when I am not paying attention) and the tests don't work. Form autofill for usernames and passwords can be disabled separately from other autofill in safari.
  • It's things like this that force me to disable Password Manager altogether. If only one security hole exists in Password Manager, someone would be able to grab passwords to my bank account, credit card, e-mail, and more. It's a lot harder for the hackers to get the passwords when the only place they are stored is in my head.

    With that said, I must admit that I am having more trouble remembering all of my passwords since I acquire more accounts and each account has different password requirements. I wis
    • by kebes (861706)

      It's things like this that force me to disable Password Manager altogether. ... With that said, I must admit that I am having more trouble remembering all of my passwords since I acquire more accounts and each account has different password requirements.

      Well my solution is to be selective about what passwords get saved. Low-priority things like slashdot and forum logins are fine for password managers. However I memorize, never write down, and never save passwords for financial sites. This keeps the number

  • by EMR (13768) on Friday July 20, 2007 @11:05AM (#19927069)
    By using this extension, the security hole is fixed. Just have to wait around for FF to implement it natively.
    This extension provides a *wand* like Opera has. (which is not affected by this security hole, because of this functionality).

    https://addons.mozilla.org/en-US/firefox/addon/4429 [mozilla.org]
    • I also suggest using Password Maker to generate unique passwords for you. I don't even know the passwords to the websites I visit any more, I simply have them generated from one core password.

      You could use this extension by itself or combine it with the Secure Login extension.

      http://passwordmaker.org/ [passwordmaker.org]
  • Challenge/Response (Score:4, Insightful)

    by oldmacdonald (80995) on Friday July 20, 2007 @11:21AM (#19927279)
    The "right" solution is to have a challenge/response protocol where your secret key is never sent out of your computer at all. The current password situation is a huge mess since you need a different password for every site or risk one compromised trusted site giving away your password to everything. Most users, even when using a password manager, aren't going to have unique passwords for every site, let alone strong ones. It wouldn't surprise me at all if such a protocol already exists in the HTML standard. It certainly should.

    The downsides to this solution? 1) You need to have a browser that supports the protocol (no browsing in telnet). 2) You need to carry around your keys if you want to use them on more than one computer. 3) You need to explain it to users (but hopefully it can be almost transparent). I'm sure there are other problems but the current situation is untenable.
  • My Solution (Score:2, Interesting)

    by fast turtle (1118037)

    While I do use the PW Manager in Firefox, I have never allowed it to retain any critical pw's with those defined as any site where I enter financial or shipping information. For those sites, I use a dedicated PW Manager that allows me to generate more secure passwords using all available characters including special characters.

    In the rare case that a website does not accept/allow special characters to be used for passwords, I tend to re-evaluate their value to me. I also notify both the webmaster and custo

  • Who found the bug? Can we commision a hit on him?

    Ok, I take that back. Forgot this is Firefox, not Safari.

  • But I can't seem to get the Browser Check to pull passwords on Safari 2.0 or Mac/Win Firefox with all three using password manager. Is there a specific way that the password manager/auto-fill needs to be set up in order to pull the data?

    IE, is this more FUD-ey stuff that is very situational than practical?
  • From the Kwallet handbook [kde.org] (a KDE utility; GNOME has equiv.): The wallet subsystem provides a convenient and secure way to manage all your passwords. I'm not sure if this can be done automatically (integrated in browser) but manually, using a master key/password, it is a good way to store passwords for those with Alzheimer or other memory trouble. One could even use GPG/PGP or TrueCrypt (or LUKS/GELI etcetera) as 'wallet'. As long as you can remember/have the master key its more secure and reliable than (stic
    • by AaronW (33736)
      I also find this useful. That way I can choose a different password for each site that requires them and can generate some pretty random passwords like D7fgy#h0xl for example. At least with kwallet, the passwords are all encrypted.

      Out of curiosity I ran the password stealing test (as well as all of the other Javascript tests) with Konqueror and they all passed with no information leaked.

      One nice thing is Kwallet is outside of the browser with access control to various applications. This means that when Konq
  • by Monsieur_F (531564) on Friday July 20, 2007 @11:59AM (#19927951) Homepage Journal
    the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.

    I rarely use a password manager, because I do not really trust them but also because, just as when using cookies to stay logged on a site, you just do not have to remember your password. This means that when you occasionally want to log in from another computer, for some urgent matter, you cannot find what your password was!

    On the other hand, I generally use the same simplistic password on many sites just because there is no critical information on them. On some game sites, the most important information may be my real name and address if there is some incentive for this (read: prizes to win).

    Strangely, one really critical site (my banking account) uses a not-so-hard password (6 digits), but this is constrained by the bank itself.

  • Who on Earth uses the password save feature and expects it to be safe anyway... I mean, come on. I keep my password manager on my USB stick, using a program that doesn't communicate with the network. I don't keep them in the program that will also talk to the site I want to log into. Too much danger that info will leak or a way in will be found... well, whaddayaknow.
  • Maybe a much better solution. But you need to install Linux or *BSD first.
  • by bl8n8r (649187) on Friday July 20, 2007 @12:33PM (#19928507)
    "an attacker may emulate the login form "

    This is the same old whore in new shoes. A javascript text entry masquerading as something else. You may as well point in apache's direction for htaccess too then.

    As long as people do not think about what they are doing with their web browser, you will always have this problem. If people would think about web sites the same way they think about crossing a busy street the problem would be solved.
  • Using a different password for each site is the ultimate in security; however, without a password manager of some sort, it becomes too difficult to manage such a large list of passwords. Thankfully, OSS password managers such as Revelation [codepoet.no] and Figaro Password Manager [sourceforge.net] exist! Personally, I use revelation; however, both are excellent pieces of software!

    --
    Yahma
    BlastProxy [blastproxy.com] - Anonymous & Secure web browsing
    ProxyStorm [proxystorm.com] - Anonymous & Secure web browsing
    LiarLiar [sf.net] - Open Source Voice Stress Analysis

  • As pointed out, noscript is your friend. Another handy plugin is passwordmaker, https://addons.mozilla.org/fr/firefox/addon/469 [mozilla.org]

    Makes it trivial to have different, secure passwords for each site.
  • Don't store your passwords in ANY password manager, and especially do not allow Web site to "remember you." Enter your passwords every time you go to a site that needs them.

    This means using passwords you can remember, rather than truly strong random passwords, which is a security problem in itself. But with some initial judicial selection of a manual password generation algorithm, this should be doable for most people. If you have a limited set of passwords you use frequently, especially for low value appli
  • The first thing I found after the previous announcement of this problem was the Firefox extension that times out the master password after, let's say, 30 seconds.
    Next time the browser wants to fill in a blank it asks for the master password; if you don't trust the site just press escape and nothing will happen! :)
