Forgot your password?
typodupeerror
Security

Safari and Chrome: Tied For the Worst Password Manager 218

Posted by CmdrTaco
from the remember-this dept.
Startled Hippo writes "Safari and Chrome are tied for the worst password manager built into a major Web browser, according to a new study on the issue produced by Chapin Information Services. One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site. The bug has been fixed in Firefox, but Chrome and Safari are still vulnerable to this kind of attack."
This discussion has been archived. No new comments can be posted.

Safari and Chrome: Tied For the Worst Password Manager

Comments Filter:
  • by Anonymous Coward on Monday December 15, 2008 @10:38AM (#26119627)

    http://www.bash.org/?244321

  • Aha! (Score:5, Funny)

    by fbish (1429251) on Monday December 15, 2008 @10:39AM (#26119641)
    Luckikly, all my passwords are exactly the same, so I'm fine.
    • Re:Aha! (Score:5, Funny)

      by fbish (1429251) on Monday December 15, 2008 @10:50AM (#26119781)
      Luckily, I also cannot spell.
    • Re:Aha! (Score:5, Funny)

      by Yvan256 (722131) on Monday December 15, 2008 @11:02AM (#26119879) Homepage Journal

      "exactly the same" is a bit strange for a password, isn't it?

      • by theaveng (1243528)

        I think my old, ex-password is rather strange: "physicsastronomylover" - dates all the way back to my first BBS in 1987. My two favorite subjects in school.

      • Re:Aha! (Score:5, Funny)

        by genner (694963) on Monday December 15, 2008 @12:03PM (#26120507)

        "exactly the same" is a bit strange for a password, isn't it?

        No it's perfect. If you get torchered you'll be screaming that all your passwords are extactly the same and your captors will be clueless as to why they can't break you.

        • Re: (Score:3, Funny)

          by deroby (568773)

          Some years ago we used to have a stand-alone machine for testing using a local account. As most members of the team needed to be able to log on to it now and then I came up with "just leave it empty" as a password. Whenever someone forgot and had to ask for it, we simply would yell across the floor : that password ? Just leave it empty ! Those who 'knew' remembered then and were able to log in. Others who had overheard it and wanted to use our mega-powerful-machine tried logging in using a blank password, b

        • by rockout (1039072)
          Am I the only one who, at first, read that as "if you get torched"?

          I was very confused, for a moment, as to why someone who was lit on fire would be screaming their passwords.
          • Re: (Score:3, Insightful)

            by genner (694963)

            I was very confused, for a moment, as to why someone who was lit on fire would be screaming their passwords.

            It's a perfectly cromulant method of torture.

    • by daybot (911557) *

      My password is obvious.

  • by Telephone Sanitizer (989116) on Monday December 15, 2008 @10:41AM (#26119671)

    ...So I'm safe, right? ;-)

    • Re:I Use A Mac... (Score:5, Informative)

      by goombah99 (560566) on Monday December 15, 2008 @10:46AM (#26119715)

      macs do get credit for putting the passwords where they belong: in a centralized password keychain. Firefox rolls it's own separate password manager. At various time firefox's keychain has been found to be insecure and it's separate from your other keychains. There's no simple keychain brownser interface like the centralized keychain protection system safari uses.

      If you want to encrypt or hide or transport all your passwords it's easy in safari but hard in firefox since how it's done changes.

  • Missing department (Score:4, Insightful)

    by Atti K. (1169503) on Monday December 15, 2008 @10:41AM (#26119673)
    "from the avoid-saving-passwords dept." ???
    • by hardburn (141468)

      A good password manager is potentially better than trying to remember passwords. Excepting Rain Man-style savants (who often have severe cognitive difficulties in other ways), a computer can remember more unique passwords than any humans. Could you memorize a unique, strong, truly random password of at least 8 chars for every site you've ever visited?

      There are indeed implementation problems that make this less secure than it could be, but even a naive implementation that stores the passwords in plaintext is

    • I think the "real" solution, if you want good password security, is to use the following scheme:

      pwd = hash(master_secret || site_id || site_counter).

      That is, use as a password the hash value of your master password, something that identifies the site you're logging in at (say, "slashdot" for everything at slashdot.org), and a generation counter such that if your slashdot password gets stolen you can make a new one without changing your master password (and without changing password on your ~gazillion accoun

    • by Ilgaz (86384)

      I have 780 random passwords which the very high risk ones changes weekly automatically thanks to 1Password which integrated to all native OS X browsers and Firefox.

      Firefox developers should get a trial of it to see what they miss by not using system keychain. Opera too. In fact, Opera supported the keychain and switched to Wand.dat for no reason.

      • Re: (Score:2, Insightful)

        by maxume (22995)

        It seems more correct to say that your computer has 780 random passwords.

    • Tied for
      Worst Browser Functionality Idea

  • by myxiplx (906307) on Monday December 15, 2008 @10:44AM (#26119691)

    To be honest, when the best browser is only scoring 7/21 they *all* need some work. Focusing on Chrome just means you're ignoring the bigger picture.

  • by thetoadwarrior (1268702) on Monday December 15, 2008 @10:44AM (#26119697) Homepage
    If you can't remember your password then write it on paper and hide it. Putting it on your computer, especially your Windows PC, is asking for someone take it.

    Even if they aren't in clear text the downside to using a password manager is everyone's passwords will be in the same place and in the same format. It's easy pickings.
    • by skeeto (1138903) on Monday December 15, 2008 @11:11AM (#26119971)

      It depends on the account type.

      Yeah, don't let the browser store your bank and e-mail passwords.

      But your /. account, where logins are done in plaintext rather than https? Go for it. As soon as you log in wirelessly you have broadcasted your password to the world anyway. The password manager is not the weak link here.

      Plus, you know, it's only your /. account, not your life savings. The consequences for losing the password are small, so shifting the trade-off towards convenience will be more reasonable.

      • by Kz (4332)

        let the cookies keep you logged in /. and other non-sensitive accounts.

        for everything else, use your own passwords and type them with your own fingers.

        • The cookie is sent via HTTP and it's just as vulnerable as the password. Seems to me we just recently heard about a GMail attack that worked by this exact method...

      • Re: (Score:3, Insightful)

        by tomknight (190939)
        Hmm... could someone use your /. account to commit a crime in your name?

        Think:
        * Libel
        * "Possessing information of use to a terrorist organisation"
        * "Inciting racial hatred"
        Not sure about US laws, but you can't say whatever you like in the UK...

        Of course the same goes for newpaper sites that let people leave comments etc.

      • Easy for you to say, you 7-digit!

        Imagine if somebody had a 3-or-4 digit ID. Think of the evil they could unleash on the world!

    • by yttrstein (891553) on Monday December 15, 2008 @11:31AM (#26120191) Homepage
      First place a local black hat looks? Under keyboards. One of the things its fun to do with new clients is to walk around their offices and grab every password-slip you can find. All the usual places -- under keyboards, in the desk drawer next to the pens, on the back of a monitor facing a cube wall.. And this one is my favorite:

      In a desk drawer but fastened to the underside of the desk surface. Very clever.
      • Re: (Score:3, Informative)

        Work is a public area. It'd be silly to leave passwords anywhere other than in your wallet in that instance.

        And if you leave that lying around I think you should be more worried about card numbers being pinched.
        • by Ogive17 (691899)
          I know people will cringe, but I've got all my PWs written down and taped to the bottom of my desktop calculator. I have 7 different log ins for various programs/systems that all seem to have different PW requirements. Hell if I can remember them over a long weekend especially when they are all on different reset calendars.

          I realize it's stupid to have the PWs accessable so near my computer.. but at least now I have a laptop and take it home with me every evening.. so unless someone finds my hidden PW
      • by MightyYar (622222)

        I used to put mine on the front of the monitor, facing straight out so I could read it without too much effort.

      • by poopdeville (841677) on Monday December 15, 2008 @12:38PM (#26120809)

        I often leave notes for desk-Nazi's like you: "e@t_a_d1ck" or "Stop looking under my keyboard, asshole"

    • by Paradigm_Complex (968558) on Monday December 15, 2008 @11:34AM (#26120213)
      A few months back I did some computer help for someone who had all his passwords in post-it notes stuck around his monitor. I still remember some of them today.

      Don't put your password on your windows computer, or on your windows computer. Both are easy pickings.
    • Yeah, so I have a different password for every account I have. There is no friggin' way I'm going to remember them, so I keep them in a gpg encrypted file, which I consult when I need to. But the point of the password manager is not that you don't have to remember the password; it's that you don't have to type it. I do not want to type any passwords. All the sites these days are so paranoid about security, they make you type passwords all the time. Without a password manager I'd have to type a dozen passwor

    • Even if they aren't in clear text the downside to using a password manager is everyone's passwords will be in the same place and in the same format. It's easy pickings.

      If there's a crypto password datastore where merely having the password file is dangerous then something is wrong with the encryption. Or the master password.

  • Before someone asks (Score:5, Informative)

    by Opportunist (166417) on Monday December 15, 2008 @10:46AM (#26119721)

    "How can this be exploited" when some subtree memeber of a domain can read credentials that should only be given to the top level member, read http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug [linuxjournal.com].

    To save the others the hassle, allow me to sketch something. It's trivial to get the domain a000001.amazon.com under your control. It is, believe me, if you don't, just read it up. Well, maybe not exactly a0000001... but something to the quality of $foo.amazon.com can easily be made to point back to a webpage you control.

    Next, create a page for the internets most sought after resource: pr0n. Do like the missionaries, spread the word, unlike them you have ICQ and spam at your disposal to get people to visit your page. On this page, refer to $foo.amazon.com

    Then have $foo.amazon.com ask for the credentials.

    It's not so much that the threat of hijacking a "real" domain name (i.e. amazon.com itself) is too big after a few ISPs toughened their DNS lookups when the patches didn't come quickly. Few ISPs are left that are actually vulnerable to having their caches completely rewritten. Subdomains can still be hijacked (even after the half-assed patch we got lately), and in combination with browsers that send credentials to whatever subdomain, it's a serious security problem.

  • by tomknight (190939) on Monday December 15, 2008 @10:47AM (#26119735) Homepage Journal
    "Chapin Information Services."

    Who??

    Seriously, this looks like a typical "storm in a teacup to get people to take me seriously as a security researcher" notification.

    Who here really lets any password manager save any password they care about? I have Opera save details for systems that don't matter, everything else I just remember.

    Check out the website for more information about this astounding company.

  • by mcgrew (92797) * on Monday December 15, 2008 @10:48AM (#26119743) Homepage Journal

    I don't do commerce online, so the only passwords I need are two email accounts, slashdot, and half a dozen idiot-run newspapers. I use the same password for all the idiot newspapers: 111111. That password is for their page counts and advertising and has nothing whatever to do with my own security, I have no reason to worry about them. And I never forget my password. If somebody logs on to the Chicago Tribune using my password, why should I care? Requiring a password to read a newspaper is stupid.

    Email and slashdot, of course, are a horse of a different color.

    Safari and Chrome are the last two browsers I would expect (well second last) to have this sort of problems.

  • by Speare (84249) on Monday December 15, 2008 @10:55AM (#26119823) Homepage Journal

    Putting passwords in your web browser isn't just like hiding your house keys under the doormat, it's like taping the keys of your house to the front door.

    I don't keep full passwords on paper, nor do I use one of those password vault devices. Using truly random characters just means I have to write it down in full somewhere. I do have a text file that gives me *just* enough info that my mind can recall the password. For example, I might write "B`" and I recall that means "b1ZZare`" or I might use "W.P" to remember "To1.st0y". I know the rules I use to spell or punctuate words. I use different sorts of passwords for different tiers of security, from web forum, web merchant, web banking, private data, estate data, etc.

    • by elcid73 (599126)

      This is my scheme as well. It always seems to me to be blindingly obvious to do something like this, but it's never really mentioned anywhere.

    • I know the rules I use to spell or punctuate words.

      It's a good job you never post examples of those rules in a public forum.

    • by l3prador (700532)
      Actually, modern dictionary crackers are fluent in 1337 and are designed to substitute common replacements such as 1 for i and 0 for o. Taking a dictionary word and changing some of the letters to numbers is not a secure solution.
    • An even better solution is to put all your passwords into some kind of encrypted file, and memorize the password to that encrypted file. Then you can have a different long password for each service, random and invulnerable to dictionary attacks.

      Just make it something where you have to copy/paste it manually rather than having your browser automatically fill it in. Then you're only vulnerable to phishing attacks, other social engineering, or someone getting ahold of your vault & vault password.

    • I have two standard passwords that I use and then add three characters to the end that are keyboard based S-Boxed of the first three characters of the domain. So lets say my base password is lK89#8 and I visit slashdot.org so I take the sla and hash it out to woq for a password of lK89#8woq. Although that's not my base password or hash function.
  • Why? (Score:5, Insightful)

    by PhotoGuy (189467) on Monday December 15, 2008 @11:07AM (#26119923) Homepage

    I never understood the appeal of password managers. And they tend to be obnoxious, getting in your face until you disable them.

    If I have a high security password, I'm not going to want to store it in a browser for two reasons: 1) Someone else with physical accesse to my machine, has access to my stuff; 2) If I don't ever have to type my password, I'll often forget it.

    For lower-security passwords, I, like many, simply use the same one that's easy to remember, and used for all those stupid forums and other lightweight places that make you register.

    I've just never seen the need... It's definitely one of the most hyped up features that seems to have zero utility to me.

    • by Kz (4332)

      seems to have zero utility to me.

      less than zero, since in some browsers it's even hard to disable. (konqueror!!!)

  • by theaveng (1243528) on Monday December 15, 2008 @11:16AM (#26120033)

    I've always thought storing passwords in your computer is dumb. (1) It makes it extremely easy for people to steal your PC or laptop and get into your sites. (2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were. (3) I think the safest place to store them is in your head.

    • by argent (18001)

      (2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were.

      I just restore ~/Library/Keychains from backup. Don't you keep backups?

  • MAJOR browser? (Score:5, Insightful)

    by jedie (546466) on Monday December 15, 2008 @11:17AM (#26120037) Homepage

    How exactly is Chrome (which is backed by a major company) a major browser?

    • by Ilgaz (86384)

      It is backed by a gigantic dotcom giant which is de facto standard search tool. It is fairly safe to call it major browser since the day it got shipped as non beta.

      Just put "Google Chrome" link to Google.com index, see what happens :)

    • by Sir_Lewk (967686)
      Call me stupid, but I think you just answered your own question. Otherwise, I don't see why you thought "backed by a major company" was so relevant to your comment, unless you are implying backing should be considered a reason it's not a "major browser". In that case, you are an idiot.
  • by IBBoard (1128019) on Monday December 15, 2008 @11:17AM (#26120039) Homepage

    One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site.

    And that's a "trick" because...? Surely there are times when you want to have different passwords in different areas. I've got basic HTTP authentication on an admin area of one of my sites. From there I've then got a number of tools, at least one of which requires a separate login. There's situations like that where you want different passwords for different areas.

    What annoys me with password managers at the moment is Firefox filling in too many passwords! If you record a password for one set of login forms and then go to any other page on the same domain with a password box with a text box just above it then Firefox blindly guesses that they're a login box (even if they're called "foo" and "bar" when you recorded the details for the fields "username" and "password"). That can really start to cock up some of your settings in things like phpBB's admin control panel if you don't notice what it has auto-filled.

  • by Big Hairy Ian (1155547) on Monday December 15, 2008 @11:36AM (#26120233)
    One thing that really pisses me off about just about every browser is being asked if I want it to remember my password. I mean honestly do people really trust Internet Explorer or Firefox to store their valuable passwords in a massively secure way? Call me Mr Paranoid if you like but I don't trust anything that stores more than a hash.
  • I avoid storing passwords in most sites, where I can remember them - I have a few "tiers" of passwords, the low-security, medium-security, high-security etc. Except some sites require "no punctuation characters" or "password must include at least 3 digits and at least 3 letters." or "password must be lowercase".
    In these cases I make up something to match and let the password manager remember that. I don't care about these sites anyway, they usually suck - I just register with disposable email, grab the info

  • For most sites I frequently visit (like /.) I don't care if somebody steals my account, logs in as me, and starts spewing crap.

    For throwaway passwords on the above sites I like to use "ps -A |md5sum" I like it better then pwgen (don't ask why).

    For my serious accounts (like banking) I keep it in my head.

  • by daybot (911557) * on Monday December 15, 2008 @01:43PM (#26121633)

    I find Safari's password manager perfectly sec^H^HONLINE MEDS, CHEAP V1AGRA, NO PRESCRIPT1ON REQUIRED

  • One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site.

    Don't you mean "password managers can be tricked into submitting the same password credentials to different parts of the same Web site"?

  • by yabos (719499) on Monday December 15, 2008 @04:49PM (#26124187)
    Anyone using Wordpress admin + Safari can see this for themselves. Embedded in the Wordpress admin "dashboard" is a frame with a wordpress.com source. This frame will show you statistics about your blog if you're logged in to wordpress.com. The problem is, that in Safari when you have auto fill turned on, it puts the login credentials from myblog.com(i.e. your own blog login credentials) into this form which is hosted on wordpress.com

Nothing is more admirable than the fortitude with which millionaires tolerate the disadvantages of their wealth. -- Nero Wolfe

Working...