Safari and Chrome: Tied For the Worst Password Manager
Startled Hippo writes "Safari and Chrome are tied for the worst password manager built into a major Web browser, according to a new study on the issue produced by Chapin Information Services. One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site. The bug has been fixed in Firefox, but Chrome and Safari are still vulnerable to this kind of attack."
users can be tricked too... (Score:5, Funny)
http://www.bash.org/?244321
I should get out more often... (Score:5, Funny)
http://www.bash.org/?244321
I don't need to go there. I know the answer is "hunter2" (if you're the guy, I just copy-pasted the ***s from bash.org, that's why it shows up as hunter2 on your screen).
Is that a sign I should get out more often? ;)
Comment removed (Score:4, Funny)
Aha! (Score:5, Funny)
Re:Aha! (Score:5, Funny)
Re:Aha! (Score:5, Funny)
"exactly the same" is a bit strange for a password, isn't it?
Re: (Score:2)
I think my old, ex-password is rather strange: "physicsastronomylover" - dates all the way back to my first BBS in 1987. My two favorite subjects in school.
Re:Aha! (Score:4, Funny)
I thought it was because you make love with a lever and a planetary body (insert joke here).
physicsastronomylover (Score:2)
Actually, how he came up with the password was: "Hmm, what shall I put as my password? Physics? Astro? No, my *lover*!"
Re: (Score:2)
I've got a lever of sufficient length - show me your fulcrum and I'll make the earth move ;)
Disclaimer: I have no idea where I read this joke.
Re: (Score:3, Informative)
That's a quotation by Archimedes [wikipedia.org]: "Give me a place to stand and with a lever I will move the whole world."
Re: (Score:2)
no digits? no good
Re:Aha! (Score:5, Funny)
"exactly the same" is a bit strange for a password, isn't it?
No, it's perfect. If you get tortured you'll be screaming that all your passwords are exactly the same and your captors will be clueless as to why they can't break you.
Re: (Score:3, Funny)
Some years ago we used to have a stand-alone machine for testing using a local account. As most members of the team needed to be able to log on to it now and then I came up with "just leave it empty" as a password. Whenever someone forgot and had to ask for it, we simply would yell across the floor : that password ? Just leave it empty ! Those who 'knew' remembered then and were able to log in. Others who had overheard it and wanted to use our mega-powerful-machine tried logging in using a blank password, b
Re: (Score:2)
I was very confused, for a moment, as to why someone who was lit on fire would be screaming their passwords.
Re: (Score:3, Insightful)
I was very confused, for a moment, as to why someone who was lit on fire would be screaming their passwords.
It's a perfectly cromulent method of torture.
Re: (Score:3, Funny)
Confess! Or I'll shine this Maglite in your face again!
Re: (Score:3, Informative)
Re: (Score:2)
Make sure you encode your password with a high enough bit rate or the symbols won't sound right. I use "--preset extreme" in LAME.
Re: (Score:2)
My password is obvious.
I Use A Mac... (Score:5, Funny)
...So I'm safe, right? ;-)
Re:I Use A Mac... (Score:5, Informative)
Macs do get credit for putting the passwords where they belong: in a centralized password keychain. Firefox rolls its own separate password manager. At various times Firefox's keychain has been found to be insecure, and it's separate from your other keychains. There's no simple keychain browser interface like the centralized keychain protection system Safari uses.
If you want to encrypt or hide or transport all your passwords it's easy in Safari but hard in Firefox, since how it's done changes.
Re:I Use A Mac... (Score:5, Interesting)
Isn't it time Firefox supported the Mac Keychain [mozilla.org]? :-/
Re: (Score:3, Funny)
Isn't it time Firefox supported the Mac Keychain? :-/
It'll happen pretty quickly once Opera supports it! :D
Re: (Score:2)
Re: (Score:2, Informative)
No, seriously? Linux FF is always faster for me than Windows FF. And Gnome integration + QT4 theme makes it look nice with KDE.
Re: (Score:2)
You can use Password Exporter [google.com] for Firefox to transport your passwords to another machine.
Re:I Use A Mac... (Score:4, Informative)
Windows is an ambiguous case. As best I understand it, MS decided not to implement a flexible system for centralized storage of third party passwords because they wanted everybody to use their
Re: (Score:2)
Windows essentially has no centralized credentials mechanism that is of real world use
Does a file called passwords.txt on your desktop count?
Re: (Score:2)
Re: (Score:2)
However, Microsoft does seem to prefer a single (or very few) signon system with an AD domain or Passport.
Re: (Score:2, Informative)
I have no idea about Windows, but there are several such applications available for Linux or any other unices.
For Gnome users, there is Gnome Keyring, and I believe the equivalent for KDE is KDE Wallet. I dare say there are others I haven't heard of.
Re: (Score:2, Interesting)
Re: (Score:2)
Yeah, relatively - OS X stores passwords in a proper way: in the central "Keychain", to which you may only get access by supplying your user credentials. Does your Linux or Windows have anything like that? No? Trolling failed, then, you Linux/Windows luser of ignoramus stance
Somebody, please mod down this AC's +1 Insightful. Yes, Linux has an equivalent of the Keychain. If you use Gnome, it's called the Keyring. If you use KDE, it's called the Wallet. They all work equally well. Props to Apple, though, for first implementing it way back in 1994 as part of the PowerTalk add-on pack to System 7.5
Screenshot of System 7.5 Keychain: http://www.roughlydrafted.com/RD/Q4.06/9D82740A-139C-432C-8279-AD2D4E04892E_files/img008.jpg [roughlydrafted.com]
Re:I Use A Mac... (Score:4, Informative)
In real life, nearly all OS X native browsers and even the commercial password manager 1Password use Keychain. On Gnome and KDE, only their own default browsers use their subsystems.
Apple made it somehow easy to integrate with Keychain no matter how your application is coded, in whatever language. Even AppleScript/OSAScript "Apps" use Keychain very effectively.
Firefox and Opera don't use it because they don't feel like it, that is all. I mean, that is why both browsers can't be "tried" on an up and running OS X, since nobody would bother to type in 200 passwords while they've got them recorded elsewhere and perfectly used by Omniweb etc.
Missing department (Score:4, Insightful)
Re: (Score:2)
A good password manager is potentially better than trying to remember passwords. Excepting Rain Man-style savants (who often have severe cognitive difficulties in other ways), a computer can remember more unique passwords than any humans. Could you memorize a unique, strong, truly random password of at least 8 chars for every site you've ever visited?
There are indeed implementation problems that make this less secure than it could be, but even a naive implementation that stores the passwords in plaintext is
From the hash-based-passwords dept.? (Score:2)
I think the "real" solution, if you want good password security, is to use the following scheme:
pwd = hash(master_secret || site_id || site_counter).
That is, use as a password the hash value of your master password, something that identifies the site you're logging in at (say, "slashdot" for everything at slashdot.org), and a generation counter such that if your slashdot password gets stolen you can make a new one without changing your master password (and without changing password on your ~gazillion accoun
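The derivation the comment above sketches, pwd = hash(master_secret || site_id || site_counter), as an added example that is not part of the original post. It swaps the plain hash for scrypt (a slow, memory-hard KDF), length-prefixes each field so that concatenation is unambiguous, and treats the counter as the per-site rotation knob the comment describes; function names and parameters are assumptions.

```python
import base64
import hashlib


def _field(data: bytes) -> bytes:
    """Length-prefix a field so ("ab","c") and ("a","bc") cannot collide."""
    return len(data).to_bytes(4, "big") + data


def derive_site_password(master_secret: str, site_id: str,
                         counter: int = 0, length: int = 20) -> str:
    """Return a per-site password for (master_secret, site_id, counter).

    The site id and counter form the scrypt salt; the master secret is the
    scrypt password. Changing the counter yields an unrelated password for
    the same site without touching the master secret.
    """
    if length < 8 or length > 40:
        raise ValueError("length must be between 8 and 40")
    salt = _field(site_id.encode("utf-8")) + _field(str(counter).encode("ascii"))
    key = hashlib.scrypt(master_secret.encode("utf-8"), salt=salt,
                         n=2 ** 14, r=8, p=1, dklen=32)
    # URL-safe base64 keeps the result printable; trim to the requested length.
    return base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length]


def rotate_site_password(master_secret: str, site_id: str,
                         old_counter: int) -> tuple[int, str]:
    """Bump the counter after a site-side leak; master secret stays unchanged."""
    new_counter = old_counter + 1
    return new_counter, derive_site_password(master_secret, site_id, new_counter)


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    master = "correct horse battery staple"
    print("slashdot/0:", derive_site_password(master, "slashdot", 0))
    print("slashdot/1:", rotate_site_password(master, "slashdot", 0)[1])
```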
Re: (Score:2)
I have 780 random passwords, of which the very high risk ones change weekly automatically thanks to 1Password, which is integrated with all native OS X browsers and Firefox.
Firefox developers should get a trial of it to see what they miss by not using system keychain. Opera too. In fact, Opera supported the keychain and switched to Wand.dat for no reason.
Re: (Score:2, Insightful)
It seems more correct to say that your computer has 780 random passwords.
Flash & Password Management (Score:2)
Tied for
Worst Browser Functionality Idea
Why focus on Chrome? (Score:5, Insightful)
To be honest, when the best browser is only scoring 7/21 they *all* need some work. Focusing on Chrome just means you're ignoring the bigger picture.
Re:Why focus on Chrome? (Score:5, Insightful)
Comment removed (Score:5, Funny)
Re: (Score:2)
Never use password managers (Score:5, Interesting)
Even if they aren't in clear text the downside to using a password manager is everyone's passwords will be in the same place and in the same format. It's easy pickings.
Re:Never use password managers (Score:5, Insightful)
It depends on the account type.
Yeah, don't let the browser store your bank and e-mail passwords.
But your /. account, where logins are done in plaintext rather than https? Go for it. As soon as you log in wirelessly you have broadcast your password to the world anyway. The password manager is not the weak link here.
Plus, you know, it's only your /. account, not your life savings. The consequences for losing the password are small, so shifting the trade-off towards convenience will be more reasonable.
Re: (Score:2)
let the cookies keep you logged in /. and other non-sensitive accounts.
for everything else, use your own passwords and type them with your own fingers.
Re: (Score:2)
The cookie is sent via HTTP and it's just as vulnerable as the password. Seems to me we just recently heard about a GMail attack that worked by this exact method...
Re: (Score:3, Insightful)
Think:
* Libel
* "Possessing information of use to a terrorist organisation"
* "Inciting racial hatred"
Not sure about US laws, but you can't say whatever you like in the UK...
Of course the same goes for newspaper sites that let people leave comments etc.
Re: (Score:2)
Easy for you to say, you 7-digit!
Imagine if somebody had a 3-or-4 digit ID. Think of the evil they could unleash on the world!
Re:Never use password managers (Score:4, Interesting)
In a desk drawer but fastened to the underside of the desk surface. Very clever.
Re: (Score:3, Informative)
And if you leave that lying around I think you should be more worried about card numbers being pinched.
Re: (Score:2)
I realize it's stupid to have the PWs accessible so near my computer.. but at least now I have a laptop and take it home with me every evening.. so unless someone finds my hidden PW
Re: (Score:2)
I used to put mine on the front of the monitor, facing straight out so I could read it without too much effort.
Re:Never use password managers (Score:5, Funny)
I often leave notes for desk-Nazis like you: "e@t_a_d1ck" or "Stop looking under my keyboard, asshole"
Re: (Score:2)
I glue set mousetraps upside down to the inside underside of my desk drawers.
Re:Never use password managers (Score:4, Insightful)
Don't put your password on your windows computer, or on your windows computer. Both are easy pickings.
It's not just about remembering (Score:2)
Yeah, so I have a different password for every account I have. There is no friggin' way I'm going to remember them, so I keep them in a gpg encrypted file, which I consult when I need to. But the point of the password manager is not that you don't have to remember the password; it's that you don't have to type it. I do not want to type any passwords. All the sites these days are so paranoid about security, they make you type passwords all the time. Without a password manager I'd have to type a dozen passwor
Re: (Score:2)
Even if they aren't in clear text the downside to using a password manager is everyone's passwords will be in the same place and in the same format. It's easy pickings.
If there's a crypto password datastore where merely having the password file is dangerous then something is wrong with the encryption. Or the master password.
Before someone asks (Score:5, Informative)
"How can this be exploited" when some subtree member of a domain can read credentials that should only be given to the top level member, read http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug [linuxjournal.com].
To save the others the hassle, allow me to sketch something. It's trivial to get the domain a000001.amazon.com under your control. It is, believe me, if you don't, just read it up. Well, maybe not exactly a0000001... but something to the quality of $foo.amazon.com can easily be made to point back to a webpage you control.
Next, create a page for the internet's most sought after resource: pr0n. Do like the missionaries, spread the word, unlike them you have ICQ and spam at your disposal to get people to visit your page. On this page, refer to $foo.amazon.com
Then have $foo.amazon.com ask for the credentials.
It's not so much that the threat of hijacking a "real" domain name (i.e. amazon.com itself) is too big after a few ISPs toughened their DNS lookups when the patches didn't come quickly. Few ISPs are left that are actually vulnerable to having their caches completely rewritten. Subdomains can still be hijacked (even after the half-assed patch we got lately), and in combination with browsers that send credentials to whatever subdomain, it's a serious security problem.
Is this really worth noting? (Score:5, Insightful)
Who??
Seriously, this looks like a typical "storm in a teacup to get people to take me seriously as a security researcher" notification.
Who here really lets any password manager save any password they care about? I have Opera save details for systems that don't matter, everything else I just remember.
Check out the website for more information about this astounding company.
Re: (Score:2)
I thought *everyone* knew who Chapin Information Services was - you must be really out of the loop.
Re:Is this really worth noting? (Score:5, Insightful)
I do. And I bet at least one other person does.
Re: (Score:2)
Who here really lets any password manager save any password they care about?
I do. And I bet at least one other person does.
then you're getting what you asked for.
trust no one with your passwords.
Re:Is this really worth noting? (Score:4, Funny)
Really? Not even the people who wrote your web browser?
Re:Is this really worth noting? (Score:5, Funny)
My password manager is in my wallet (Score:3, Insightful)
I don't do commerce online, so the only passwords I need are two email accounts, slashdot, and half a dozen idiot-run newspapers. I use the same password for all the idiot newspapers: 111111. That password is for their page counts and advertising and has nothing whatever to do with my own security, I have no reason to worry about them. And I never forget my password. If somebody logs on to the Chicago Tribune using my password, why should I care? Requiring a password to read a newspaper is stupid.
Email and slashdot, of course, are a horse of a different color.
Safari and Chrome are the last two browsers I would expect (well second last) to have this sort of problems.
Re:My password manager is in my wallet (Score:5, Insightful)
Idiot-run newspapers are why bugmenot [bugmenot.com] was invented.
Re: (Score:2)
I have a couple of old web identities I've used for registration in the past, but now I just use bugmenot (http://www.bugmenot.com/) wherever I can to get into newspaper (et al) sites.
Re: (Score:2)
Maybe I should have said "pony of a different color!"
don't save passwords (Score:5, Insightful)
Putting passwords in your web browser isn't just like hiding your house keys under the doormat, it's like taping the keys of your house to the front door.
I don't keep full passwords on paper, nor do I use one of those password vault devices. Using truly random characters just means I have to write it down in full somewhere. I do have a text file that gives me *just* enough info that my mind can recall the password. For example, I might write "B`" and I recall that means "b1ZZare`" or I might use "W.P" to remember "To1.st0y". I know the rules I use to spell or punctuate words. I use different sorts of passwords for different tiers of security, from web forum, web merchant, web banking, private data, estate data, etc.
Re: (Score:2)
This is my scheme as well. It always seems to me to be blindingly obvious to do something like this, but it's never really mentioned anywhere.
Re: (Score:2)
I know the rules I use to spell or punctuate words.
It's a good job you never post examples of those rules in a public forum.
Re: (Score:2)
Re: (Score:2)
An even better solution is to put all your passwords into some kind of encrypted file, and memorize the password to that encrypted file. Then you can have a different long password for each service, random and invulnerable to dictionary attacks.
Just make it something where you have to copy/paste it manually rather than having your browser automatically fill it in. Then you're only vulnerable to phishing attacks, other social engineering, or someone getting ahold of your vault & vault password.
Re: (Score:2)
Why? (Score:5, Insightful)
I never understood the appeal of password managers. And they tend to be obnoxious, getting in your face until you disable them.
If I have a high security password, I'm not going to want to store it in a browser for two reasons: 1) Someone else with physical access to my machine has access to my stuff; 2) If I don't ever have to type my password, I'll often forget it.
For lower-security passwords, I, like many, simply use the same one that's easy to remember, and used for all those stupid forums and other lightweight places that make you register.
I've just never seen the need... It's definitely one of the most hyped up features that seems to have zero utility to me.
Re: (Score:2)
seems to have zero utility to me.
less than zero, since in some browsers it's even hard to disable. (konqueror!!!)
Storing passwords is dumb (Score:5, Insightful)
I've always thought storing passwords in your computer is dumb. (1) It makes it extremely easy for people to steal your PC or laptop and get into your sites. (2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were. (3) I think the safest place to store them is in your head.
ORLY? (Score:2)
(2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were.
I just restore ~/Library/Keychains from backup. Don't you keep backups?
Re: (Score:2)
Well it's actually 64 kbit/s, and it's a limitation of the bandwidth only being 4000 hertz wide. My challenge is to see if anyone knows how to get 128 kbit/s out of that narrowband channel.
Re: (Score:2)
Yes, but even then there's still room for growth. Digital v.90 or v.92 dialup modems operate at 8000 symbols/second, which means each symbol carries an 8-bit encoding. The challenge is to find a way to carry 16 bits per symbol, thereby doubling the rate.
MAJOR browser? (Score:5, Insightful)
How exactly is Chrome (which is backed by a major company) a major browser?
Re: (Score:2)
It is backed by a gigantic dotcom giant which is the de facto standard search tool. It is fairly safe to call it a major browser since the day it got shipped as non-beta.
Just put "Google Chrome" link to Google.com index, see what happens :)
Re: (Score:2)
Different passwords in different areas? (Score:4, Informative)
And that's a "trick" because...? Surely there are times when you want to have different passwords in different areas. I've got basic HTTP authentication on an admin area of one of my sites. From there I've then got a number of tools, at least one of which requires a separate login. There's situations like that where you want different passwords for different areas.
What annoys me with password managers at the moment is Firefox filling in too many passwords! If you record a password for one set of login forms and then go to any other page on the same domain with a password box with a text box just above it then Firefox blindly guesses that they're a login box (even if they're called "foo" and "bar" when you recorded the details for the fields "username" and "password"). That can really start to cock up some of your settings in things like phpBB's admin control panel if you don't notice what it has auto-filled.
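The two failure modes the thread raises, credentials handed to any subdomain (the $foo.amazon.com sketch earlier in the thread) and Firefox autofilling any text-plus-password pair on the same domain (the comment above), both come down to how loosely a password manager matches a saved login to a page. This added example, not code from any browser discussed here, shows a strict matching policy: exact origin (scheme, host, port) for both the page and the form's action, plus the field names recorded at save time. Function and type names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urljoin, urlsplit


@dataclass(frozen=True)
class SavedLogin:
    """What the manager stored when the user first saved the credential."""
    origin: str            # canonical scheme://host:port of the login page
    username_field: str    # form field names seen at save time
    password_field: str
    username: str


def canonical_origin(url: str) -> str:
    """Normalise a URL to scheme://host:port so comparisons are exact."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("absolute URL required")
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return f"{scheme}://{parts.hostname.lower()}:{port}"


def should_autofill(saved: SavedLogin, page_url: str, form_fields: List[str],
                    form_action: Optional[str] = None) -> bool:
    """Fill only when page, form target and field names all match the saved entry.

    Subdomains are not the same origin: a saved www.example.com login is never
    offered to a000001.example.com. A form that posts elsewhere is refused too.
    """
    if canonical_origin(page_url) != saved.origin:
        return False
    # A relative action resolves against the page; an absolute one stands alone.
    target = urljoin(page_url, form_action) if form_action else page_url
    if canonical_origin(target) != saved.origin:
        return False
    # Refuse to guess: both field names must be the ones recorded at save time.
    return (saved.username_field in form_fields
            and saved.password_field in form_fields)


if __name__ == "__main__":
    # Constructed demo entry, not a real credential.
    entry = SavedLogin("https://www.example.com:443", "username", "password", "alice")
    print(should_autofill(entry, "https://www.example.com/login",
                          ["username", "password"], "/do_login"))          # True
    print(should_autofill(entry, "https://a000001.example.com/login",
                          ["username", "password"]))                        # False
    print(should_autofill(entry, "https://www.example.com/admin",
                          ["foo", "bar"]))                                  # False
```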
All Password mangers suck (Score:3, Insightful)
Dumb sites requesting dumb passwords. (Score:2)
I avoid storing passwords in most sites, where I can remember them - I have a few "tiers" of passwords, the low-security, medium-security, high-security etc. Except some sites require "no punctuation characters" or "password must include at least 3 digits and at least 3 letters." or "password must be lowercase".
In these cases I make up something to match and let the password manager remember that. I don't care about these sites anyway, they usually suck - I just register with disposable email, grab the info
Depends on website. (Score:2)
For most sites I frequently visit (like /.) I don't care if somebody steals my account, logs in as me, and starts spewing crap.
For throwaway passwords on the above sites I like to use "ps -A |md5sum" I like it better then pwgen (don't ask why).
For my serious accounts (like banking) I keep it in my head.
Perfectly secure (Score:3, Funny)
I find Safari's password manager perfectly sec^H^HONLINE MEDS, CHEAP V1AGRA, NO PRESCRIPT1ON REQUIRED
Are you sure you have that right? (Score:2)
One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site.
Don't you mean "password managers can be tricked into submitting the same password credentials to different parts of the same Web site"?
Wordpress dashboard shows this flaw (Score:3, Interesting)
Re: (Score:2, Offtopic)
I can password back as fast as you can! I can password back as fast as you can!
Re: (Score:3, Insightful)
So Opera can't be better than Firefox or any other browser on certain aspect for what reason?
You should see my BS meter when I see someone at /. bitching about Opera, and I am not an Opera Desktop user; I use Safari with 1Password and I don't really know 99% of my passwords at all.
Re: (Score:2)
Is there any way to run it through the test (or Safari/Camino/whatever through the test while it uses 1Password)?
Re:Please! (Score:4, Informative)
Clear your saved passwords *for their site*:
Part 1: Delete all saved passwords for www.info-svc.com
Re: (Score:3, Insightful)
That's one solution. I began looking into separate password managers a year or two ago. The two solutions I found that looked the best, at the time, were KeePass [keepass.info], and Bruce Schneier's Password Safe [schneier.com].
Ultimately, though, I decided against either one. The problem with using something like that is that, now, I don't actually know the passwords for all of my accounts. If something goes wrong, or I just don't have access to the safe (like maybe I am away from home and forgot to bring my USB key along, or I'm using a co
Apple's Keychain? (Score:2)
I wish Firefox would use the Keychain, or I wish Camino would fix the bug where a laggy proxy locks the whole thing up for minutes at a time.
Re: (Score:2)
You could always have the cookies cleared when you close the browser. No cookies = no logged in sessions, and to log in you'll have to enter the master password before it autofills the form.