
How Browsers Store Your Passwords (and Why You Shouldn't Let Them) - mnazim
http://raidersec.blogspot.in/2013/06/how-browsers-store-your-passwords-and.html
======
kamkha
From [http://www.chromium.org/Home/chromium-security/security-faq](http://www.chromium.org/Home/chromium-security/security-faq):

Why aren't physically-local attacks in Chrome's threat model?

 _People sometimes report that they can compromise Chrome by installing a
malicious DLL on a computer in a place where Chrome will find it and load it.
(See [https://code.google.com/p/chromium/issues/detail?id=130284](https://code.google.com/p/chromium/issues/detail?id=130284)
for one example.) People also sometimes report password disclosure using the
Inspect Element feature (see e.g.
[https://code.google.com/p/chromium/issues/detail?id=126398](https://code.google.com/p/chromium/issues/detail?id=126398)).

We consider these attacks outside Chrome's threat model, because there is no
way for Chrome (or any application) to defend against a malicious user who has
managed to log into your computer as you, or who can run software with the
privileges of your operating system user account. Such an attacker can modify
executables and DLLs, change environment variables like PATH, change
configuration files, read any data your user account owns, email it to
themselves, and so on. Such an attacker has total control over your computer,
and nothing Chrome can do would provide a serious guarantee of defense. This
problem is not special to Chrome — all applications must trust the
physically-local user._

------
mjschultz
Here is a recent discussion on chromium-dev about the password manager:
[https://groups.google.com/a/chromium.org/forum/#!searchin/ch...](https://groups.google.com/a/chromium.org/forum/#!searchin/chromium-dev/password/chromium-dev/r-HQ5vgeFYE/avzJ8kfvYOkJ)

Evidently, only 0.0085% of users toggle on the "Use a master password"

~~~
columbo
I think the percentage is interesting, but it adds nothing for either side of
the debate (either for or against). I'm not challenging you, I'm talking about
the people going back to that number in the thread you posted.

* I don't even know how to set up a master password and have never heard of the option being available in FF or Chrome. I also don't know what it does. Does it replace all password boxes with a master-password that you enter which then pulls down the appropriate password? Is it a keychain?

Saying "X people don't use this feature" could mean anything. It could mean
the feature is buried in the system, or that the feature isn't descriptive
enough, or that the feature is hard to understand... it doesn't default to
being "people clearly don't want that feature".

[*] I could research it, but I'm giving you my current uneducated opinion to
make a point.

~~~
jellicle
What's the problem? All you have to do is click on Edit, Preferences, Security,
Passwords, Use a Master Password.

Easy as pie.

~~~
itsnotlupus
Why, that's almost as easy as remembering the new number to dial emergency
services!

[http://www.youtube.com/watch?v=ab8GtuPdrUQ](http://www.youtube.com/watch?v=ab8GtuPdrUQ)

~~~
Dylan16807
How about I put it this way:

"All you have to do is go to password settings and click the button"

And you only have to go there once ever.

I think it's usually assumed users can navigate menus, because even if they
can't there's not much you can do to help them at this point.

~~~
jamesgeck0
Users can navigate menus. But given the out-of-the-way location of the "Use a
master password" checkbox, what percentage of Firefox's users even know of
its existence? It's likely pretty low.

~~~
anonymous
> out-of-the-way

It's right there in the security tab. TWO clicks.

1. open preferences

2. click on security

And it's RIGHT THERE. That's about as obvious as I can imagine it.

------
mikeleeorg
Also in Chrome:

Go to Settings -> Show advanced settings -> Manage saved passwords -> Click on
a "hidden" password -> Click on "Show" button -> Voila, password shown in
plain text

~~~
jwcrux
Absolutely! This functionality is present in most (if not all) browsers. The
goal of this post was to show how malware could automatically attempt to
extract all credentials.

However, that's certainly a good feature to mention!

~~~
a9entroy
But passwords are already available in plaintext. This fact alone means that
passwords are not exactly hidden from the logged in user.

As an analogy, say you have a house and you have a drawer where you keep all
your secret information. If you really want to keep the information secret,
then you shouldn't allow outside visitors inside your house. You could encrypt
the secret information to make it difficult for the attacker to read the
information. But he still has access to your drawer because you let him into
your house. The attacker can install a remote camera near your drawer to see
how you decrypt the information, or he can directly see the decrypted
plaintext.

So, don't allow anyone into your house.

------
uptown
One thing I've been meaning to test. Does Chrome's form-autofill (the thing
where it fills in as much of a form as it can when you specify an email
address) populate hidden fields if they match? If so, it seems like potential
for mischief to create some form inputs of type "hidden" or just some
visually-hidden form inputs using style sheets to capture more information
than a user is aware is being populated and submitted.

~~~
hayksaakian
No. Why would it do that.

~~~
ggreer
I assume a real attack wouldn't use <input type="hidden" />. Instead, you'd
style the input such that the user doesn't see it, but the browser thinks it's
visible. Extremely low opacity and/or an incredibly small size could do the
trick. To provoke the browser into autocompleting data, you might even be able
to use JavaScript to fake keystrokes in the stealth form inputs.

Front-end stuff is well outside my area of expertise, so I'm betting someone
already tried these ideas and now browsers protect against them.

------
jrochkind1
Chrome OSX stores in OSX keychain, out of the box. Which is a fairly secure
way to store passwords.

~~~
UnoriginalGuy
Let's assume for the sake of argument that we are running code on both a
Windows machine and an OS X machine, and trying to steal someone's browser
passwords.

While it is undeniable that the OSX keychain adds a roadblock to the theft,
many average users would happily enter their password if the box was displayed
when they ran up their browser (even if the browser wasn't the originating
process) and likely also fall for a fake keychain prompt.

I think the keychain is a good thing (just as it is in Android). Just wanted
to make the point that the keychain for your average non-power user is a minor
roadblock in theft, rather than a "real" security feature.

~~~
Corrado
Yes, but there is _nothing_ that a program can do to prevent the user from
hanging themselves. If an attacker has access to your hardware and user
session then they can do almost anything, and at the OS level too.

At least Chrome extends the supplied OS security features and doesn't try to
re-engineer them from scratch. This makes me more comfortable with Chrome
rather than less.

------
YellowRex
Other side of an airtight hatchway? For this to be at all relevant,
you've already got me running your binary with my user's permissions.

~~~
anonymfus
Or, for example, attacker stole your backup via vulnerability in your NAS. Or,
for example, some idiots share whole system volumes in e2k and Direct Connect
networks. Or even web:

[https://www.google.ru/search?client=opera&q=intitle:%22index...](https://www.google.ru/search?client=opera&q=intitle:%22index+of%22+wand.dat&sourceid=opera)

~~~
jarek
Just getting the file would not help you for the attack vectors shown in the
article for Chrome (need user account's CryptProtectData), IE-pre-10 (need
copy of registry keys + CryptProtectData), or IE 10 (need binary on user
account).

Firefox would appear to be vulnerable to that approach. Not sure about Opera's
wand.dat, probably vulnerable as well.

~~~
claudius
Opera allows you to set up a master password, if you want it. If you don’t
want it, you can copy around wand.dat as you like (even from your computer to
your phone!) and it just works. :)

------
dbbolton
Slightly off topic:

Why does Chrome, when the registration page includes both email and username
fields, only remember the email but then insert it into the username field
when you attempt to log in? I know some sites let you use the two
interchangeably to login, but doesn't this seem like a silly assumption on
Chrome's part? Why not remember both, and insert the username OR the email
depending on what the field is called?

------
DanBC
Google recently refused to give me access to my account when I'd lost the
password.

While it was intensely frustrating at the time I'm actually grateful that it
is so hard to get an account. I provided considerable amounts of information,
but it wasn't enough for them to hand it over.

Still, when I got access to my super secret hard copy of passwords, and loaded
Chrome onto a new machine, and signed into Google, I was a bit alarmed by just
how much stuff came back from them onto my local machine. I'm currently slowly
migrating to Yubikey and a nice password safe and better passwords for
everything.

------
aclevernickname
if I can channel RMS for a second; If you use Windows at this point, it's very
clear that you do not care about security as much as you care about
convenience. Whatever browser you attempt to put on top of that
backdoor/COFEE-infested nightmare matters almost as much as what bikini you
wear before jumping into a vat of acid.

That said, it's very good to know that Firefox is the safest of the three. If
I ever again have the misfortune of advising Windows users on the safest
browser to use, I will definitely let them know that it would take far longer
to compromise their passwords in Firefox (even hours longer!) than the other
browsers.

Myself, I'll stick to Firefox with the KWallet extension under Kubuntu.

------
betterunix
Passwords are a terrible way to authenticate people anyway. The sooner we
start using certificates and smartcards, the better.

~~~
blake8086
Aren't both of those a "something you have"?

~~~
betterunix
Technically, a smartcard is both something you have (the card) and something
you know (the PIN). Even if there were no PIN, smartcards are better than
passwords:

1. The public key stored by the server cannot be used for authentication.
That means that hacking a server will not give the attacker access to anything
beyond that server.

2. More randomness; there are no dictionary attacks on secret keys, and brute
force attacks are hard to mount.

3. Defense against phishing: the attacker cannot trick you into giving your
secret key, because the card does not export secret keys.

All of the above address the biggest problems we have with passwords right
now. You are not likely to be tortured for your card or your PIN, just like
you are not likely to be tortured for your password. Sure, smartcards come
with their own set of problems, like dealing with lost/stolen/destroyed cards;
yet these are not terribly hard to solve (banks are able to deal with
lost/stolen/destroyed credit cards). The benefits far outweigh the cost.
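
Points 1 and 3 of the comment above as a runnable sketch (an added example, not part of betterunix's comment): a server that stores only public keys and issues single-use challenges. The `Card` and `Server` classes, the Ed25519 choice, the origin binding and the `.example` names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Stand-in for a smartcard (hypothetical class): the private key stays inside.
class Card {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.publicKey = publicKey;   // handed to servers at enrolment
    this.privateKey = privateKey; // real hardware would make this non-exportable
  }
  // Assumption beyond the comment: the origin is signed along with the challenge.
  sign(origin, nonce) {
    return crypto.sign(null, Buffer.concat([Buffer.from(origin + '\0'), nonce]), this.privateKey);
  }
}

// Hypothetical server that stores nothing but public keys.
class Server {
  constructor(origin) {
    this.origin = origin;
    this.keys = new Map();    // user -> public key
    this.pending = new Map(); // user -> outstanding single-use challenge
  }
  enrol(user, publicKey) { this.keys.set(user, publicKey); }
  challenge(user) {
    const nonce = crypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, signature) {
    const nonce = this.pending.get(user);
    const key = this.keys.get(user);
    this.pending.delete(user); // a challenge is accepted at most once
    if (!nonce || !key) return false;
    const msg = Buffer.concat([Buffer.from(this.origin + '\0'), nonce]);
    return crypto.verify(null, msg, key, signature);
  }
}

function demo() {
  const card = new Card();
  const bank = new Server('https://bank.example');
  bank.enrol('alice', card.publicKey);
  const sig = card.sign(bank.origin, bank.challenge('alice'));
  const login = bank.verify('alice', sig);
  bank.challenge('alice');
  const replay = bank.verify('alice', sig); // captured signature, fresh challenge
  const thief = new Card(); // someone who copied bank.keys still lacks alice's key
  const breach = bank.verify('alice', thief.sign(bank.origin, bank.challenge('alice')));
  // A look-alike site relays the bank's challenge; the card signs the origin it sees.
  const phish = bank.verify('alice', card.sign('https://bank-login.example', bank.challenge('alice')));
  return { login, replay, breach, phish };
}
```

Only `login` comes back true; everything the server holds, and everything a captured exchange reveals, fails verification on the next challenge.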

------
sytelus
Chrome may be the most unsafe browser in the world just because of how it gives
away saved passwords in clear text with extreme ease. This is such a blatant
violation of trust with users that developers who implemented this and thought
this was OK shouldn't be allowed to work on anything related to security. They
did not understand the simple fact that most users of Chrome do not have a
clue about all these intricacies of software security. They use Chrome because
they trust it to keep them safe. When they save their passwords they don't get
any clear warning that many 7-year-olds can get all of their passwords in 30
seconds without installing or running any additional software on their
machine.

------
nnq
I don't get it, if there is malware on your computer you are compromised
anyway - it could just keylog to get the passwords... so why bother about how
secure is to get the stored passwords for a program running on the same
computer?

...if there was a remotely exploitable browser bug that would make the browser
leak them it would be a threat, but this post seems meaningless from a
security pov.

------
peripetylabs
Every browser seems to implement its own password management scheme. None of
them are as good as the same functionality that already exists in the
operating system. Browsers should request access to passwords from the OS when
needed, perhaps once per session.

------
saljam
I've been thinking about this (and the more general keychain problem)
recently. Wouldn't it make sense to have your keychain stored on your
smartphone, and allow applications access over a standard protocol using
NFC/USB/Bluetooth?

Better still, let the phone do the public key cryptography (as in plan9's
factotum), so that your private keys never leave your phone.

~~~
claudius
How is your phone inherently more secure than your computer?

------
graycat
His Web page commonly has 128 characters per line. So, on a 17" monitor, the
page is just unreadable.

~~~
jwcrux
Hi there! Sorry about the resolution issue.. I'm using Google's blogspot with
settings not adjusted too much (only widened a few things, etc.)

Any suggestions as to what I could do to help you read the content?

~~~
graycat
Thanks for your reply.

The situation is very common on the Web now. My 17" monitor is from NEC years
ago, is razor sharp and rock solid, and I see no great reason to take time out
to change from it. Besides, as another comment in this thread noted, laptops
also have relatively small screens! So do tablets and phones!

I know nothing about using Google's blogspot.

For the Web site I'm building, all screens are just 800 pixels wide, and all
my fonts are nice and large. So, on a big screen, could have a 'pile' of
dozens of such windows each offset a little, and on a small screen could still
see the full width easily without using horizontal scroll bars.

How'd I do that? I'm a beginner at HTML but just stuffed in 800 px some
places, and got 800 pixels. If in a browser I shrink a window to less than 800
pixels, then I get horizontal scroll bars.

Broadly it's easy to assume that it's reasonable to use lots of space
vertically and let the user do a vertical scroll but try to minimize space
used horizontally so that a user doesn't have to do a horizontal scroll just
to read the text.

In some cases, I just highlight the text, copy it to the clipboard, pull it
into my favorite editor, and flow the text to, say, 60 characters a line.

My view is, in reading, 40 characters per line has some advantages in eye
movement in reading, 60 characters per line is plenty, 72 is almost too many,
80 is about the upper limit, and over 100 is too often a problem and, really,
for easy eye movement in reading, too much.

Heck, even when newspapers had sheet sizes big enough to cover a table top,
they still kept way down the number of characters per line.

But I can't tell the world how to design Web pages. If some people want, say,
300 characters per line and 20 characters per inch on the screen horizontally,
then so be it.

~~~
jzwinck
Your web pages with fixed width of 800px may be fairly annoying to users with
high-DPI displays. Mac Retina displays are perhaps the most recent and well
known, but for years some people have had displays with DPI 50-200% higher
than "normal", and for these people, your 800px decision looks like handcuffs.
If you look back a dozen years you'll see a number of sites that instituted
fixed-pixel-width layouts, then abandoned the approach as people bought more
large, high-res displays.

P.S.: Yes, some operating systems and browsers now zoom in a way that this
doesn't matter so much, but not all, and not without downsides.

~~~
graycat
Thanks.

I don't know what to do about that yet.

If they have a way just to zoom my Web pages, then they will be okay.

But if they have a big screen with lots of pixels, then I don't want my Web
pages taking all of that screen. It's better for the UI/UX for my pages to
take less than the full screen so that my users can see some other screens
while using my site.

------
Shivetya
I use my browser's password store only for harmless profiles, like here and
other blogs. The issue I run into most is that a slight url variation, common
with webmail, toggles its asking to remember.

