
Safari and Chrome: Tied For the Worst Password Manager

CmdrTaco posted more than 5 years ago | from the remember-this dept.

Security 218

Startled Hippo writes "Safari and Chrome are tied for the worst password manager built into a major Web browser, according to a new study on the issue produced by Chapin Information Services. One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site. The bug has been fixed in Firefox, but Chrome and Safari are still vulnerable to this kind of attack."


users can be tricked too... (5, Funny)

Anonymous Coward | more than 5 years ago | (#26119627)

http://www.bash.org/?244321

I should get out more often... (5, Funny)

jonaskoelker (922170) | more than 5 years ago | (#26120189)

http://www.bash.org/?244321

I don't need to go there. I know the answer is "hunter2" (if you're the guy, I just copy-pasted the ***s from bash.org, that's why it shows up as hunter2 on your screen).

Is that a sign I should get out more often? ;)

Re:users can be tricked too... (4, Funny)

Tim99 (984437) | more than 5 years ago | (#26120281)

You insensitive clod. My password is Shift8Shift8Shift8Shift8Shift8Shift8Shift8 So now everyone knows it.

Please! (-1)

Anonymous Coward | more than 5 years ago | (#26119639)

Read the title before frontpaging it, man!

Re:Please! (1, Offtopic)

FredFredrickson (1177871) | more than 5 years ago | (#26119763)

I'm the password man, the password man, I'm the password man, the password man.

I can password back as fast as you can! I can password back as fast as you can!

Re:Please! (1, Redundant)

BrokenHalo (565198) | more than 5 years ago | (#26120041)

Incidentally, has anyone actually tried out the "Password Manager Evaluator v2.0" link from the FA with any other browsers? The author(s) claim Opera comes closest to addressing their criteria, which automatically sent the needle of my bullshitometer climbing. I was about to run it with Firefox but stopped at stage 1 where it told me to clear my existing saved passwords, and I didn't want to do that.

Not that I save any of my high-value passwords at all, but I still manage to accumulate others that I would otherwise forget...

Re:Please! (2, Insightful)

Ilgaz (86384) | more than 5 years ago | (#26120335)

So Opera can't be better than Firefox or any other browser on a certain aspect for what reason?

You should see my BS meter when I see someone at /. bitch about Opera, and I am not an Opera Desktop user; I use Safari with 1Password and I don't really know 99% of my passwords at all.

Re:Please! (1)

ubrgeek (679399) | more than 5 years ago | (#26120805)

Amen. 1Password is great (and seems to keep coming up at discount prices at Maczot, MUPromo, etc.) Now, the iPhone version seems to need work. And by "needs work" I mean "I can't seem to figure out the damn thing" ;)

Is there any way to run it through the test (or Safari/Camino/Whatever through the test while it uses 1Password)?

Re:Please! (3, Informative)

Spad (470073) | more than 5 years ago | (#26120569)

Clear your saved passwords *for their site*:

Part 1: Delete all saved passwords for www.info-svc.com

Re:Please! (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#26120639)

Try the tool again: it only asks to remove the passwords for the site the tool is running from. No need to remove all your passwords. I ran the thing without removing any passwords. I guess you would need to do some removing if you wanted to run it more than once for the same browser.

Aha! (5, Funny)

fbish (1429251) | more than 5 years ago | (#26119641)

Luckikly, all my passwords are exactly the same, so I'm fine.

Re:Aha! (5, Funny)

fbish (1429251) | more than 5 years ago | (#26119781)

Luckily, I also cannot spell.

Re:Aha! (4, Funny)

Yvan256 (722131) | more than 5 years ago | (#26119879)

"exactly the same" is a bit strange for a password, isn't it?

Re:Aha! (0)

Anonymous Coward | more than 5 years ago | (#26119973)

Mod password strength +2 for being strange without having numbers, capitals and symbols in it. Nobody will ever guess it!

Re:Aha! (2, Informative)

Poltras (680608) | more than 5 years ago | (#26120063)

Space is technically a symbol when talking about password strength. </pedantry>

Re:Aha! (1)

MightyYar (622222) | more than 5 years ago | (#26120241)

Make sure you encode your password with a high enough bit rate or the symbols won't sound right. I use "--preset extreme" in LAME.

Re:Aha! (1)

poopdeville (841677) | more than 5 years ago | (#26120759)

Password-space is a set, not a symbol.

Re:Aha! (1)

theaveng (1243528) | more than 5 years ago | (#26120247)

I think my old, ex-password is rather strange: "physicsastronomylover" - dates all the way back to my first BBS in 1987. My two favorite subjects in school.

Re:Aha! (0)

Anonymous Coward | more than 5 years ago | (#26120395)

I think my old, ex-password is rather strange: "physicsastronomylover" - dates all the way back to my first BBS in 1987. My two favorite subjects in school.

Dork!

Re:Aha! (4, Funny)

genner (694963) | more than 5 years ago | (#26120507)

"exactly the same" is a bit strange for a password, isn't it?

No, it's perfect. If you get torchered you'll be screaming that all your passwords are exactly the same and your captors will be clueless as to why they can't break you.

Re:Aha! (3, Funny)

deroby (568773) | more than 5 years ago | (#26120731)

Some years ago we used to have a stand-alone machine for testing using a local account. As most members of the team needed to be able to log on to it now and then, I came up with "just leave it empty" as a password. Whenever someone forgot and had to ask for it, we simply would yell across the floor: that password? Just leave it empty! Those who 'knew' remembered then and were able to log in. Others who had overheard it and wanted to use our mega-powerful machine tried logging in using a blank password, but were stumped to find out they couldn't..
Aaahh, all the fun one can have in the office =)

Re:Aha! (1)

rockout (1039072) | more than 5 years ago | (#26120957)

Am I the only one who, at first, read that as "if you get torched"?

I was very confused, for a moment, as to why someone who was lit on fire would be screaming their passwords.

I Use A Mac... (5, Funny)

Telephone Sanitizer (989116) | more than 5 years ago | (#26119671)

...So I'm safe, right? ;-)

Re:I Use A Mac... (5, Informative)

goombah99 (560566) | more than 5 years ago | (#26119715)

Macs do get credit for putting the passwords where they belong: in a centralized password keychain. Firefox rolls its own separate password manager. At various times Firefox's keychain has been found to be insecure, and it's separate from your other keychains. There's no simple keychain browser interface like the centralized keychain protection system Safari uses.

If you want to encrypt or hide or transport all your passwords it's easy in safari but hard in firefox since how it's done changes.

Re:I Use A Mac... (5, Interesting)

Jugalator (259273) | more than 5 years ago | (#26119771)

Isn't it time Firefox supported the Mac Keychain [mozilla.org] ? :-/

Re:I Use A Mac... (0, Flamebait)

Ilgaz (86384) | more than 5 years ago | (#26120369)

It shouldn't support Mac Keychain, just as it didn't support ColorSync for years. It should never, ever ship with a Spotlight indexer either.

You know, they hate such system wide, free to use, documented OS X features. The OS X Firefox should never be better with more features than Windows or (God forbid) Linux Firefox.

Re:I Use A Mac... (1)

argiedot (1035754) | more than 5 years ago | (#26120423)

Funny you should say that. Linux Firefox is awful compared to how it is on Windows at least. And it doesn't support Gnome Keyring or KDE Wallet either.

Re:I Use A Mac... (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26119825)

Yeah, relatively - OS X stores passwords in a proper way: in the central "Keychain", to which you may only get access by supplying your user credentials. Does your Linux or Windows have anything like that? No? Trolling failed, then, you Linux/Windows luser of ignoramus stance.

On that note, it should be time for Firefox to finally start making use of this great feature.

Re:I Use A Mac... (3, Informative)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26119895)

Both gnome and KDE have had centralized password management as a standard feature for some time. I don't know whether they predate or postdate the OSX implementation; but they are there.

Windows is an ambiguous case. As best I understand it, MS decided not to implement a flexible system for centralized storage of third party passwords because they wanted everybody to use their .NET Passport authentication, which would interact, through IE, with the windows authentication system. Luckily, the "All your base are belong to Microsoft" theory of authentication largely fell flat, so Passport is only used on a few sites, mostly MS's own properties, so Windows essentially has no centralized credentials mechanism that is of real world use. The sophistication of their mechanism, in environments it was designed for (MS monoculture), should not be underestimated.

Re:I Use A Mac... (2, Informative)

BrokenHalo (565198) | more than 5 years ago | (#26120093)

Does your Linux or Windows have anything like that? No? Trolling failed, then, you Linux/Windows luser of ignoramus stance.

I have no idea about Windows, but there are several such applications available for Linux or any other unices.

For Gnome users, there is Gnome Keyring, and I believe the equivalent for KDE is KDE Wallet. I dare say there are others I haven't heard of.

Re:I Use A Mac... (1, Interesting)

Shin-LaC (1333529) | more than 5 years ago | (#26120621)

If there are "several" such applications, doesn't that in fact mean that there is no single centralized password manager, like the (trollish) GP surmised? Or is it the case that, when you run a KDE application on a mainly-Gnome system, it gets passwords from the Gnome Keyring, and vice versa?

Missing department (3, Insightful)

Atti K. (1169503) | more than 5 years ago | (#26119673)

"from the avoid-saving-passwords dept." ???

Re:Missing department (0)

Anonymous Coward | more than 5 years ago | (#26119729)

"from the avoid-saving-passwords dept." ???

No - "from the im-still-not-awake dept.

Re:Missing department (1)

hardburn (141468) | more than 5 years ago | (#26120267)

A good password manager is potentially better than trying to remember passwords. Excepting Rain Man-style savants (who often have severe cognitive difficulties in other ways), a computer can remember more unique passwords than any human. Could you memorize a unique, strong, truly random password of at least 8 chars for every site you've ever visited?

There are indeed implementation problems that make this less secure than it could be, but even a naive implementation that stores the passwords in plaintext is better than trying to remember a few passwords and using them across multiple sites.

From the hash-based-passwords dept.? (1)

jonaskoelker (922170) | more than 5 years ago | (#26120271)

I think the "real" solution, if you want good password security, is to use the following scheme:

pwd = hash(master_secret || site_id || site_counter).

That is, use as a password the hash value of your master password, something that identifies the site you're logging in at (say, "slashdot" for everything at slashdot.org), and a generation counter such that if your slashdot password gets stolen you can make a new one without changing your master password (and without changing password on your ~gazillion accounts).

There's a firefox plugin which does something like this, at http://crypto.stanford.edu/PwdHash/ [stanford.edu] . It has the advantage that it doesn't require you to store any information [except your master password in your brain], and so you can compute your password on a friend's computer by visiting their webpage.

I think a solution based on this idea provides the best combination of usability and security. Note that you can of course still use different master passwords for different sites if you want.
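The derivation sketched in the post above, worked through in Python as an added example (this is not code from the thread, from PwdHash or from any other project). Assumptions that are not in the original: HMAC-SHA256 keyed with the master secret stands in for the bare hash, so the master secret acts as a key rather than as hashed data; the site_id is the URL's host with a leading "www." stripped; the output is trimmed to a fixed length and its last four characters are forced to cover the character classes sites usually demand.

```python
"""Site-specific password derivation in the style of
pwd = hash(master_secret || site_id || site_counter).

Added example; not code from the thread, from PwdHash or from passwordmaker.
Assumptions not in the original: HMAC-SHA256 keyed with the master secret
stands in for the bare hash; the site_id is the URL's host with a leading
"www." stripped; the output is trimmed to a fixed length and the last four
characters are forced to cover the character classes sites usually demand.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

UPPER = "ABCDEFGHJKLMNPQRSTUVWXYZ"   # no I/O, to avoid confusion with 1/0
LOWER = "abcdefghijkmnopqrstuvwxyz"  # no l
DIGIT = "23456789"
SYMBOL = "!@#$%^&*-_+="


def site_id_from_url(url: str) -> str:
    """Reduce a URL to the identifier every page of the site shares.

    Simplification: only a leading "www." is stripped.  A real tool should
    map to the registrable domain using the public suffix list.  Keeping the
    rest of the host means 'a000001.amazon.com' and 'www.amazon.com' get
    different passwords, which is the safe direction.
    """
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def derive_password(master_secret: str, site_id: str, counter: int = 0,
                    length: int = 16) -> str:
    """Deterministic per-site password; bump `counter` to rotate one site."""
    if not 8 <= length <= 40:
        raise ValueError("length must be between 8 and 40")
    # NUL-separate the inputs so ("ab", 1) and ("a", "b1") cannot collide.
    msg = site_id.encode() + b"\x00" + str(counter).encode()
    digest = hmac.new(master_secret.encode(), msg, hashlib.sha256).digest()
    # urlsafe base64 of 32 bytes is 43 characters once padding is dropped.
    body = base64.urlsafe_b64encode(digest).decode().rstrip("=")[: length - 4]
    # One character from each class, chosen by the last digest bytes, so a
    # site's "must contain a digit and a symbol" rule is always satisfied.
    tail = "".join(cls[b % len(cls)]
                   for cls, b in zip((UPPER, LOWER, DIGIT, SYMBOL), digest[-4:]))
    return body + tail


def meets_policy(password: str) -> bool:
    """True when the password holds an upper, a lower, a digit and a symbol."""
    return (any(c.isupper() for c in password) and any(c.islower() for c in password)
            and any(c.isdigit() for c in password) and any(c in SYMBOL for c in password))


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed for the demo
    for url in ("https://www.slashdot.org/", "https://amazon.com/",
                "https://www.slashdot.org/comments.pl"):
        sid = site_id_from_url(url)
        print(f"{url:40} -> {sid:15} {derive_password(master, sid)}")
    print("rotated:", derive_password(master, "slashdot.org", counter=1))
```

Two properties are worth checking when you build something like this: the same master secret and site must always give the same password (otherwise you lock yourself out), and changing only the counter or only the site must give an unrelated one. Note that with a fast hash the master secret is exposed to offline guessing by anyone who captures one derived password; a slow KDF such as PBKDF2 or scrypt in place of the HMAC would raise that cost.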

Re:From the hash-based-passwords dept.? (1)

deroby (568773) | more than 5 years ago | (#26120789)

sounds a lot like this plugin : http://passwordmaker.org/ [passwordmaker.org]

(off course, that's only based on your explanation and the little I know about how passwordmaker works. This being slashdot I clearly didn't read the website you refer too, nor the help that came with passwordmaker, no siree !)

Re:Missing department (1)

Ilgaz (86384) | more than 5 years ago | (#26120415)

I have 780 random passwords, of which the very high risk ones change weekly automatically thanks to 1Password, which integrates with all native OS X browsers and Firefox.

Firefox developers should get a trial of it to see what they miss by not using system keychain. Opera too. In fact, Opera supported the keychain and switched to Wand.dat for no reason.

Re:Missing department (2, Insightful)

maxume (22995) | more than 5 years ago | (#26120499)

It seems more correct to say that your computer has 780 random passwords.

Why focus on Chrome? (5, Insightful)

myxiplx (906307) | more than 5 years ago | (#26119691)

To be honest, when the best browser is only scoring 7/21 they *all* need some work. Focusing on Chrome just means you're ignoring the bigger picture.

Re:Why focus on Chrome? (5, Insightful)

tomknight (190939) | more than 5 years ago | (#26119759)

You're assuming that the metric used by this company/person actually means something...

Re:Why focus on Chrome? (5, Funny)

liquidpele (663430) | more than 5 years ago | (#26119957)

I rated Firefox 23.7 mushrooms.

Re:Why focus on Chrome? (0)

Anonymous Coward | more than 5 years ago | (#26120695)

Whoa, really? I'm switching right now, IE is only 18.4 mushrooms.

Re:Why focus on Chrome? (1, Informative)

Anonymous Coward | more than 5 years ago | (#26120149)

A quick googling of Chapin Information Services (no quotes) will give the following article:

http://www.info-svc.com/news/11-21-2006/

It took this company/group/person 2 years to go from one scary result in Firefox to quantified results in 3 browsers. While the threat is valid, I would take the metrics with a grain of salt.

Never use password managers (4, Interesting)

thetoadwarrior (1268702) | more than 5 years ago | (#26119697)

If you can't remember your password then write it on paper and hide it. Putting it on your computer, especially your Windows PC, is asking for someone to take it.

Even if they aren't in clear text the downside to using a password manager is everyone's passwords will be in the same place and in the same format. It's easy pickings.

Re:Never use password managers (4, Insightful)

skeeto (1138903) | more than 5 years ago | (#26119971)

It depends on the account type.

Yeah, don't let the browser store your bank and e-mail passwords.

But your /. account, where logins are done in plaintext rather than https? Go for it. As soon as you log in wirelessly you have broadcast your password to the world anyway. The password manager is not the weak link here.

Plus, you know, it's only your /. account, not your life savings. The consequences for losing the password are small, so shifting the trade-off towards convenience will be more reasonable.

Re:Never use password managers (0)

Anonymous Coward | more than 5 years ago | (#26120629)

Hey! Stop using my account. And change the password back.

Re:Never use password managers (1)

Kz (4332) | more than 5 years ago | (#26120823)

let the cookies keep you logged in /. and other non-sensitive accounts.

for everything else, use your own passwords and type them with your own fingers.

Re:Never use password managers (1)

clone53421 (1310749) | more than 5 years ago | (#26120975)

The cookie is sent via HTTP and it's just as vulnerable as the password. Seems to me we just recently heard about a GMail attack that worked by this exact method...

Re:Never use password managers (2, Insightful)

tomknight (190939) | more than 5 years ago | (#26120981)

Hmm... could someone use your /. account to commit a crime in your name?

Think:
* Libel
* "Possessing information of use to a terrorist organisation"
* "Inciting racial hatred"
Not sure about US laws, but you can't say whatever you like in the UK...

Of course the same goes for newspaper sites that let people leave comments etc.

Re:Never use password managers (1)

maxume (22995) | more than 5 years ago | (#26120077)

Something like Keepass or Password Safe provides decent middle ground; the encryption is reliable enough that someone taking the file isn't a big deal, and if you are worried about malware stealing the passwords while they are decrypted, then you shouldn't be using that password on that computer anyway.

Re:Never use password managers (4, Interesting)

yttrstein (891553) | more than 5 years ago | (#26120191)

First place a local black hat looks? Under keyboards. One of the things it's fun to do with new clients is to walk around their offices and grab every password slip you can find. All the usual places -- under keyboards, in the desk drawer next to the pens, on the back of a monitor facing a cube wall.. And this one is my favorite:

In a desk drawer but fastened to the underside of the desk surface. Very clever.

Re:Never use password managers (2, Informative)

thetoadwarrior (1268702) | more than 5 years ago | (#26120255)

Work is a public area. It'd be silly to leave passwords anywhere other than in your wallet in that instance.

And if you leave that lying around I think you should be more worried about card numbers being pinched.

Re:Never use password managers (1)

Ogive17 (691899) | more than 5 years ago | (#26120561)

I know people will cringe, but I've got all my PWs written down and taped to the bottom of my desktop calculator. I have 7 different log ins for various programs/systems that all seem to have different PW requirements. Hell if I can remember them over a long weekend especially when they are all on different reset calendars.

I realize it's stupid to have the PWs accessible so near my computer.. but at least now I have a laptop and take it home with me every evening.. so unless someone finds my hidden PWs then steals my laptop there isn't much worry.

Plus if I croak suddenly they can get into my stuff easier...

Re:Never use password managers (1)

MightyYar (622222) | more than 5 years ago | (#26120305)

I used to put mine on the front of the monitor, facing straight out so I could read it without too much effort.

Re:Never use password managers (5, Funny)

poopdeville (841677) | more than 5 years ago | (#26120809)

I often leave notes for desk-Nazis like you: "e@t_a_d1ck" or "Stop looking under my keyboard, asshole"

Re:Never use password managers (3, Insightful)

Paradigm_Complex (968558) | more than 5 years ago | (#26120213)

A few months back I did some computer help for someone who had all his passwords in post-it notes stuck around his monitor. I still remember some of them today.

Don't put your password on your windows computer, or on your windows computer. Both are easy pickings.

master password? (1)

wondershit (1231886) | more than 5 years ago | (#26120687)

I use Opera and there you have the ability to provide a master password. I'm sure Firefox has this feature too. (But I have to admit that due to Opera's proprietary nature I don't know whether the passwords are actually encrypted or not.)

For me a password manager is just a matter of convenience. I know all my passwords but I hate typing in my credentials every time I have to log in somewhere. So I just enter one password at the beginning of the session and have them all.

But I think you are right when it comes to the really important passwords. Everything with money for example I always type in myself (bank account or eBay or stuff like that).

Before someone asks (5, Informative)

Opportunist (166417) | more than 5 years ago | (#26119721)

"How can this be exploited" when some subtree member of a domain can read credentials that should only be given to the top level member, read http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug [linuxjournal.com] .

To save the others the hassle, allow me to sketch something. It's trivial to get the domain a000001.amazon.com under your control. It is, believe me, if you don't, just read it up. Well, maybe not exactly a0000001... but something to the quality of $foo.amazon.com can easily be made to point back to a webpage you control.

Next, create a page for the internet's most sought-after resource: pr0n. Do like the missionaries, spread the word; unlike them you have ICQ and spam at your disposal to get people to visit your page. On this page, refer to $foo.amazon.com

Then have $foo.amazon.com ask for the credentials.

It's not so much that the threat of hijacking a "real" domain name (i.e. amazon.com itself) is too big after a few ISPs toughened their DNS lookups when the patches didn't come quickly. Few ISPs are left that are actually vulnerable to having their caches completely rewritten. Subdomains can still be hijacked (even after the half-assed patch we got lately), and in combination with browsers that send credentials to whatever subdomain, it's a serious security problem.
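What decides whether the $foo.amazon.com trick above gets anything is the rule the password manager uses to match a saved login to the page asking for it. The following is an added example, not code from the thread or from any browser, comparing a domain-suffix rule with strict origin matching; the vault contents and URLs are constructed for the illustration, and `registrable_domain` is a two-label stand-in for a public suffix list lookup.

```python
"""Which saved logins a password manager would hand to a page, under two
matching rules.  Added example; not code from the thread or from any browser.
The vault contents and URLs are constructed for the illustration, and
registrable_domain() is a two-label stand-in for a public-suffix-list lookup.

  loose_match  - offer the login on any host under the same registrable
                 domain (a000001.amazon.com receives the www.amazon.com
                 password, which is the leak the post above describes);
  strict_match - offer it only when scheme, host and port all equal the
                 origin the login was saved on.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


@dataclass(frozen=True)
class SavedLogin:
    origin: str      # e.g. "https://www.amazon.com"
    username: str
    password: str


def origin_of(url: str) -> str:
    """Normalise to scheme://host:port so implicit and explicit ports compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORT.get(scheme)
    return f"{scheme}://{host}:{port}"


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels.  Wrong for co.uk-style suffixes; a
    # real implementation must consult the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def loose_match(saved: SavedLogin, page_url: str) -> bool:
    saved_host = urlsplit(saved.origin).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    return registrable_domain(saved_host) == registrable_domain(page_host)


def strict_match(saved: SavedLogin, page_url: str) -> bool:
    return origin_of(saved.origin) == origin_of(page_url)


def logins_offered(vault, page_url, policy):
    """Logins the manager would offer to fill on `page_url` under `policy`."""
    return [s for s in vault if policy(s, page_url)]


if __name__ == "__main__":
    vault = [SavedLogin("https://www.amazon.com", "alice", "hunter2")]
    for url in ("https://www.amazon.com/ap/signin",
                "https://a000001.amazon.com/login",   # attacker-controlled subdomain
                "http://www.amazon.com/login",        # same host, plaintext
                "https://amazon.com.evil.example/"):  # lookalike, different domain
        print(f"{url:40} loose={bool(logins_offered(vault, url, loose_match))} "
              f"strict={bool(logins_offered(vault, url, strict_match))}")
```

Strict origin matching also refuses to fill a saved https login into an http page on the same host, which closes the downgrade variant of the same attack. The cost is usability: www.amazon.com and amazon.com become separate entries, which is the trade-off a manager has to make explicitly rather than by accident.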

Is this really worth noting? (5, Insightful)

tomknight (190939) | more than 5 years ago | (#26119735)

"Chapin Information Services."

Who??

Seriously, this looks like a typical "storm in a teacup to get people to take me seriously as a security researcher" notification.

Who here really lets any password manager save any password they care about? I have Opera save details for systems that don't matter, everything else I just remember.

Check out the website for more information about this astounding company.

Re:Is this really worth noting? (1)

Spad (470073) | more than 5 years ago | (#26119817)

I thought *everyone* knew who Chapin Information Services was - you must be really out of the loop.

Re:Is this really worth noting? (4, Insightful)

qoncept (599709) | more than 5 years ago | (#26119995)

Who here really lets any password manager save any password they care about?

I do. And I bet at least one other person does.

Re:Is this really worth noting? (0)

Anonymous Coward | more than 5 years ago | (#26120443)

Jared,
You really ought to be more careful about that sort of thing!

Re:Is this really worth noting? (0)

Anonymous Coward | more than 5 years ago | (#26120475)

I let my PM store *all* my passwords, including my banking passwords. I haven't been hacked/phished all these years and I hope I won't be in the future. I try to stay up-to-date with browser vulnerabilities and I run my own router, with software written by the company I work for and modified by me. Good luck getting past that.

Re:Is this really worth noting? (4, Funny)

tomknight (190939) | more than 5 years ago | (#26120515)

I can see why you post anonymously!

Re:Is this really worth noting? (1)

Kz (4332) | more than 5 years ago | (#26120833)

Who here really lets any password manager save any password they care about?

I do. And I bet at least one other person does.

then you're getting what you asked for.

trust no one with your passwords.

Password Men (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26119741)

I find that Korean password men are particularly effective, probably due to Korean school and memorization techniques.

My password man right now is a 15 year old Korean boy who memorizes a new 25 character user name and password combination for each site I use.

My password manager is in my wallet (2, Insightful)

mcgrew (92797) | more than 5 years ago | (#26119743)

I don't do commerce online, so the only passwords I need are two email accounts, slashdot, and half a dozen idiot-run newspapers. I use the same password for all the idiot newspapers: 111111. That password is for their page counts and advertising and has nothing whatever to do with my own security, I have no reason to worry about them. And I never forget my password. If somebody logs on to the Chicago Tribune using my password, why should I care? Requiring a password to read a newspaper is stupid.

Email and slashdot, of course, are a horse of a different color.

Safari and Chrome are the last two browsers I would expect (well, second last) to have this sort of problem.

Re:My password manager is in my wallet (1)

M-RES (653754) | more than 5 years ago | (#26120135)

Email and slashdot, of course, are a horse of a different color.

Invisible Pink Unicorn perchance?

Re:My password manager is in my wallet (1)

mcgrew (92797) | more than 5 years ago | (#26120567)

Maybe I should have said "pony of a different color!"

Re:My password manager is in my wallet (0)

Anonymous Coward | more than 5 years ago | (#26120813)

If it's invisible, how can you tell it's pink? Or for that matter a unicorn?

Re:My password manager is in my wallet (4, Insightful)

clone53421 (1310749) | more than 5 years ago | (#26120641)

Idiot-run newspapers are why bugmenot [bugmenot.com] was invented.

don't save passwords (4, Insightful)

Speare (84249) | more than 5 years ago | (#26119823)

Putting passwords in your web browser isn't just like hiding your house keys under the doormat, it's like taping the keys of your house to the front door.

I don't keep full passwords on paper, nor do I use one of those password vault devices. Using truly random characters just means I have to write it down in full somewhere. I do have a text file that gives me *just* enough info that my mind can recall the password. For example, I might write "B`" and I recall that means "b1ZZare`" or I might use "W.P" to remember "To1.st0y". I know the rules I use to spell or punctuate words. I use different sorts of passwords for different tiers of security, from web forum, web merchant, web banking, private data, estate data, etc.

Re:don't save passwords (1)

elcid73 (599126) | more than 5 years ago | (#26120605)

This is my scheme as well. It always seems to me to be blindingly obvious to do something like this, but it's never really mentioned anywhere.

I admit it is security through obscurity, but... (0)

Anonymous Coward | more than 5 years ago | (#26119909)

I keep my passwords online but where people don't think to look. On you tube of all places!

http://www.youtube.com/watch?v=ebSspdgm70E [youtube.com]

Why? (4, Insightful)

PhotoGuy (189467) | more than 5 years ago | (#26119923)

I never understood the appeal of password managers. And they tend to be obnoxious, getting in your face until you disable them.

If I have a high security password, I'm not going to want to store it in a browser for two reasons: 1) Someone else with physical access to my machine has access to my stuff; 2) If I don't ever have to type my password, I'll often forget it.

For lower-security passwords, I, like many, simply use the same one that's easy to remember, and used for all those stupid forums and other lightweight places that make you register.

I've just never seen the need... It's definitely one of the most hyped up features that seems to have zero utility to me.

Re:Why? (0)

Anonymous Coward | more than 5 years ago | (#26120179)

Hah,

At work my password manager is storing just over 300 passwords to various things. Some I don't use very often.

There is just no way I can remember all that off the top of my head.

Also, before it is asked, with many of them I am unable to find a better solution than a password. Unfortunately not all of us are able to control all the systems we use.

Re:Why? (1)

Kz (4332) | more than 5 years ago | (#26120913)

seems to have zero utility to me.

less than zero, since in some browsers it's even hard to disable. (konqueror!!!)

I don't think this applies to real HTTP passwords. (0)

victim (30647) | more than 5 years ago | (#26119937)

Reading the article, this doesn't seem to be about real HTTP authentication passwords, but rather about the interaction of form autofilling and fields that an application might consider to be a password. (Like slashdot uses.)

Granted, somewhere the HTTP standards committee failed the community making ad hoc form based passwords more common than real authentication. I suspect the lack of a "logout" concept has a lot to do with that, though designers' desire to spread their "look and feel" over all elements also contributes.

If you use HTTP authentication this does not apply. If you use <input type=password ...> then, yeah, autofillers may autofill.

They... (1)

XPeter (1429763) | more than 5 years ago | (#26119949)

Are also tied for the worst browsers :)

Storing passwords is dumb (4, Insightful)

theaveng (1243528) | more than 5 years ago | (#26120033)

I've always thought storing passwords in your computer is dumb. (1) It makes it extremely easy for people to steal your PC or laptop and get into your sites. (2) If something happens to require a complete reinstall, the passwords are all lost and you have no clue what they were. (3) I think the safest place to store them is in your head.

Re:Storing passwords is dumb (1)

maxume (22995) | more than 5 years ago | (#26120583)

The safety of the storage isn't always the only, or the most important, consideration. Storing strong passwords in your wallet is probably better overall security than storing weak passwords in your head.

Also, it might help your ENGINEERING CHALLENGE to know that the 56kbps limit is the telco equipment, not the modem:

http://en.wikipedia.org/wiki/Modem#Using_digital_lines_and_PCM_.28V.90.2F92.29 [wikipedia.org]

(DSL works by using different equipment...)

Re:Storing passwords is dumb (1)

theaveng (1243528) | more than 5 years ago | (#26120825)

Well it's actually 64 kbit/s, and it's a limitation of the bandwidth only being 4000 hertz wide. My challenge is to see if anyone knows how to get 128 kbit/s out of that narrowband channel.

Re:Storing passwords is dumb (1)

maxume (22995) | more than 5 years ago | (#26120961)

You are asking for a little bit more than a faster modem, you are asking for current information theory to be discarded (perhaps you know this, perhaps you don't).

( http://en.wikipedia.org/wiki/Shannon_limit [wikipedia.org] )

MAJOR browser? (4, Insightful)

jedie (546466) | more than 5 years ago | (#26120037)

How exactly is Chrome (which is backed by a major company) a major browser?

Re:MAJOR browser? (2, Informative)

Jeoh (1393645) | more than 5 years ago | (#26120099)

It's in the top five (IE, FF, Safari, Chrome, Opera).

Re:MAJOR browser? (0)

Anonymous Coward | more than 5 years ago | (#26120611)

It's in the top five (IE, FF, Safari, Chrome, Opera).

Yeah, but there's a pretty substantial drop-off after the first two.

Re:MAJOR browser? (1)

Ilgaz (86384) | more than 5 years ago | (#26120277)

It is backed by a gigantic dotcom giant which is the de facto standard search tool. It is fairly safe to call it a major browser since the day it shipped as non-beta.

Just put "Google Chrome" link to Google.com index, see what happens :)

Re:MAJOR browser? (0)

Anonymous Coward | more than 5 years ago | (#26120609)

Just put "Google Chrome" link to Google.com index, see what happens :)

So elinks is a major browser?

Different passwords in different areas? (3, Informative)

IBBoard (1128019) | more than 5 years ago | (#26120039)

One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site.

And that's a "trick" because...? Surely there are times when you want to have different passwords in different areas. I've got basic HTTP authentication on an admin area of one of my sites. From there I've then got a number of tools, at least one of which requires a separate login. There's situations like that where you want different passwords for different areas.

What annoys me with password managers at the moment is Firefox filling in too many passwords! If you record a password for one set of login forms and then go to any other page on the same domain with a password box with a text box just above it, then Firefox blindly guesses that they're a login box (even if they're called "foo" and "bar" when you recorded the details for the fields "username" and "password"). That can really start to cock up some of your settings in things like phpBB's admin control panel if you don't notice what it has auto-filled.
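The over-filling IBBoard describes, and the "different parts of the same site" scoping issue from the summary, come down to what a saved login is keyed on. The following is an added example (not code from the thread, Firefox, or Chapin's tests) contrasting a host-only autofill heuristic with one that also checks origin, form action path and field names; the `SavedLogin`/`Form` types, `lax_match`/`strict_match` functions, and the `forum.example` forms are all constructed for illustration.

```python
"""Added example: host-only autofill over-fills; stricter matching does not.
All URLs, field names and credentials here are constructed sample data."""
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit


@dataclass(frozen=True)
class SavedLogin:
    origin: str        # scheme://host[:port] the login was saved on
    action_path: str   # path the login form submitted to
    user_field: str    # name of the username input when saved
    pass_field: str    # name of the password input when saved
    username: str
    password: str


@dataclass(frozen=True)
class Form:
    page_url: str
    action: str        # absolute or relative form action
    fields: tuple      # (name, input type) pairs in document order


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def _action_path(form: Form) -> str:
    # Resolve a relative action against the page URL, keep only the path.
    return urlsplit(urljoin(form.page_url, form.action)).path


def lax_match(store, form):
    """Host-only heuristic: any text input directly followed by a password
    input on the same host is treated as a login form and filled."""
    host = urlsplit(form.page_url).hostname
    for i in range(len(form.fields) - 1):
        (n1, t1), (n2, t2) = form.fields[i], form.fields[i + 1]
        if t1 == "text" and t2 == "password":
            for s in store:
                if urlsplit(s.origin).hostname == host:
                    return {n1: s.username, n2: s.password}
    return None


def strict_match(store, form):
    """Fill only when origin, action path and field names all match the
    form the credential was originally saved from."""
    names = {n for n, _ in form.fields}
    for s in store:
        if (s.origin == _origin(form.page_url)
                and s.action_path == _action_path(form)
                and {s.user_field, s.pass_field} <= names):
            return {s.user_field: s.username, s.pass_field: s.password}
    return None


# Constructed sample data: one saved forum login.
STORE = [SavedLogin("https://forum.example", "/login.php",
                    "username", "password", "alice", "correct horse")]

# The real login form, and an admin settings form on the same host whose
# "foo"/"bar" inputs merely happen to be a text box above a password box.
LOGIN_FORM = Form("https://forum.example/login.php", "login.php",
                  (("username", "text"), ("password", "password")))
ADMIN_FORM = Form("https://forum.example/adm/index.php", "index.php",
                  (("foo", "text"), ("bar", "password"), ("smtp_host", "text")))

if __name__ == "__main__":
    print("lax, admin form:   ", lax_match(STORE, ADMIN_FORM))     # fills it
    print("strict, admin form:", strict_match(STORE, ADMIN_FORM))  # None
    print("strict, login form:", strict_match(STORE, LOGIN_FORM))  # fills it
```

The lax policy silently writes the saved credential into the admin settings form, which is exactly the phpBB complaint above; the strict policy still fills the genuine login form but leaves the settings page alone, and because the key includes the action path it also cannot be coaxed into sending a credential saved for one path to a form that submits elsewhere on the same host.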

Why? (1)

pronik (468721) | more than 5 years ago | (#26120105)

Why are the passwords stored in the browser? If we need some on-PC storage it should be a completely separate service which browser could kindly ask for a password. Do the job right and do it just once.

Re:Why? (2, Insightful)

JSBiff (87824) | more than 5 years ago | (#26120505)

That's one solution. I began looking into separate password managers a year or two ago. The two solutions I found looked the best, at the time, were KeePass [keepass.info] and Bruce Schneier's Password Safe [schneier.com].

Ultimately, though, I decided against either one. The problem with using something like that is that, now, I don't actually know the passwords for all of my accounts. If something goes wrong, or I just don't have access to the safe (like maybe I am away from home and forgot to bring my USB key along, or I'm using a computer which I don't want to stick the key into, because the key might get infected with some virus/trojan if I stick it into a public PC, or maybe there is malware on the PC which, once I've unlocked the password safe, grabs all the account/password info), I can't get into my accounts.

The real, true, ultimate problem isn't that people need a password safe. It's that people need fewer accounts/passwords. We need something like OpenId to become more widespread. Now, you probably wouldn't use OpenId (or some analog) for very sensitive accounts like bank/paypal/amazon.com/etc, but how many times have you been to a site where you wanted to post in a forum, or add a comment to a blog, but then you were confronted with being forced to register an account? On the one hand, that might cut down on spam/noise/trolls (or it might not; if you are a troll or spammer, you just register an account without worrying about ever using it again, so you don't care what the password is or if you remember it), but it also cuts down, I'm sure, on worthwhile posts because people can't be bothered to try to remember yet another password (or they just end up using a very small number of passwords everywhere).

I wish more sites used OpenId. Seems like only a very small minority of sites I've visited offer that as an option.

I have to agree with the tags... (0, Redundant)

multimediavt (965608) | more than 5 years ago | (#26120127)

Don't usually agree with some of the tags put on articles lately, but this one I do. "Canthackthebrain" and "useyourmemory" pretty much sum up my reaction to this post and the whole password thing in general. Your brain is the best place to store passwords, especially those that are used regularly. I have four or five strong passwords that I use on a regular basis, for different purposes. I used to use a password manager in the browser to keep track of them, but that quickly became a flawed strategy. Remembering four or five password and username combinations is not that difficult if you use them on at least a monthly basis. I have long known the cognitive principles behind memory, with a primary one being, in essence: use it or lose it! The best way to remember something is to apply that stored information regularly.

I use phrases with numbers and special characters in them to replace certain letters. These are either phrases from literature, songs or movie lines that I liked. I use four or five of them and rotate between them for a couple years, then up and change them all with a new set and use those for a couple years. I just found myself more comfortable typing in my passwords (once anyway, multiple times in a session gets rough...patch day!), than relying on a single master password that was often longer than the one needed for the particular login.

Use your brain! It's the safest place to keep a password, and it helps keep your memory abilities sharp. Now, where did I put my effing car keys?!?!

All Password managers suck (3, Insightful)

Big Hairy Ian (1155547) | more than 5 years ago | (#26120233)

One thing that really pisses me off about just about every browser is being asked if I want it to remember my password. I mean honestly do people really trust Internet Explorer or Firefox to store their valuable passwords in a massively secure way? Call me Mr Paranoid if you like but I don't trust anything that stores more than a hash.

PasswordMaker to the rescue (0)

dfdashh (1060546) | more than 5 years ago | (#26120237)

I use PasswordMaker [sourceforge.net] for my password stuff. I don't really see password management as the browser's job anyway. Convenience can be an issue with this, but fortunately there is a plugin [mozilla.org] for Firefox that helps.

Kender (1)

Kender1 (866541) | more than 5 years ago | (#26120269)

Apparently not all of their tests test the security for your stored passwords. I completed the test with Firefox. It failed 8 of the tests. But I did not even have the password remember function active.

Chapin Information Services (0)

Anonymous Coward | more than 5 years ago | (#26120503)

I love Chapin. They are the best ever, and I pay attention to everything they say. I particularly enjoy their Data Entry services that they rendered to Unified Natural Gas group way back in 1994. Wow, they were doing like 1000 words per minute!

And then they ran RoboNet BBS! Amazing!

I look to Chapin for all security analysis. I love Chapin. And they have those great songs, too! "If I could save time in a bottle/I'd drink until I turned into poo/And if I could sing/A little ding ding/I'm sure that you'd go achoo"...

Why don't cookies get a master password, too?! (1)

eyal0 (912653) | more than 5 years ago | (#26120509)

A neat feature of the password manager is that you can use a master password. Without a master password, a trojan horse running on your system can steal all your passwords.

How come there is no master password to protect the cookies? Nowadays as most sites remember who I am in a cookie, a cookie seems just as useful as a password. Did no one else figure this out or did I get it wrong?

Re:Why don't cookies get a master password, too?! (1)

clone53421 (1310749) | more than 5 years ago | (#26120725)

You could always have the cookies cleared when you close the browser. No cookies = no logged in sessions, and to log in you'll have to enter the master password before it autofills the form.

Dumb sites requesting dumb passwords. (1)

SharpFang (651121) | more than 5 years ago | (#26120729)

I avoid storing passwords for most sites, where I can remember them - I have a few "tiers" of passwords: low-security, medium-security, high-security, etc. Except some sites require "no punctuation characters" or "password must include at least 3 digits and at least 3 letters" or "password must be lowercase".
In these cases I make up something to match and let the password manager remember that. I don't care about these sites anyway, they usually suck - I just register with a disposable email, grab the info I need and never return.

Depends on website. (1)

B5_geek (638928) | more than 5 years ago | (#26120911)

For most sites I frequently visit (like /.) I don't care if somebody steals my account, logs in as me, and starts spewing crap.

For throwaway passwords on the above sites I like to use "ps -A | md5sum". I like it better than pwgen (don't ask why).

For my serious accounts (like banking) I keep it in my head.
