Security Basics mailing list archives
How [not] to Secure Your Browser's Saved Passwords
From: "Ali, Saqib" <docbook.xml () gmail com>
Date: Tue, 1 Sep 2009 19:18:28 -0700
Gina Trapani of Lifehacker wrote a small piece on how to save passwords for websites in Firefox and secure it using a master password:
http://blogs.harvardbusiness.org/trapani/2009/09/how-to-secure-your-browsers-sa.html

I personally think storing passwords in the browser is a bad idea. It is very un-secure even with the Master password. In fact, I have my Firefox set to automatically clear history (including passwords and session cookies) every time I close Firefox.

There are two other far more secure options for saving and auto-filling the user credentials:

1) Use the system's built-in Trusted Platform Module (TPM) for credential management. Most popular laptops ship with a TPM Management Suite that supports credential management as well; OR

2) Use a Host-proof-hosting (HTH) web based password vaulting system, e.g. Passpack. These are cloud enabled password vaulting systems that can be accessed from any browser and also support one-click logon (i.e. auto-fill). One key benefit of HTH vaulting systems is that the password hosting server only holds the encrypted passwords, and not the decryption key. The decryption key never leaves the client browser. All encryption/decryption of passwords happens in the client browser, and only the encrypted password is sent to the hosting server. This way even if the actual hosting server is sitting in the Harvard Square, no one can get to my passwords - in a reasonable time-frame.

I personally use TPM based credential management for non-web based stuff, and for web-site credentials, I use Passpack, which enables me to get to my passwords from any browser, in a secure fashion.

Your thoughts? Do you think saving passwords in a browser is safe and secure?
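The host-proof hosting model described in the message above, sketched as an added example that is not part of the original post and is not Passpack's code or API. The function names, the in-memory `serverStore`, the PBKDF2 iteration count and the use of Node's `crypto` module in place of a browser are all assumptions made for illustration.

```javascript
// Added illustration of host-proof hosting; not Passpack's code or API.
const nodeCrypto = require("node:crypto");

const KDF_ITERATIONS = 200000; // constructed value for this example
const serverStore = new Map(); // hypothetical stand-in for the hosting server

// Client only: stretch the master passphrase into a 256-bit vault key.
// Neither the passphrase nor this key is ever placed in an upload.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, KDF_ITERATIONS, 32, "sha256");
}

// Client only: encrypt one credential. The site label is authenticated (AAD)
// so a server cannot swap ciphertexts between sites without detection.
function sealEntry(passphrase, site, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(site, "utf8"));
  const ct = Buffer.concat([cipher.update(password, "utf8"), cipher.final()]);
  return { site, salt, iv, ct, tag: cipher.getAuthTag() };
}

// Client only: decrypt a downloaded blob; throws if the passphrase is wrong
// or any stored field was modified.
function openEntry(passphrase, blob) {
  const key = deriveKey(passphrase, blob.salt);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.iv);
  decipher.setAAD(Buffer.from(blob.site, "utf8"));
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString("utf8");
}

// "Network" boundary: only the sealed blob crosses it.
function upload(blob) { serverStore.set(blob.site, blob); }
function download(site) { return serverStore.get(site); }

// Everything someone with full access to the server can read for one site.
function serverView(site) {
  const b = serverStore.get(site);
  return Buffer.concat([Buffer.from(b.site), b.salt, b.iv, b.ct, b.tag]);
}
```

The strength of the master passphrase still bounds the protection, since anyone who holds the stored blob can attempt offline guesses against it.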
Current thread:
- How [not] to Secure Your Browser's Saved Passwords Ali, Saqib (Sep 02)
- Re: How [not] to Secure Your Browser's Saved Passwords Alexander Klimov (Sep 11)