funsec mailing list archives
How [not] to Secure Your Browser's Saved Passwords
From: "Ali, Saqib" <docbook.xml () gmail com>
Date: Tue, 1 Sep 2009 19:15:34 -0700
Gina Trapani of Lifehacker wrote a small piece on how to save passwords for websites in Firefox and secure it using a master password:
http://blogs.harvardbusiness.org/trapani/2009/09/how-to-secure-your-browsers-sa.html

I personally think storing passwords in the browser is a bad idea. It is very un-secure even with the Master password. In fact, I have my Firefox set to automatically clear history (including passwords and session cookies) every time I close Firefox.

There are two other far more secure options for saving and auto-filling the user credentials:

1) Use the system's built-in Trusted Platform Module (TPM) for credential management. Most popular laptops ship with a TPM Management Suite that supports credential management as well; OR

2) Use a Host-proof-hosting (HTH) web based password vaulting system, e.g. Passpack. These are cloud enabled password vaulting systems that can be accessed from any browser and also support one-click logon (i.e. auto-fill). One key benefit of HTH vaulting systems is that the password hosting server only holds the encrypted passwords, and not the decryption key. The decryption key never leaves the client browser. All encryption/decryption of passwords happens in the client browser, and only the encrypted password is sent to the hosting server. This way even if the actual hosting server is sitting in the Harvard Square, no one can get to my passwords - in a reasonable time-frame.

I personally use TPM based credential management for non-web based stuff, and for web-site credentials, I use Passpack, which enables me to get to my passwords from any browser, in a secure fashion.

Your thoughts? Do you think saving passwords in a browser is safe and secure?

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
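
The host-proof-hosting split described in the message above, as an added example that is not part of the original post and is not Passpack's code. It assumes scrypt for key derivation and AES-256-GCM for encryption, uses Node's crypto module to stand in for the browser, and the VaultServer class and all sample values are hypothetical.

```javascript
const crypto = require('node:crypto');

// Client side: derive the vault key from the master password.
// The key exists only in client memory and is never uploaded.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32);
}

// Client side: encrypt one credential before it is sent to the server.
function sealEntry(key, site, password) {
  const iv = crypto.randomBytes(12); // fresh nonce per record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(site)); // bind the ciphertext to its site label
  const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  return { site, iv: iv.toString('base64'), ct: ct.toString('base64'),
           tag: cipher.getAuthTag().toString('base64') };
}

// Client side: decrypt; throws if the key is wrong or the record was altered.
function openEntry(key, rec) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(rec.iv, 'base64'));
  d.setAAD(Buffer.from(rec.site));
  d.setAuthTag(Buffer.from(rec.tag, 'base64'));
  return Buffer.concat([d.update(Buffer.from(rec.ct, 'base64')), d.final()]).toString('utf8');
}

// Hypothetical hosting server: stores what it is sent and holds no key.
class VaultServer {
  constructor() { this.rows = new Map(); }
  put(user, salt, rec) { this.rows.set(user + '|' + rec.site, { salt, rec }); }
  get(user, site) { return this.rows.get(user + '|' + site); }
  dump() { return JSON.stringify([...this.rows.values()]); } // full server-side view
}

function demo() {
  const server = new VaultServer();
  const salt = crypto.randomBytes(16).toString('base64');
  const key = deriveKey('constructed master passphrase', salt); // constructed sample
  server.put('alice', salt, sealEntry(key, 'example.com', 'constructed-site-password'));
  // Later, from any browser: fetch the record, re-derive the key, decrypt locally.
  const row = server.get('alice', 'example.com');
  const recovered = openEntry(deriveKey('constructed master passphrase', row.salt), row.rec);
  let wrongKeyRejected = false;
  try { openEntry(deriveKey('wrong guess', row.salt), row.rec); } catch (e) { wrongKeyRejected = true; }
  return { recovered, wrongKeyRejected,
           leaked: server.dump().includes('constructed-site-password') };
}
```

In this sketch the site label is stored unencrypted, so the server still learns which sites the user has accounts on; only the password itself is opaque to it.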