Security Basics mailing list archives

Re: How [not] to Secure Your Browser's Saved Passwords


From: Alexander Klimov <alserkli () inbox ru>
Date: Thu, 10 Sep 2009 14:40:10 +0300 (IDT)

On Tue, 1 Sep 2009, Ali, Saqib wrote:
I personally think storing passwords in the browser is a bad idea. It
is very un-secure even with the Master password.[...]

There are two other far more secure options for saving and
auto-filling the user credentials:

1) Use the system's built-in Trusted Platform Module (TPM) for credential
management.[...]

2) Use a Host-proof-hosting (HTH) web based password vaulting system
e.g. Passpack. These are cloud enabled password vaulting system that
can be accessed from any browser and also support one-click logon
(i.e. auto-fill).

Every time someone says that something is "un-secure" you need to ask
him: "What is your threat model?"

A reasonable threat model contains
 (1) laptop theft while it is offline;
 (2) trojan software.

Using a secure master password in your browser you get protection
against (1), but no protection against (2). With the alternatives you
mentioned you get the same: with strong passwords you get protection
against (1), but no protection against (2) -- every web password will
be intercepted the first time you use it. If the systems are
equivalent security-wise, it is reasonable to use the one that is
simpler, and I guess storing passwords with the browser's built-in
mechanism is obviously simpler. In addition to complexity, there is an
issue of trust: I personally believe FF authors are less likely to
screw up security than vendors of TPM or HTH.

That is, using the browser's built-in mechanism for password storage
is as secure as you can get.

-- 
Regards,
ASK
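The post's threat (1), an offline thief who has the stored credential file but not the master password, is the case a master password actually addresses. The following added example (not part of the thread, and not how Firefox or any other browser implements its store) models that protection with Python's standard library only: the master password is stretched with PBKDF2-HMAC-SHA256, the vault is encrypted with an HMAC-SHA256 counter-mode keystream and authenticated with an HMAC tag (encrypt-then-MAC). The iteration count and the sample credentials are constructed assumptions. Note what it does not show: once `unlock_vault` has run, the plaintext is in process memory, which is exactly the post's threat (2), where no storage scheme helps.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

# Assumption for this example: iteration count chosen to slow offline guessing
# against a stolen vault file; real products tune this to their hardware.
PBKDF2_ITERATIONS = 200_000


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 used as a PRF.
    Each vault gets a fresh random nonce, so a keystream is never reused."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def lock_vault(master_password: str, credentials: Dict[str, str]) -> Dict[str, str]:
    """Encrypt and authenticate the credential map for storage on disk.
    Everything returned here is safe to write to a file an attacker may steal."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(credentials).encode("utf-8")
    ciphertext = _xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def unlock_vault(master_password: str, stored: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the plaintext credentials, or None when the master password is
    wrong or the stored blob was modified. After this returns, the secrets are
    in memory: threat (2) from the post, a trojan on the live host, is out of scope."""
    salt, nonce = bytes.fromhex(stored["salt"]), bytes.fromhex(stored["nonce"])
    ciphertext, tag = bytes.fromhex(stored["ciphertext"]), bytes.fromhex(stored["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = _xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample credentials; the hostname is a placeholder.
    vault = lock_vault("correct horse battery", {"example.test": "alice:s3cret"})
    # What a laptop thief sees on disk: salt, nonce, ciphertext and tag, no secrets.
    print("on disk:", vault)
    print("wrong master password ->", unlock_vault("letmein", vault))
    print("right master password ->", unlock_vault("correct horse battery", vault))
```

Tampering with the stored blob is rejected before any decryption happens because the tag is checked first; a wrong master password fails the same way, so the file discloses neither the passwords nor whether a guess was close.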
