Firefox default "saved passwords list"


Post by ayu »

You know that shiny "remember password" function in Firefox?

Don't use it if you know what's good for you.

The older version of it is just a txt file with the username and password encoded in base64.
And then the newer version (>=3.0, don't know about 4.0) just stores it encrypted in an SQLite database in the profile folder, without a password for default use (and we all know that 99.9% of regular users keep default settings), meaning that you can just steal the database and open it (or just put it in your own profile folder for Firefox), and steal the usernames and passwords of a user, if you have access to the machine that is.

Some people think that a "keyring" is a good defense against keyloggers, which in a sense is true, but then you have to make sure that no one can get into the damn keyring.
"The best place to hide a tree, is in a forest"
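
A defender's check for the point made in the post above, added here as an example and not part of the original post: the saved logins are only as protected as the files that hold them, so this Python audit reports which credential files exist in a profile and whether other local accounts can read them. The file names come from general knowledge of Firefox profiles, the function names are hypothetical, POSIX permission bits are assumed and ACLs are ignored; it does not tell you whether a master password is set.

```python
import os
import stat

# Names Firefox has used for saved logins and their key databases
# (general knowledge of Firefox profiles, not taken from the post).
CREDENTIAL_FILES = (
    "signons.txt", "signons2.txt", "signons3.txt",  # old text stores
    "signons.sqlite", "key3.db",                    # SQLite store + key DB
    "logins.json", "key4.db",                       # later releases
)

def audit_profile(profile_dir):
    """Report credential files in a profile and who else can reach them."""
    dir_mode = stat.S_IMODE(os.stat(profile_dir).st_mode)
    # Without search (x) permission on the directory, other unprivileged
    # users cannot open files inside it, whatever the file modes are.
    dir_open = bool(dir_mode & (stat.S_IXGRP | stat.S_IXOTH))
    files = []
    for name in CREDENTIAL_FILES:
        path = os.path.join(profile_dir, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        others_read = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
        others_write = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
        files.append({
            "file": name,
            "mode": oct(mode),
            "others_write": others_write,
            # Exposed = another local account can copy the file as-is.
            "exposed": dir_open and others_read,
        })
    return {"dir_mode": oct(dir_mode), "dir_open": dir_open, "files": files}

if __name__ == "__main__":
    import sys
    # Usage: python audit.py /path/to/profile (path supplied by the user)
    report = audit_profile(sys.argv[1])
    print("profile dir mode:", report["dir_mode"])
    for entry in report["files"]:
        flag = "EXPOSED" if entry["exposed"] else "ok"
        print(f'{entry["file"]:16} {entry["mode"]:>6} {flag}')
```

Parent directories matter too: a home directory without group/other search permission blocks access even when the profile itself is open.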

Re: Firefox default "saved passwords list"

Post by ph0bYx »

I use 'remember password' for a few sites, but I also use a master password... Am I in danger, too? :-k

Re: Firefox default "saved passwords list"

Post by ayu »

ph0bYx wrote: I use 'remember password' for a few sites, but I also use a master password... Am I in danger, too? :-k

Well, at least you are not in immediate danger, I would think. I haven't yet tried to crack a master password, but I guess it all depends on the strength of your password, really.
"The best place to hide a tree, is in a forest"

Re: Firefox default "saved passwords list"

Post by TheScottyTurner »

Wow, thanks for the info!! That thing saves my life lol, I'm not too good at remembering my passwords lol. Is it a big enough problem that you'd recommend not to use it?

Re: Firefox default "saved passwords list"

Post by ayu »

TheScottyTurner wrote: Wow, thanks for the info!! That thing saves my life lol, I'm not too good at remembering my passwords lol. Is it a big enough problem that you'd recommend not to use it?

I can't really say that I have encountered any malware that has used it.
I think it's more dangerous if it's an aimed threat against a specific target (person/organization).
I know this from my own experience, since I wrote a backdoor a few days ago that exploits this to find passwords on a specific victim's machine.

But yeah of course, if used "properly" it could become an even bigger threat to a bigger base of users.
"The best place to hide a tree, is in a forest"

Re: Firefox default "saved passwords list"

Post by Raz0r »

cats wrote: I think it's more dangerous if it's an aimed threat against a specific target (person/organization).
Are there other ways to protect your browser other than to disable saved passwords on Firefox? Would an intrusion detection program detect this, but mmm... depends on the attack method. Thanks for the info.
I can use all the shells, so now I can finally hear the ocean
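
On the intrusion-detection question above, added here as an example and not part of the thread: file-access auditing can flag any program other than the browser opening the credential store. The log lines are constructed in auditd's record layout (abbreviated), and the allowed executable paths, the file-name list and the function names are assumptions.

```python
import os
import re

# Credential-store file names to watch (general Firefox knowledge).
CRED_FILES = {"signons.sqlite", "key3.db", "logins.json", "key4.db"}
# Executables expected to open the store (assumed install paths).
ALLOWED_EXES = {"/usr/lib/firefox/firefox", "/usr/bin/firefox"}

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records, abbreviated from auditd's layout.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1295372000.101:5001): syscall=2 success=yes pid=2210 uid=1000 exe="/usr/lib/firefox/firefox" key="ff-creds"
type=PATH msg=audit(1295372000.101:5001): item=0 name="/home/alice/.mozilla/firefox/ab12cd34.default/signons.sqlite"
type=SYSCALL msg=audit(1295372007.330:5002): syscall=2 success=yes pid=2377 uid=1000 exe="/usr/bin/python2.7" key="ff-creds"
type=PATH msg=audit(1295372007.330:5002): item=0 name="/home/alice/.mozilla/firefox/ab12cd34.default/key3.db"
type=SYSCALL msg=audit(1295372019.512:5003): syscall=2 success=yes pid=2381 uid=1001 exe="/bin/cp" key="ff-creds"
type=PATH msg=audit(1295372019.512:5003): item=0 name="/home/alice/.mozilla/firefox/ab12cd34.default/signons.sqlite"
type=SYSCALL msg=audit(1295372025.044:5004): syscall=2 success=yes pid=2390 uid=1000 exe="/usr/bin/vim" key="home-watch"
type=PATH msg=audit(1295372025.044:5004): item=0 name="/home/alice/notes.txt"
'''

def parse_events(log_text):
    """Group records by audit event id into {'exe', 'pid', 'uid', 'paths'}."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events.setdefault(m.group(1), {"paths": []})
        if fields.get("type") == "SYSCALL":
            ev.update(exe=fields.get("exe"), pid=fields.get("pid"),
                      uid=fields.get("uid"))
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return events

def suspicious_accesses(log_text):
    """Return (event_id, exe, paths) where a non-browser touched the store."""
    alerts = []
    for event_id, ev in parse_events(log_text).items():
        hits = [p for p in ev["paths"] if os.path.basename(p) in CRED_FILES]
        # An event with no SYSCALL record has exe=None and is also flagged.
        if hits and ev.get("exe") not in ALLOWED_EXES:
            alerts.append((event_id, ev.get("exe"), hits))
    return alerts
```

Backup and sync tools that legitimately read the profile would need to be added to the allowlist, otherwise they alert on every run.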

Re: Firefox default "saved passwords list"

Post by trickb0x »

A good alternative for this (which would work with more than just Firefox) is a password manager such as KeePass (KeePassX for Linux) which stores ALL of your passwords in an encrypted file. You use one master password to access all of them and it's easy to put on a flash drive and take wherever you are.

Re: Firefox default "saved passwords list"

Post by Pong18 »

trickb0x wrote: A good alternative for this (which would work with more than just Firefox) is a password manager such as KeePass (KeePassX for Linux) which stores ALL of your passwords in an encrypted file. You use one master password to access all of them and it's easy to put on a flash drive and take wherever you are.
Thanks, trick, for including something for nux. How about Seahorse 2.32.0? What do you think about it?

Re: Firefox default "saved passwords list"

Post by lykos »

You can also use Firefox in conjunction with a fingerprint scanner to enter passwords.


~[Lykos]~

Re: Firefox default "saved passwords list"

Post by ayu »

lykos wrote: You can also use Firefox in conjunction with a fingerprint scanner to enter passwords.


~[Lykos]~
That is actually a pretty interesting topic for debate

http://appliedlife.blogspot.com/2007/04/why-biometrics-can-be-bad-identifiers.html
"The best place to hide a tree, is in a forest"

Re: Firefox default "saved passwords list"

Post by lykos »

It works extremely well. And it's fairly easy to set up. Although it is a single point of failure if someone defeats the fingerprint scanning aspect.


~[Lykos]~

Re: Firefox default "saved passwords list"

Post by ayu »

lykos wrote: It works extremely well. And it's fairly easy to set up. Although it is a single point of failure if someone defeats the fingerprint scanning aspect.


~[Lykos]~
Agreed.

It can be dangerous though, since you are more likely to get physical injuries that way ^^ (i.e. someone chops your fingers off or pokes your eyes out).

So far having the password safely stored in the brain is pretty safe, since we haven't succeeded in really extracting much information from there yet ^^
"The best place to hide a tree, is in a forest"

Re: Firefox default "saved passwords list"

Post by lykos »

Hopefully my finger doesn't get cut off and my eyes don't get poked out ^^


~[Lykos]~

Re: Firefox default "saved passwords list"

Post by hpprinter100 »

http://www.slashgear.com/sony-mofiria-f ... d-0232716/

Hard to fool O:)

Re: Firefox default "saved passwords list"

Post by z3r0aCc3Ss »

You can use the KeyScrambler program. 99% protection against keylogging.
Beta tester for major RATs, all kinds of stealers and keyloggers.
Learning NMAP
