
Friday, June 01, 2007

Firefox 2 - Saved Password Security

Do you use the "Remember passwords for sites" feature in Firefox 2...? It sure is nice to not have to enter your password into those pesky "secure" sites out there like your Banking, E-mail, or other such sites...
It's also great that I don't even have to enable this feature; it just prompts me to start storing passwords after I start using Firefox for the first time! Firefox is great! So let's just assume that the 2nd most popular web browser is appropriately handling this extremely sensitive data.
Or should we...?
How simple could it be for someone to get access to these stored passwords...? As it turns out, using Firefox's default settings (which I'm sure MOST people are), it's EXTREMELY easy.
All a person needs to do to gain access to your stored passwords in Firefox, assuming that they have a moment's access to your workstation, is to perform the following steps:
  1. Click on Tools
  2. Select Options
  3. Click the Security Tab
  4. Click Saved Passwords
  5. Click Show Passwords
This handy-dandy feature supplies the user with a list of web site addresses, user names, and passwords (in PLAIN TEXT, no less!). This gives a potentially malicious user direct access to everything that they need to find and log into any sites that you have set up to "Remember my Password"! The worst part about all of this is that this is the DEFAULT behavior in Firefox!
This, in my humble opinion, is a huge security flaw in Firefox and I'm blown away by how easy it is for people to unknowingly expose their user names and passwords to anyone with a few seconds' access to their browser...
Posting this information is a double-edged sword. On one hand, it alerts potentially "malicious users" to a way to gain access to your passwords. That is not my intention. On the other hand, getting this information out to as many people as I can (and please help me in this effort) should allow you to protect yourself from this vulnerability.
So, how can I protect myself?
In Firefox
  • Disable the "Remember password for sites" feature or set up the "Use a master password" feature in Firefox! These can both be set up in the same place as the "Show Passwords" option listed above!
In General
  • Always lock your workstation when you walk away from it. I never assume that I can trust anyone with free access to my workstation, and I recommend that you do the same!
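
To check the first Firefox recommendation across many profiles without opening the Options dialog, the sketch below (an added example, not part of the original post) reads a profile's `prefs.js` and `user.js` text and reports whether password saving is still on. It assumes the checkbox is stored as the `signon.rememberSignons` preference; the sample file contents are constructed, and the script does not detect whether a master password is set.

```python
import re

# One preference line as written in a Firefox prefs.js / user.js file, e.g.
#   user_pref("signon.rememberSignons", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Assumption: this pref backs the "Remember passwords for sites" checkbox.
REMEMBER_PREF = "signon.rememberSignons"

# Constructed sample file contents (not taken from a real profile).
DEFAULT_PREFS = '# Mozilla User Preferences\nuser_pref("browser.startup.homepage", "about:blank");\n'
HARDENED_PREFS = DEFAULT_PREFS + 'user_pref("signon.rememberSignons", false);\n'
COMMENTED_OUT = DEFAULT_PREFS + '// user_pref("signon.rememberSignons", false);\n'


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # keep unrecognised values as text
    return prefs


def remembers_passwords(prefs_js, user_js=""):
    """True if the profile will still offer to save passwords.

    user.js is applied on top of prefs.js at startup, and a pref that is
    absent from both files keeps its default, which is "on".
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get(REMEMBER_PREF, True)


if __name__ == "__main__":
    for label, text in [("default", DEFAULT_PREFS), ("hardened", HARDENED_PREFS)]:
        print(label, "-> saves passwords:", remembers_passwords(text))
```

A profile where the preference never appears is reported as saving passwords, which matches the default behavior described above.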

1 comment:

Nickolas said...

Thanks Mr. Fox! :-P