I finally got around to updating to Firefox 3 yesterday. With all the new features being touted around the web, I was hoping that they would have gotten around to addressing my biggest pet-peeve with the browser. It seems that they didn't! You can read my original post about this issue HERE. Firefox 2 - Saved Password Security.
I'm sure you are diligent about security. Every time you get up to take a walk, hit the restroom or refill your <Insert the caffeinated beverage of your choice>, you always hit [Windows + L] to lock windows. You then leave your system, secure in the knowledge that all your secrets are safe and secure while you're away. What's that?!? You NEVER lock your computer when away from it...? If this is you, and you use Firefox as your main browser, this post might be of great interest.
When you install Firefox and log into a web site, such as MySpace, you might get a popup asking if you would like Firefox to save your password for you. What a great idea. If I let Firefox remember my passwords, I wont have to remember and enter them every time I visit a site. Handy! Better yet, this feature is turned on by default. Thanks Firefox. I, like most of you, probably just assume that my passwords are being handled securely and continue using Firefox for months adding more and more passwords to Firefox for my favorite sites as I go.
How secure are my saved passwords in Firefox 3?
In Firefox 3, it looks something like this.
You try to sign into your favorite Social Network. MySpace in this case.
Firefox is so helpful. Sure! Remember my MySpace password.
What exactly happens with my MySpace passwords in Firefox 3? They're secure, right? You can click [Tools > Options > Security (Tab) > Saved Passwords] to find out.
Well, Well. What do we have here? The URL to the web site and my username. Seems harmless enough. But what's this? A [Show Passwords] button? Lets click it and see what happens...
Gulp. There it is. Everything that someone would need to log into my MySpace account. The site address, my username, and my password in PLAIN TEXT! Anyone with about 20 seconds alone with your computer could easily get this information for themselves.
Try it for yourself and see just how scary it is when you see all the passwords for your banking accounts, your E-Trade account, etc. Better yet, walk your friends and co-workers through this on their own workstations and see the shock on their faces when they see their PLAIN TEXT passwords visible to the world in 3 easy steps that take 10 seconds to perform. I've gotten some pretty startled expressions showing people this.
I definitely think that Firefox should have the Master Password functionality enabled by default and should show the user a warning the first time they try to save a password. It seems like such an innocent thing, but having access to passwords in Plain Text is bad in my opinion.
How to protect yourself
Option 1. Turn off the "Remember passwords for sites" feature on the Tools > Options > Security Tab
Option 2. You can actually protect yourself from this flaw pretty easily, but it makes the feature a tad-bit more annoying. There is a "Use a master password" checkbox on the Security Tab too. If you check this box, you will be required to supply a password to be able to view saved passwords, or before you can use them to log into any web sites. Definitely worth it in my opinion even if the chance of someone having access to your workstation is slim.
Option 3. You should really consider locking your workstation when you are away from it anyway. If this isn't a habit that you already have, its really not that hard to start now. Just press the [Windows Key + L] to lock windows before you leave your computer.
Disclaimer
I'm always torn about writing about this kind of thing. Most of you will use the information to protect yourself, your friends and your co-workers. If nothing else, I've always felt that it is better to be aware of something even if a small percentage of people will use it negatively. For those of you thinking of using this to STEAL other people's passwords. Shame On You!
Just to save you a few seconds of attempting to log into my MySpace account. The email address, user names and passwords in the screen shots above have been altered to protect the innocent. =)
