A note of caution on Firefox's storage of passwords
Authored by: nmerriam on Jan 24, '07 08:18:19AM

Good lord, this is the single worst security decision I've seen in Firefox. Being able to just show every password and username in plain text is ridiculous! It's one thing to autocomplete and know that someone with physical access to a machine can log on to an account from that system; it's another to show what the actual password used is (since I think the vast majority of people use a few passwords) and let the person see whatever pattern or phrases the user likes to create passwords with.



No worse than auto-fill
Authored by: stewby on Jan 24, '07 10:12:56AM

Auto-fill and display are exactly the same level of security. JavaScript can read the value of password fields, which means that if someone visits a page that auto-fills your password, they can run JavaScript from the URL bar to display that filled password.

If you don't trust the security around physical access to your machine/account, you shouldn't be storing any passwords.



No worse than auto-fill
Authored by: nmerriam on Jan 24, '07 01:19:44PM

> Auto-fill and display are exactly the same level of security. JavaScript can read the value of password fields, which means that if someone visits a page that auto-fills your password, they can run JavaScript from the URL bar to display that filled password.

That's still dramatically more work than clicking three times and getting a complete list of web sites with associated user names and matching passwords. Having to visit each site individually and run JS, then combine all that information takes time. Displaying this huge list of information, doing a screen capture, and pasting it in an email to yourself is something that can be done in literally a few seconds while someone's back is turned.

No worse than auto-fill
Authored by: stewby on Jan 24, '07 01:33:41PM

It would be simple to write a script to do most of the work very quickly (which is actually a big part of the reason that it's currently impossible to run AppleScript on existing pages in Camino). Even manually, stealing a few very sensitive passwords would only take a minute or two.

If your whole security model is based on people not having access to your machine unattended, then you should assume that if someone can get 30 seconds of access they can probably get 2 minutes.


