No worse than auto-fill
Authored by: stewby on Jan 24, '07 10:12:56AM

Auto-fill and display are exactly the same level of security. JavaScript can read the value of password fields, which means that if someone visits a page that auto-fills your password they can run JavaScript from the URL bar to display that filled password.

If you don't trust the security around physical access to your machine/account, you shouldn't be storing any passwords.

No worse than auto-fill
Authored by: nmerriam on Jan 24, '07 01:19:44PM
> Auto-fill and display are exactly the same level of security. JavaScript can read the value of password fields, which means that if someone visits a page that auto-fills your password they can run JavaScript from the URL bar to display that filled password.
That's still dramatically more work than clicking three times and getting a complete list of web sites with associated user names and matching passwords. Having to visit each site individually and run JS, then combine all that information takes time. Displaying this huge list of information, doing a screen capture, and pasting it in an email to yourself is something that can be done in literally a few seconds while someone's back is turned.

No worse than auto-fill
Authored by: stewby on Jan 24, '07 01:33:41PM

It would be simple to write a script to do most of the work very quickly (which is actually a big part of the reason that it's currently impossible to run AppleScript on existing pages in Camino). Even manually, stealing a few very sensitive passwords would only take a minute or two.

If your whole security model is based on people not having access to your machine unattended, then you should assume that if someone can get 30 seconds of access they can probably get 2 minutes.
