Security Basics mailing list archives
Re: How [not] to Secure Your Browser's Saved Passwords
From: Alexander Klimov <alserkli () inbox ru>
Date: Thu, 10 Sep 2009 14:40:10 +0300 (IDT)
On Tue, 1 Sep 2009, Ali, Saqib wrote:
> I personally think storing passwords in the browser is a bad idea. It is very un-secure even with the Master password. [...] There are two other far more secure options for saving and auto-filling the user credentials: 1) Use the system's built-in Trusted Platform Module (TPM) for credential management. [...] 2) Use a Host-proof-hosting (HTH) web based password vaulting system e.g. Passpack. These are cloud enabled password vaulting systems that can be accessed from any browser and also support one-click logon (i.e. auto-fill).
Every time someone says that something is "un-secure" you need to ask him: "What is your threat model?" A reasonable threat model contains (1) laptop theft while it is offline; (2) trojan software. Using a secure master password in your browser you get protection against (1), but no protection against (2). With the alternatives you mentioned you get the same: with strong passwords you get protection against (1), but no protection against (2) -- every web password will be intercepted the first time you use it.

If the systems are equivalent security-wise, it is reasonable to use the one that is simpler, and I guess storing passwords with the browser's built-in mechanism is obviously simpler.

In addition to complexity, there is an issue of trust: I personally believe FF authors are less likely to screw up security than vendors of TPM or HTH. That is, using the browser's built-in mechanism for password storage is as secure as you can get.

--
Regards,
ASK
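To make the threat-model comparison concrete, here is an added example (not from the original thread, and not any browser's or vendor's code) modelling threat (1): an attacker who holds the stolen, master-password-protected store and can guess offline without any rate limit. The store format (PBKDF2-HMAC-SHA256 key derivation with a salt and a verifier), the work factor and the wordlist are all constructed for illustration. The script shows that a dictionary master password is recovered after a handful of guesses while a random one survives the same wordlist, and it measures the cost per guess, which is the only lever the defender still has once the files are gone. Threat (2), a trojan on the running machine, is deliberately not modelled: it reads each password at the moment it is used, whatever the store does.

```python
"""Offline dictionary attack against a stolen, master-password-protected store.

Constructed model of the thread's threat (1). The attacker has the laptop and
therefore the encrypted store, and makes guesses with no lock-out; only the
master password's strength and the work factor per guess slow him down.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import List, Optional, Tuple

# Assumed work factor per guess for this example; real stores pick their own.
ITERATIONS = 100_000


def make_store(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Derive a key from the master password with PBKDF2-HMAC-SHA256 and keep a
    salt plus a verifier. This is what an offline attacker ends up holding."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    verifier = hmac.new(key, b"store-verifier", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(store: dict, candidate: str) -> bool:
    """Check a candidate master password exactly the way the store itself would."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(), store["salt"], store["iterations"])
    tag = hmac.new(key, b"store-verifier", "sha256").digest()
    return hmac.compare_digest(tag, store["verifier"])


def offline_attack(store: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Threat (1): try every guess in order; return (recovered password, guesses made)."""
    for n, guess in enumerate(wordlist, 1):
        if unlock(store, guess):
            return guess, n
    return None, len(wordlist)


def seconds_per_guess(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure the attacker's cost per guess on this machine (single core)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "firefox", "summer2009", "passw0rd"]


def demo() -> dict:
    """Attack two stores: one with a dictionary master password, one with a random one."""
    weak = make_store("summer2009")
    strong = make_store(secrets.token_urlsafe(18))  # ~144 bits of randomness
    weak_found, weak_tries = offline_attack(weak, WORDLIST)
    strong_found, strong_tries = offline_attack(strong, WORDLIST)
    return {
        "weak_recovered": weak_found,
        "weak_guesses": weak_tries,
        "strong_recovered": strong_found,
        "strong_guesses": strong_tries,
    }


if __name__ == "__main__":
    result = demo()
    per_guess = seconds_per_guess()
    print(f"weak master password recovered: {result['weak_recovered']!r} "
          f"after {result['weak_guesses']} guesses")
    print(f"strong master password recovered: {result['strong_recovered']!r} "
          f"after {result['strong_guesses']} guesses (wordlist exhausted)")
    print(f"cost per guess at {ITERATIONS} iterations: {per_guess * 1000:.1f} ms; "
          f"one billion guesses would take about {per_guess * 1e9 / 86400:.0f} days on this core")
```

Run it directly to see the per-guess cost on your own hardware. The lesson matches Klimov's point: against theft of the offline machine, a strong master password (and a high work factor) is what protects you, and that holds equally for a browser store, a TPM-backed store or a hosted vault; none of them helps once a trojan sits between the keyboard and the login form.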
Current thread:
- How [not] to Secure Your Browser's Saved Passwords Ali, Saqib (Sep 02)
- Re: How [not] to Secure Your Browser's Saved Passwords Alexander Klimov (Sep 11)