funsec mailing list archives

How [not] to Secure Your Browser's Saved Passwords


From: "Ali, Saqib" <docbook.xml () gmail com>
Date: Tue, 1 Sep 2009 19:15:34 -0700

Gina Trapani of Lifehacker wrote a small piece on how to save
passwords for websites in Firefox and secure them using a master
password:
http://blogs.harvardbusiness.org/trapani/2009/09/how-to-secure-your-browsers-sa.html

I personally think storing passwords in the browser is a bad idea. It
is very insecure even with the Master password. In fact, I have my
Firefox set to automatically clear history (including passwords and
session cookies) every time I close Firefox.

There are two other far more secure options for saving and
auto-filling the user credentials:

1) Use the system's built-in Trusted Platform Module (TPM) for credential
management. Most popular laptops ship with a TPM Management Suite that
supports credential management as well; OR
2) Use a Host-proof-hosting (HTH) web based password vaulting system,
e.g. Passpack. These are cloud-enabled password vaulting systems that
can be accessed from any browser and also support one-click logon
(i.e. auto-fill). One key benefit of HTH vaulting systems is that the
password hosting server only holds the encrypted passwords, and not
the decryption key. The decryption key never leaves the client
browser. All encryption/decryption of passwords happens in the client
browser, and only the encrypted password is sent to the hosting
server. This way even if the actual hosting server is sitting in
Harvard Square, no one can get to my passwords - in a reasonable
time-frame.

I personally use TPM based credential management for non-web based
stuff, and for web-site credentials, I use Passpack, which enables
me to get to my passwords from any browser, in a secure fashion.

Your thoughts? Do you think saving passwords in a browser is safe and secure?