techsticle.blogspot.com — Most people take advantage of Firefox's ability to store your passwords for the multitude of sites you visit. How many realize that those passwords are easily accessible to anyone with access to your computer?
Mar 7, 2006
vuzman Mar 7, 2006
The problem with this is that it is insecure by default. That is a very stupid thing to do. Firefox should opt for security by default and not allow the storing and viewing of passwords without setting a master password.
starwed Mar 7, 2006
@vuzman: But if the user doesn't set the encryption key opera uses, it must be fairly easy to crack it. It'll probably stop family members etc. from doing it, but I don't see how opera's method can be secure until you set a master password. (Because opera has to store the key it uses somehow.)
vuzman Mar 7, 2006
Tools like these are generally available for similar uses, like retrieving passwords for MS Word documents, IE passwords, etc. This, I believe, would fall under the "special tools" category.
pymehta Mar 7, 2006
This was known even before Firefox. The Mozilla suite also had the same design. The default master password is off because if the user is security conscious, he would have other information also to protect and the protection is usually provided by operating system account. Thus, unless someone has admin privileges on the computer, he cannot see data in your account.

Mozilla introduced the additional level of security by introducing master password. Password stored in such fashion cannot be decrypted (in reasonable time) unless you have master password. This feature was also necessitated by the fact that Mozilla allows you to have multiple profiles even for one OS account, each profile potentially could belong to different users.

Having said that about rationales, one should also notice that at the time of making decision, Mozilla was not as big a brand as today, and a new user could have easily considered default feature an 'inconvenience' to walk away from it. (I rely on account level security, as I do not like to enter password every time Firefox is started.)

To conclude, it is a quality feature, but not needed by all.
511pf Mar 7, 2006
Storing passwords in the browser is an extraordinarily bad idea. It's one thing if the password is locally viewable. Just wait until there's a browser exploit that steals your passwords by browsing to a web page. It's going to happen. Use a separate password storage utility.
fuego81 Mar 7, 2006
01101100 01100001 01101101 01100101%6c%61%6d%65LAME
nothanks Apr 9, 2006
This 'vulnerability/feature' does seriously affect business users. Sorry in advance that this is a bit long....

My scenario:
- Business using Thunderbird 1.5 in a managed way for hundreds of users. (Standard config, updates rolled out with Zenworks)
- Thunderbird users connect to company IMAP server, authenticated to eDirectory via LDAP. (So we are talking an eDir account that gives access to more than mail).
- Thunderbird profiles are protected by:
  a) users not having administrative access to machines (mostly - those that are administrative should know the risks and lock their machines).
  b) Thunderbird on desktop PCs storing profiles on areas of network disk that only that user can access.
  c) Thunderbird on notebooks use NTFS protection.

Many staff do not understand the concept of IT security and refuse to lock their machines when leaving their PCs unattended. A percentage will go home in the evening without locking too - if you let them. A policy of screen locking after (say) 15 minutes of inactivity would be acceptable, but this vulnerability would still allow any curious co-worker to get the cleartext password of a security unaware person in seconds.

Work-arounds to this issue:

Do these things once, before TB starts:
- push the following lines to the prefs.js file:
  user_pref("wallet.SchemaValueFileName", "44357272.w");
  user_pref("wallet.crypto", true);
- Delete the current ????????.s password file

When Thunderbird starts the user will be prompted for their imap password, followed by a master password. They will be advised to enter the same for both. Now the imap password (which also is their LDAP or eDir password) is stored in a much more secure way and TB can not display it in clear text without the master password. If they ever lose the information about what the master password is, just delete the ????.s file from their profile.

Note. These users do not have access to other mail servers so there is really no need for anyone to ever need to look at their own password in cleartext. If they forget their password the IT helpdesk will solve that for them (by resetting it).

There is a HUGE difference between a strongly encrypted file being available and a cleartext version of the same when it comes to curious co-workers.

An alternative is to prime prefs.js so that the password would never be stored for the company mail servers.

The downside for both workaround methods is that Thunderbird can no longer start without prompting for a password.
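The workaround described in the comment above, as an added example that is not part of the original thread or any Mozilla tooling: a Python function that writes the two quoted preference lines into one profile's prefs.js without duplicating them and deletes files matching the `????????.s` name pattern. The function names, the sample profile and its contents are constructed for illustration, and treating `????????.s` as a file-name pattern is an assumption.

```python
import re
import tempfile
from pathlib import Path

# The two preference lines exactly as given in the comment above.
REQUIRED_PREFS = {
    "wallet.SchemaValueFileName": '"44357272.w"',
    "wallet.crypto": "true",
}
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)"\s*,\s*(.*?)\s*\);\s*$')

def apply_workaround(profile_dir):
    """Apply to one profile while Thunderbird is closed; return (prefs set, files deleted)."""
    profile = Path(profile_dir)
    prefs_path = profile / "prefs.js"
    lines = prefs_path.read_text().splitlines() if prefs_path.exists() else []
    kept, correct = [], set()
    for line in lines:
        m = PREF_LINE.match(line)
        if m and m.group(1) in REQUIRED_PREFS:
            name, value = m.groups()
            if value != REQUIRED_PREFS[name] or name in correct:
                continue  # drop a stale or duplicate entry
            correct.add(name)
        kept.append(line)
    written = [n for n in REQUIRED_PREFS if n not in correct]
    kept += [f'user_pref("{n}", {REQUIRED_PREFS[n]});' for n in written]
    if kept != lines:
        prefs_path.write_text("\n".join(kept) + "\n")
    # Assumption: "????????.s" from the comment is used as a file-name pattern.
    deleted = sorted(p.name for p in profile.glob("????????.s"))
    for name in deleted:
        (profile / name).unlink()
    return written, deleted

def make_sample_profile():
    """Build a constructed profile directory for demonstration (not real data)."""
    profile = Path(tempfile.mkdtemp(prefix="tb-profile-"))
    (profile / "prefs.js").write_text(
        'user_pref("mail.server.server1.type", "imap");\n'
        'user_pref("wallet.crypto", false);\n'
    )
    (profile / "abcd1234.s").write_text("constructed placeholder\n")
    return profile

if __name__ == "__main__":
    print(apply_workaround(make_sample_profile()))
```

A second run on the same profile returns two empty lists, which makes the function safe to push repeatedly from a deployment tool.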
l_jenkins Sep 7, 2006
I just decided to test the average user: Went into the next room, jumped on my brother's CPU, found out he uses the same password for everything he does...and apparently so does my mom, who occasionally uses that CPU for her banking, etc. Now the scary part is that my brother also lets his friends use that CPU at will, giving them access to my mom's bank account. Not an atypical situation for the average user I would think. Big problem.
belfastbiker Nov 18, 2006
Thanks for the heads up. Didn't realise since reinstalling my PC that my firefox was wide open like that. Password WAS previously set on my last config.
activiorel Mar 31, 2007
I've found an addon to export your passwords when you reinstall your OS, the name is Password Exporter, and you can find it here - https://addons.mozilla.org/firefox/addon/2848

Vio, http://www.free-games.online-instant.com/
asdfsquared Nov 21, 2007
i want to see comments!
hoaas May 13, 2008
Could still be a way to disable the viewing from firefox. I don't want to type a password every time I start my browser, neither do I want every person I let near my computer for 30 seconds have a chance to discover my passwords by accident.

90% of the people I know have no idea how to dig out passwords from files stored somewhere on the HDD, the remaining 10% can do far worse things towards me if they get access to my computer anyway.
xmido Sep 5, 2008
I don't care about people who can crack the password. I just don't like the idea of how the passwords are just there for anyone to see. I am talking about family members and people who live with me. If I go to the bathroom, my bro could check all my passwords in less than a minute. The master password is inconvenient, it asks you for the master password each time you open the browser. So why the hell am I making Firefox remember my passwords if I am going to type the master password each time? It defies its purpose. That's why I am using Opera as my primary browser and Firefox as my secondary.
nelasuka Nov 14, 2008
Hey there, do you happen to know what the Vista equivalent of that filepath would be? I want to make sure it's inaccessible...thanks!!