New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Do YOU save passwords on your browser? Major security flaw
asterisk14
Member
in General
Browsers such as Safari or Google Chrome often come with password managers
But new research shows that tracking firms are exploiting the popular tools
Web trackers are stealing information from them to help target advertisements
The security loophole could be used to access people's passwords, raising concerns that hackers could exploit the flaw
Comments
I use passwords.txt on my desktop
Well, if the dailymail says so with no sources whatsoever, it must be true
Wouldn't sticky notes be easier ;-)
Daily mail not reliable !?!?!?! ;-)
Is this 3rd party password managers or built in browser password manager?
Daily mail not reliable !?!?!?! ;-)
I wouldn't trust them without heavy citation, especially in any field that requires in-house knowledge.
lol.
All my passwords are the same so no worries.
Wow, I must admire you. Since there is no admire button, I will thank instead
Reminds me of a Docsis ISP, who was still using Telnet in 2016 with the same password for every modem.
Two mistakes there:
1) you should name the file 'not-passwords', so no-one thinks it's passwords.
2) you should give it a fake file extension like .gif, so no-one thinks to open it with a text editor.
You're welcome.
Why link to this garbage instead of a solid source?
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
This is the interesting part.
I save passwords on Firefox for crap sites. Real important passwords are in my head and not saved anywhere but offline tablet I've got.
I do not really care. I got a credit of $20.000€ so am always under negative balance. If this is true I may contact ad firms to share my bank account so they can hack my negative balance easy.
My password to everything is hunter2 and nobody will ever find out what it is because all they see is stars
I use a separate FF profile for all my control panel URLs.
No tablets are really offline, they’re all reporting back to Kim Jong Un.
Actually Firefox's password manager, as long as you use a good "master password", is pretty secure. As secure as third party password managers:
https://raidersec.blogspot.fr/2013/06/how-browsers-store-your-passwords-and.html#firefox
Compare it to Chrome or others, explained on the same link above.
I consider myself pretty security-aware in these kinds of things and I myself trust Firefox's password manager. The underlying tech is solid enough as long as you use a master password. I also use Firefox for Android as my mobile browser and they sync passwords between desktop and mobile, using your sync password. So, if you use Firefox Sync, you also need a good sync password.
In short: You can trust Firefox's manager, as long as you have a good master password. Do not trust Chrome's because a simple script on the computer can read the passwords. It doesn't need to be a virus. A friend with a USB stick can plug it in, run the script, and take the USB stick out in 10 seconds. That friend can't do it with Firefox.
If you set it to not autofill, you won't have a problem, because it won't fill hidden forms either. Of course, NoScript will block this sort of deal by default since it's generally a hidden/injected reference through a compromised/shitty ad network/etc. Who the hell uses autofill in 2018?
(Keep in mind that @Harzem's reference is nearly 5 years old, but you CAN still browse through your SQLite DB locally for Chrome. It's not ideal.)
I advertised Firefox furiously, but forgot to address the main issue: Tracker scripts using autofill areas to harvest data.
Firefox autofills forms, which makes it vulnerable to this attack. However what I forgot to mention was how you can protect yourself simply by removing autofill, but keeping saved passwords intact. In about:config, find "signon.autofillForms" and set it to false.
When you do this, you can still use the password manager, you simply need to click on the form and select the username.
I changed this setting quite a while ago, to prevent websites from discovering my alternate accounts. When I log out of an account (and even clear cookies), when I visit the page, it autofilled my email address, which I had to delete and input the new one. Until I could delete it, the website can still log it. To prevent this, I disabled auto-autofill. Now it's manual-autofill, which means I click and select the login data before it autofills.
I use this on game accounts with throwaway emails which are only active in my home server when I need to retrieve the data :P
Cool! Works indeed! :-)
Even better: I use pen and paper
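The about:config change described in the thread ("signon.autofillForms" set to false) can also be checked and pinned from a profile's preference files. The following is an added example, not code from any poster: it assumes the standard Firefox `user_pref(...)` line format in prefs.js and user.js, and the function names and sample file contents are constructed for illustration.

```python
import re

PREF = "signon.autofillForms"
# Matches Firefox pref lines such as: user_pref("signon.autofillForms", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def read_pref(text, name=PREF):
    """Return the last value set for `name` in prefs.js/user.js text, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)
    return value

def autofill_enabled(prefs_js, user_js=""):
    """True if login autofill is on. user.js wins over prefs.js at startup;
    an absent pref means the Firefox default, which is true (autofill on)."""
    value = read_pref(user_js)
    if value is None:
        value = read_pref(prefs_js)
    return value != "false"

def harden_user_js(user_js):
    """Return user.js text with the pref forced to false, replacing any old entry."""
    kept = [l for l in user_js.splitlines()
            if not ((m := PREF_RE.match(l)) and m.group(1) == PREF)]
    kept.append(f'user_pref("{PREF}", false);')
    return "\n".join(kept) + "\n"

# Constructed sample profile contents (not taken from a real profile).
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("signon.rememberSignons", true);
'''
SAMPLE_USER = 'user_pref("signon.autofillForms", true);\n'

if __name__ == "__main__":
    print("autofill on before:", autofill_enabled(SAMPLE_PREFS, SAMPLE_USER))
    fixed = harden_user_js(SAMPLE_USER)
    print("autofill on after: ", autofill_enabled(SAMPLE_PREFS, fixed))
    print(fixed, end="")
```

Write the returned text to user.js in the profile directory while Firefox is closed; Firefox applies user.js on the next start, and saved logins remain available through manual selection.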