Is it possible for hackers to steal password stored in your browser?

7

4

I was just wondering if Windows XP passwords can be hacked. Then why can't a hacker just hack my passwords stored in my browser?

Is it possible for someone to know my browser-saved password while I surf the Internet? Does it become easy for hackers to steal from browsers that have open source code?

How do I safeguard browser-saved passwords?

subanki

Posted 2010-08-29T10:04:19.343

Reputation: 6 702

Answers

11

If a hacker gains administrative access to your computer, he can certainly steal the passwords stored in the browser. That is one of the good reasons why you shouldn't store highly sensitive passwords in the browser.

Remember that the browser must be able to decrypt your password into clear-text, in order to be able to submit it for you automatically when you wish to gain access to a site. This is what makes the browser the most vulnerable. In many other systems (including the Windows passwords), the actual passwords are not stored, but instead a one-way hash of the actual password, making it practically impossible to revert the stored value to the actual clear-text password.

driis

Posted 2010-08-29T10:04:19.343

Reputation: 746

1

It is possible to crack a Windows password by a brute force attack. – subanki – 2010-08-29T10:39:36.467

@subanki, yes that is a well known vulnerability. – driis – 2010-08-29T11:37:16.297

1

@subanki cough – TheLQ – 2010-08-29T15:05:48.287

5

About the source code part:

There is a debate about it. Some people like the idea of so-called "security through obscurity". The core of that idea is that the bad guy doesn't know how the system he is attacking works. So in the case of browsers, that means he wouldn't have access to the source code. In a perfect system, security through obscurity would make a system safer. Unfortunately browsers aren't perfect enough for that. Usually there are bugs which go unnoticed by the development team and which may be exploited.

That's why open source browsers like Firefox, for example, use another security doctrine. Their developers believe that source code should be public. This will allow attackers to know how the browser works, but on the other side it will allow security researchers to find bugs and report them so that developers may fix them. The idea is to make a browser so safe that it has no vulnerable places which crackers can exploit. If there are no vulnerabilities, the fact that crackers know how the browser works does not help them.

AndrejaKo

Posted 2010-08-29T10:04:19.343

Reputation: 16 459

4

This is a good comparison of the two schools of thought. I don't think that there is a debate among security researchers that security through obscurity does not work. The bad guys have infinite time and will figure out how the system works and where the bugs are. The only defense is to make it as easy as possible for the good guys to find the bugs as well. You don't need to make the source code of the entire system open, just use published cryptography algorithms instead of rolling your own. – KeithB – 2010-08-29T19:04:13.687

1

@KeithB I agree with you completely, but it seems you didn't notice that I avoided the term "security researcher" and used "some people". While problems with security through obscurity may be self-evident to serious security researchers and obvious to a large number of programmers, many people who are less competent from a computer security point of view, but who may be in high enough positions to influence the development of applications, think that it works. – AndrejaKo – 2010-08-29T20:09:09.390

2

"In a perfect system, security through obscurity would make a system safer" -- in a perfect system, it's not needed. – Sirex – 2011-01-19T11:29:18.523

3

Internet Explorer: No encryption or master password.
Firefox: No encryption, master password.
Chrome: Encryption, no master password.

All of these browsers, no matter how you put it, can be hacked by anyone with physical or remote access to your computer.

A browser being open-sourced can go either way in a security debate. On one hand, it's bad because then people will know how it encrypts the password and hack it easier. On the other hand, if it's open source, it'll be more rigorously tested and modified, and hence, much more secure.

My solution is to use a password manager with some decent encryption. KeePass (Windows) and 1Password (Mac) are known for having the best encryption (128-bit Rijndael, though KeePass hashes the password a lot, so technically it's way more secure). Both of them have viable browser integration and should be fine for general surfing purposes.

digitxp

Posted 2010-08-29T10:04:19.343

Reputation: 13 502
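The two storage models contrasted in driis's answer, together with the repeated hashing digitxp credits KeePass with, as an added example that is not code from this thread or from any browser or password manager: a one-way PBKDF2 record that can only be verified, beside a reversible record whose clear text anyone holding the master key can recover (and, where no master password is set, the key material sits on disk beside the record). The stream cipher is a toy stand-in for AES and the iteration count is an assumed figure.

```python
import hashlib
import hmac
import os

# Assumed cost factor: every guess at the password has to repeat this much work,
# which is the "hashes the password a lot" property the thread attributes to KeePass.
ITERATIONS = 100_000


def store_hashed(password: str, salt: bytes = b"") -> dict:
    """One-way storage (the model driis describes for Windows): keep salt + digest only."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_hashed(record: dict, attempt: str) -> bool:
    """The clear text never comes back; the only operation is recompute-and-compare."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def _keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher from HMAC-SHA256 counter blocks: a stand-in for AES, not a real design.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def store_encrypted(secret: str, master_password: str, salt: bytes = b"") -> dict:
    """Reversible storage (the browser / password-manager model): clear text must be recoverable."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    data = secret.encode()
    blob = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return {"salt": salt, "blob": blob}


def recover_encrypted(record: dict, master_password: str) -> str:
    """Whoever supplies the master password gets the clear text back; with no master
    password set, that key is derived from material stored next to the record."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), record["salt"], ITERATIONS)
    blob = record["blob"]
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob)))).decode(errors="replace")
```

Run with a fixed salt to see that the hashed record can only answer yes/no, while the encrypted record yields the original string to anyone who can reproduce the key.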

1

In Firefox, anyone can see your saved passwords when you go to Tools, Options, then the Security tab, and then click Saved Passwords. Then click "Show Passwords" and voila! You have all of the user's passwords. Yes, there is an option to have a master password set, but most users do not do this, or are not aware of this option...

studiohack

Posted 2010-08-29T10:04:19.343

Reputation: 13 125