How safe is the password manager in browsers?

13

2

For example, Opera has a "wand" feature that remembers the user names and passwords you typed across various sites.

Let's say you get a trojan which steals data from your PC. Can the trojan decrypt passwords stored by browsers, and use them?

Alex

Posted 2012-04-24T17:43:16.077

Reputation: 951

Answers

4

The points noted in Bob's answer are all valid, so I won't bother repeating them; however, I thought a little additional information might also be helpful for some, as your question is a valid concern.

  • Opera's Wand feature allows you to specify how frequently to ask for your master password under Preferences > Advanced > Security > Ask for password with selections such as "Once per session" (which, as Bob correctly points out, limits your security), "Every x minutes/hours" (if you don't mind fiddling with .ini files, you can customise your own frequency), and "Every time needed" (obviously the most secure option as your password will not be stored in memory during your browsing session). I don't use Firefox but can imagine that there's a similar extension available somewhere.

  • The Wand data is stored in a file called, wait for it, wand.dat in a format that can be deciphered with relatively little effort if no master password is used; if you do use a master password, it is encrypted using a random component and your master password with an algorithm that currently escapes me (should be easy to look up though).

  • If you use a password for a site whose security is more important to you than the average login, you can simply choose not to save the password.

  • Private tabs in Opera (or their equivalent in other browsers) allow you to store that tab's session data separately from that in "normal" tabs, which may add another layer of security.

  • The security model used in Chrome and its derivatives (that is, sandboxing each tab in a separate thread) gives you even greater security.

  • You can guard against keyloggers and such by regularly:

    • updating your anti-virus and firewall software; and
    • changing your passwords.

To sum up:

  • Your browser's level of security and that of your logins is up to you to a large extent.

  • If someone was very skilled and resourceful, they could probably get at your data eventually despite all the above precautions, but it would make your browser's data far more secure and would raise the level of sophistication required to crack it significantly.

Amos M. Carpenter

Posted 2012-04-24T17:43:16.077

Reputation: 1 373

22

  • If you have malware on your computer, no passwords entered or stored on it can be considered truly safe. Even with encrypted passwords such as KeePass databases, as soon as you enter the details required to decrypt them, the attacker can retrieve your passwords.

  • Browsers typically do not pay very much attention to the security of saved passwords, at least not with default settings.


Let's say you get a trojan which steals data from your PC. Can the trojan decrypt passwords stored by browsers, and use them?

In a word: yes. Browsers typically do not encrypt remembered passwords, so they can be read with trivial effort. Encryption with a stored key is useless anyway: if the browser is able to decrypt it, other programs running on the same computer can do the same.

I'm most familiar with Firefox, so I'll go with that.

Firefox allows you to set a 'master password'. If you do, it encrypts the stored passwords with the master password. However, for the sake of convenience, you only have to log in using this master password once per session. Once you are logged in, the information necessary to decrypt saved passwords is stored in memory, and can be accessed. A more secure and cumbersome approach would have been to require the master password to be typed every time Firefox needed to look up a saved password.

Even if the saved passwords were perfectly encrypted and completely inaccessible, they must be decrypted and entered on web forms at some point. Which means holding the passwords, unencrypted, in memory. There are actually quite a few 'asterisk revealer' programs designed to grab those passwords out of memory and, well, reveal them. Malware could theoretically do the same.

And malware could also keylog you, allowing the attacker to retrieve any password you typed.


There's a very in-depth study of password security across major browsers (IE, Chrome, FF) here. To summarise, both Chrome and IE10 rely on Windows' encryption routines, which are considered strong. However, they do not protect against other programs running under the same user, i.e. they are useless against malware. Again, any executing program (as Administrator) can grab information from memory or by keylogging anyway.

The method of encryption is most important when you consider the possibility of theft of your saved data for later analysis, e.g. someone sneaking in and copying off your data or stealing your computer. In general, all modern browsers do a decent job of protecting against that form of attack. Firefox with a good, strong password is again preferred, since the Windows encrypted data can be recovered by logging into the Windows user account, and the Windows password is not fully safe any longer. Do note that none of it will stop a very determined attacker.

Bob

Posted 2012-04-24T17:43:16.077

Reputation: 51 526

Worth noticing that if you use an authenticator, then a malicious attacker's options for stealing your passwords are greatly reduced. – o0'. – 2012-04-27T12:53:12.837
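The two storage choices described above (Amos's note that wand.dat can be read with little effort unless a master password and a random component are involved, and Bob's point that a key the browser itself stores helps only against someone copying the file offline), as an added example that is not code from any of the answers nor from Opera or Firefox. It is a small Python vault using only the standard library: PBKDF2 stretches either a constant the program carries (the "no master password" case, represented by the hypothetical `BUILT_IN_KEY`) or a user-supplied master password together with a random salt, an HMAC-SHA256 keystream encrypts the entries, and an encrypt-then-MAC tag rejects wrong passwords and altered files. That construction is an assumption chosen so the example runs without third-party AES; it is not the algorithm either browser uses. Function names (`encrypt_vault`, `decrypt_vault`, `leaks_plaintext`, `demo`) and the sample entries are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32

# Hypothetical stand-in for a key a browser keeps in its own code or profile
# when no master password is set. The program can always recover it, and so
# can any other program that reads the same files.
BUILT_IN_KEY = "constructed-built-in-key"


def derive_key(secret: str, salt: bytes) -> bytes:
    """Stretch a master password (or a stored secret) into 64 key bytes."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher, used here only
    so the example needs no third-party AES implementation."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(entries: dict, secret: str) -> bytes:
    """Serialise entries as salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt = secrets.token_bytes(SALT_LEN)      # the "random component"
    nonce = secrets.token_bytes(NONCE_LEN)
    key = derive_key(secret, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(blob: bytes, secret: str):
    """Return the entries, or None if the secret is wrong or the file was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    key = derive_key(secret, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong master password or tampered file
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext)


def leaks_plaintext(blob: bytes, entries: dict) -> bool:
    """Offline-theft check: does any saved password appear verbatim in the file?"""
    return any(e["password"].encode() in blob for e in entries.values())


def demo() -> dict:
    # Constructed sample entries, not real credentials.
    entries = {"example.com": {"user": "alice", "password": "correct horse battery"}}

    # 1. No master password: the only secret is the one the program carries.
    no_master = encrypt_vault(entries, BUILT_IN_KEY)
    # 2. Master password plus random salt: the file alone is not enough.
    with_master = encrypt_vault(entries, "a long master passphrase")

    return {
        "no_master_readable_with_builtin_key": decrypt_vault(no_master, BUILT_IN_KEY) == entries,
        "master_readable_with_password": decrypt_vault(with_master, "a long master passphrase") == entries,
        "master_rejects_wrong_password": decrypt_vault(with_master, "guess") is None,
        "either_leaks_plaintext": leaks_plaintext(no_master, entries) or leaks_plaintext(with_master, entries),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Neither file contains the password in the clear, so a casual copy of the vault yields nothing directly; the difference is who holds the secret. With `BUILT_IN_KEY` the secret sits in the program, so whoever copies both the file and the program (or runs as the same user) recovers everything, which is the situation Bob describes for key-stored-with-data encryption. With a master password only the user holds it, which is why a stolen file stays protected, and a wrong password or a flipped byte makes `decrypt_vault` return None instead of garbage. None of this changes the other half of the answers: once the master password has been typed on a machine where malware runs, the derived key and the decrypted entries are in memory for that session.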

1

NirSoft provides a tool called "IEPassView" which can decrypt Internet Explorer 8 and under passwords. System Information for Windows can do the same; just click on the key at the top.

NirSoft provides "password recovery" tools for many popular browsers (http://www.nirsoft.net/password_recovery_tools.html) -- these make a good "proof of concept" to show that the built-in password storage isn't safe.

Chris

Posted 2012-04-24T17:43:16.077

Reputation: 11

Uhm... that's a bit misleading, actually. You failed to mention that tools like these either don't work at all on logins protected by a master password or need the master password to "decrypt" the login details. At least this goes for Opera/Chrome/Firefox, not sure what IE does, you may well be right there. – Amos M. Carpenter – 2012-04-30T00:06:17.407

1

Lastpass and software like it are good, convenient answers. While they don't give you total security (you still need to do the basics like firewall, anti-virus, etc.), it's a good way of managing your passwords. Also, due to the fact that it's stored on the magical cloud, you can access them from anywhere (unlike some local software where you have to store it on your machine to access it).

Griffin

Posted 2012-04-24T17:43:16.077

Reputation: 1 034

1

I would note, again, that this would not protect against malware running locally. Firstly, malware could intercept your Lastpass master password. Two-factor authentication can protect against that, but then you could leak the passwords in the process of typing them into the destination webpage. Fact of the matter is, if malware is running (elevated) on your machine, your unencrypted data is screwed. And your encrypted data is screwed as soon as you try to access it. – Bob – 2013-08-18T16:32:07.900

(It's still a good suggestion [I personally use Keepass, none of that cloud rubbish], but I must address the point raised in the question.) – Bob – 2013-08-18T16:33:48.267

@Bob there's also the problem that even on the local machine malware can do the same thing, intercepting passwords. Copy and paste can be traced too, so as you use a password it's tracked. There is no good way, 2-factor authentication is REALLY hard to beat tho. – Griffin – 2013-08-18T23:06:02.203

Yup, I'm not saying Keepass is any more secure against locally run malware. – Bob – 2013-08-19T00:59:21.880