Comments on: Firefox Tip: Disable Password Manager http://robert.accettura.com/blog/2007/05/07/disable-password-manager/ Robert Accettura's Personal Blog on Web Development and Tech Fri, 21 Nov 2008 21:50:53 +0000 http://wordpress.org/?v=2.6.3 By: Tara (PassPack) http://robert.accettura.com/blog/2007/05/07/disable-password-manager/#comment-143133 Tara (PassPack) Thu, 31 May 2007 09:15:25 +0000 http://robert.accettura.com/archives/2007/05/07/disable-password-manager/#comment-143133 @Justin Thanks, "amply cracked" was probably too strong a choice of words. However, there was a ton of press surrounding the lack of security of Firefox's password manager - was that related to people not using the master password? I think the idea to simplify and promote the use of the master password would be a step in the right direction, but what about flat out requiring it? Perhaps that would help protect against tools like FirePassword which is advertised as "The Firefox Username & Password List Decryptor" I had a look at your blog - lots of exciting changes in the works, especially the porting from C to JS. Very cool. Cheers, Tara @Justin
Thanks, “amply cracked” was probably too strong a choice of words. However, there was a ton of press surrounding the lack of security of Firefox’s password manager - was that related to people not using the master password?

I think the idea to simplify and promote the use of the master password would be a step in the right direction, but what about flat out requiring it?

Perhaps that would help protect against tools like FirePassword which is advertised as “The Firefox Username & Password List Decryptor”

I had a look at your blog - lots of exciting changes in the works, especially the porting from C to JS. Very cool.

Cheers,
Tara

]]> By: Justin Dolske http://robert.accettura.com/blog/2007/05/07/disable-password-manager/#comment-142587 Justin Dolske Fri, 25 May 2007 01:12:24 +0000 http://robert.accettura.com/archives/2007/05/07/disable-password-manager/#comment-142587 Tara, that's not quite accurate... The Firefox password manager uses 3DES to encrypt the passwords, and if you're using a master password you're secure. [Someone could steal your profile and try to brute force your master password, but if they can do that they can probably just install a keystroke sniffer or various other malware anyway.] Firefox doesn't require you to set a master password by default, which does mean that anyone with access to your browser's configuration could access your passwords. Tara, that’s not quite accurate…

The Firefox password manager uses 3DES to encrypt the passwords, and if you’re using a master password you’re secure. [Someone could steal your profile and try to brute force your master password, but if they can do that they can probably just install a keystroke sniffer or various other malware anyway.]

Firefox doesn’t require you to set a master password by default, which does mean that anyone with access to your browser’s configuration could access your passwords.

]]> By: Tara (PassPack) http://robert.accettura.com/blog/2007/05/07/disable-password-manager/#comment-142082 Tara (PassPack) Fri, 18 May 2007 10:15:38 +0000 http://robert.accettura.com/archives/2007/05/07/disable-password-manager/#comment-142082 Sorry - I pasted in that link horribly. Here's another go: http://passpack.wordpress.com/2007/03/09/recover-your-passwords-from-your-browser/ Sorry - I pasted in that link horribly. Here’s another go:
http://passpack.wordpress.com/.....r-browser/

]]> By: Tara (PassPack) http://robert.accettura.com/blog/2007/05/07/disable-password-manager/#comment-142081 Tara (PassPack) Fri, 18 May 2007 10:14:25 +0000 http://robert.accettura.com/archives/2007/05/07/disable-password-manager/#comment-142081 It's a good idea to turn that off - the browser's built in password manager is very unsafe. They've all been amply cracked. For those who do use their browser's password manager, you might consider turning it off. No worries, you can still recover your passwords from there: a href="http://passpack.wordpress.com/2007/03/09/recover-your-passwords-from-your-browser/"> This article explains how I run an online password manager, so that article contains a product plug. But regardless of whether or not you are interested in PassPack, it should be helpful anyway. Cheers, Tara Kelly It’s a good idea to turn that off - the browser’s built in password manager is very unsafe. They’ve all been amply cracked.

For those who do use their browser’s password manager, you might consider turning it off. No worries, you can still recover your passwords from there: a href=”http://passpack.wordpress.com/2007/03/09/recover-your-passwords-from-your-browser/”> This article explains how

I run an online password manager, so that article contains a product plug. But regardless of whether or not you are interested in PassPack, it should be helpful anyway.

Cheers,
Tara Kelly

]]>