
Password Management Concerns with IE and Firefox

Filed under
Security

This two-part paper presents an analysis of the security mechanisms, risks, attacks, and defenses of the two most commonly used password management systems for web browsers, found in Internet Explorer and Firefox. The article specifically addresses IE 6 and 7 and Firefox 1.5 and 2.0. Attention is devoted to the following areas:

  • Password storage mechanisms: The means of safeguarding usernames and passwords on the local file system through encryption (addressed in part 1).
  • Attacks on password managers: The methods of subverting or bypassing safeguards (partially addressed in part 1; continued in part 2).
  • False sense of security: Users employing password managers without any awareness of the risk factors (discussed in part 2).
  • Usability: Features that enhance or deter the usability of security features (discussed in part 2).
  • Mitigation and countermeasures: Actions that can be taken by users and corporations to reduce the risk (part 2).

Internet Explorer and Firefox together amass roughly ninety-five percent of all browser market share. [ref 1] AutoComplete [ref 2] and Password Manager [ref 3] are the features that store web form usernames, passwords, and URLs for Internet Explorer (since version 4), and Firefox (since version 0.7), respectively.

Each browser offers features that spare the user from having to remember a different username and password for every web site that requires authentication. When the user navigates to a URL such as http://www.gmail.com that contains form input fields, both IE and Firefox prompt the user to save the username and password. When the user re-visits the same web site, the browser automatically fills in those fields.

Although these features greatly simplify the responsibility of the user, they also introduce security considerations that are addressed in the next few sections.

Part One
Part Two
