Language Selection

English French German Italian Portuguese Spanish

Password Management Concerns with IE and Firefox

Filed under
Security

This two-part paper presents an analysis of the security mechanisms, risks, attacks, and defenses of the two most commonly used password management systems for web browsers, found in Internet Explorer and Firefox. The article specifically addresses IE 6 and 7 and Firefox 1.5 and 2.0. Attention is devoted to the following areas:

  • Password storage mechanisms: The means of safeguarding usernames and passwords on the local file system through encryption (addressed in part 1).

  • Attacks on Password Managers: The methods of subverting or bypassing safeguards (partially addressed in part 1; continued in part 2).
  • False sense of security: Users employing password managers without any awareness of the risk factors (discussed in part 2).
  • Usability: Features that enhance or deter the usability of security features (discussed in part 2).
  • Mitigation and Countermeasures: Actions that can be taken by users and corporations to reduce the risk (part 2).

Internet Explorer and Firefox together amass roughly ninety-five percent of all browser market share. [ref 1] AutoComplete [ref 2] and Password Manager [ref 3] are the features that store web form usernames, passwords, and URLs for Internet Explorer (since version 4), and Firefox (since version 0.7), respectively.

Each browser has helpful features to aid the user from being tasked with remembering different usernames and passwords as a means of authentication for web sites. Thus when navigating to a URL such as http://www.gmail.com where form input fields are present, both IE and Firefox will prompt the user if he or she wants to save their username and password. When the user re-visits the same web site the browser will automatically fill the fields.

Although these features greatly simplify the responsibility of the user, they also introduce security considerations that are addressed in the next few sections.

Part One
Part Two

More in Tux Machines

University fuels NextCloud's improved monitoring

Encouraged by a potential customer - a large, German university - the German start-up company NextCloud has improved the resource monitoring capabilities of its eponymous cloud services solution, which it makes available as open source software. The improved monitoring should help users scale their implementation, decide how to balance work loads and alerting them to potential capacity issues. NextCloud’s monitoring capabilities can easily be combined with OpenNMS, an open source network monitoring and management solution. Read more

Linux Kernel Developers on 25 Years of Linux

One of the key accomplishments of Linux over the past 25 years has been the “professionalization” of open source. What started as a small passion project for creator Linus Torvalds in 1991, now runs most of modern society -- creating billions of dollars in economic value and bringing companies from diverse industries across the world to work on the technology together. Hundreds of companies employ thousands of developers to contribute code to the Linux kernel. It’s a common codebase that they have built diverse products and businesses on and that they therefore have a vested interest in maintaining and improving over the long term. The legacy of Linux, in other words, is a whole new way of doing business that’s based on collaboration, said Jim Zemlin, Executive Director of The Linux Foundation said this week in his keynote at LinuxCon in Toronto. Read more

Car manufacturers cooperate to build the car of the future

Automotive Grade Linux (AGL) is a project of the Linux Foundation dedicated to creating open source software solutions for the automobile industry. It also leverages the ten billion dollar investment in the Linux kernel. The work of the AGL project enables software developers to keep pace with the demands of customers and manufacturers in this rapidly changing space, while encouraging collaboration. Walt Miner is the community manager for Automotive Grade Linux, and he spoke at LinuxCon in Toronto recently on how Automotive Grade Linux is changing the way automotive manufacturers develop software. He worked for Motorola Automotive, Continental Automotive, and Montevista Automotive program, and saw lots of original equipment manufacturers (OEMs) like Ford, Honda, Jaguar Land Rover, Mazda, Mitsubishi, Nissan, Subaru and Toyota in action over the years. Read more

Torvalds at LinuxCon: The Highlights and the Lowlights

On Wednesday, when Linus Torvalds was interviewed as the opening keynote of the day at LinuxCon 2016, Linux was a day short of its 25th birthday. Interviewer Dirk Hohndel of VMware pointed out that in the famous announcement of the operating system posted by Torvalds 25 years earlier, he had said that the OS “wasn’t portable,” yet today it supports more hardware architectures than any other operating system. Torvalds also wrote, “it probably never will support anything other than AT-harddisks.” Read more