
Why you shouldn't let your browser remember passwords. - (Another Scott)
It makes it easier for viruses to get at them...

http://raidersec.blo...asswords-and.html

Interesting. But check the comments, too.

(via Peter Vogel on G+ - https://plus.google....posts/88Aitts957h )

Cheers,
Scott.
same reason you shouldn't store them on disk - (boxley)
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 58 years. meep
Somebody has to, nicht wahr? - (Another Scott)
If I don't have my username and password on my PC, but the place I'm connecting to does, the problem still exists. If someone gets inside, the information is at risk.

One would think that the cloud is run by people who know what they're doing, so accounts are protected, but we know of too many cases where that isn't true.

IIRC, Kerberos tries to minimize this problem by passing tokens around. But the server still has a database of valid passwords from which it constructs tokens.

Defense in depth makes sense, but it's too easy to forget all this stuff...

Cheers,
Scott.
LastPass has been cracked before, IIRC - (malraux)
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
<boggle> - (Another Scott)
Re: <boggle> - (malraux)
http://news.cnet.com...-20060464-83.html
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Thanks. - (Another Scott)
Database of valid passwords? - (pwhysall)
Or valid password hashes?


Dunno. - (Another Scott)
I suppose with public and private keys that there are ways to know whether a username and password are valid without having and storing the actual original values.

But AFAIK, the problem remains. If the system is compromised, then it's only a matter of time before account information can be compromised as well.

But I'm no expert on this stuff...

Cheers,
Scott.
Makes little difference - (scoenye)
http://arstechnica.c...f-your-passwords/

ArsTechnica gave three experts a list of over 16000 cryptographic password hashes. The best one recovered 90% of the plaintext passwords.

The list of "plains," as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. "123456," "1234567," and "password" are there, as is "letmein," "Destiny21," and "pizzapizza." Passwords of this ilk are hopelessly weak. Despite the additional tweaking, "p@$$word," "123456789j," "letmein1!," and "LETMEin3" are equally awful. But sprinkled among the overused and easily cracked passcodes in the leaked list are some that many readers might assume are relatively secure. ":LOL1313le" is in there, as are "Coneyisland9/," "momof3g8kids," "1368555av," "n3xtb1gth1ng," "qeadzcwrsfxv1331," "m27bufford," "J21.redskin," "Garrett1993*," and "Oscar+emmy2."
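As an added illustration of the two points raised above (pwhysall's question of whether the server holds passwords or password hashes, and scoenye's note that hashes of weak passwords are still recoverable), here is example code that is not from this thread or from any of the sites discussed. It stores a per-user salt plus a slow PBKDF2 hash so the server can check a login without keeping the plaintext, and refuses the well-known "plains" quoted from the Ars Technica article at registration; the iteration count is an assumption chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed blocklist: the commonly cracked "plains" quoted in the article above.
WEAK_PASSWORDS = {"123456", "1234567", "password", "letmein", "p@$$word"}

# Assumed work factor; a real deployment tunes this to its hardware.
PBKDF2_ITERATIONS = 200_000


def is_weak(password: str) -> bool:
    """Registration check: reject known-cracked plains and very short passwords."""
    return password.lower() in WEAK_PASSWORDS or len(password) < 12


def make_record(password: str) -> dict:
    """Build what the server stores: a random salt and the iterated hash, never the password."""
    if is_weak(password):
        raise ValueError("password is on the weak list or too short")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against the stored record; only the hash is compared."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("stored record:", rec)
    print("login with right password:", verify(rec, "correct horse battery staple"))
    print("login with wrong password:", verify(rec, "letmein"))
```

Because each record carries its own random salt, two users who chose the same password get different stored hashes, so a leaked table does not even reveal which accounts share a password.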
Neat. Thanks. - (Another Scott)
shouldn't store passwords on your local disk - (boxley)
unprotected is where I was going. How the other end of your connection stores passwords is of interest also. Ensure that your login/password cannot be trivially tracked back to you. boxley and derivatives are used socially, financials are considerably different. Easy to hack boxley, wouldn't help with my protected connections
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 58 years. meep
Yup. - (Another Scott)
Re: Why you shouldn't let your browser remember passwords. - (folkert)
;DR (except to see it's about the lovely thing I love to hate)

Windows API, nice.

People will never learn, even when you show them. Why bother? I see people using IE v6 on their WindowsXP machines because they saw a newer version on a friend's machine and were told it screwed something up... so don't let it upgrade.

Oh and what about those that still do not have auto-fetch of patches turned on... because they read sometime in the mid 2000s that you can't trust Microsoft and have to approve all the upgrades yourself *ONLY*.

Like they have the ability to comprehend what is going on, read the KB and judge if it's a good thing. Heck, there are people asking me how to get the Certificate Warnings from their bank having an unrecognized Certificate Authority/Issuer, because they haven't updated the Certificate store in 5+ years.

Yeah, whatever.

edit: stupid stray mouse click...
--
greg@gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
Edited by folkert June 23, 2013, 09:05:27 AM EDT
     Why you shouldn't let your browser remember passwords. - (Another Scott) - (13)
         same reason you shouldn't store them on disk -NT - (boxley) - (11)
             Somebody has to, nicht wahr? - (Another Scott) - (8)
                 LastPass has been cracked before, IIRC -NT - (malraux) - (3)
                     <boggle> -NT - (Another Scott) - (2)
                         Re: <boggle> - (malraux) - (1)
                             Thanks. -NT - (Another Scott)
                 Database of valid passwords? - (pwhysall) - (3)
                     Dunno. - (Another Scott)
                     Makes little difference - (scoenye) - (1)
                         Neat. Thanks. -NT - (Another Scott)
             shouldnt store passwords on your local disk - (boxley) - (1)
                 Yup. -NT - (Another Scott)
         Re: Why you shouldn't let your browser remember passwords. - (folkert)
