A beta version of Google Chrome has tied with Safari for last place in tests of how the browsers dealt with password security. The tests - put together by security consultancy Chapin Information Services - ran the most popular browsers against a set of 21 checks. None performed particularly well. Opera 9.62 passed only seven …
Like to see....................
The tests repeated for Firefox using noscript activated.
Never store passwords in the browser
Your favourite motorcycle owners forum or online bank account, they all contain personal information.
If you need to remember a lot of passwords, grab KeePass (Free as in Beer and Speech) and store them all in that. Hell, it'll generate secure passwords for you and let you copy and paste them without ever having to see what they are.
It will run from a memory stick, so no installation required on work / home PCs, and is completely portable.
I'm going to make a browser that passes all categories.
And I shall call it; "Nagfox".
Is that Safari on the Mac, or on Windows?
’cos on the Mac, passwords are stored on the Keychain, and if you don't unlock your Keychain in the first place, Safari can't decrypt squat.
The default configuration is for your Keychain to be unlocked when you log in, but you can change that easily enough, and set it to to auto-lock under various circumstances, which means you'll be prompted for your Keychain password whenever Safari wants to auto-fill a login form. Hit Cancel and it won't auto-fill a thing.
If memory serves, other auto-fill data is stored in the same way.
Given Safari and Google Chrome's common ancestry, it would have been interesting to see how true geeks' beloved Konqueror fared.
"...it is tempting to think that users would be well advised never to save passwords for sensitive websites."
People do that?
Is it me?
"...... form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity,"
For some reason I can only read that as if it were spoken by Gus Hedges from "Drop the Dead Donkey".
"Chapin's tests set a high standard ..."
Not on the evidence of this article they don't. How can completing a form when auto-complete is set to "off" be anything other than "go to fail, go directly to fail"? (Apologies to all, myself included, who regard "fail" as the clear sign of an illiterate fool. It just happened to fit on this occasion.)
"...but looking at the results it is tempting to think that users would be well advised never to save passwords for sensitive websites."
You mean there are people who do? Crikey! That's even *more* embarrasing.
@Mo: Who knows what they tested it on or how? I'm a professional tester and looking at their list of tests tells me that they didn't lock the keychain before performing these tests. It's possible that they don't know how!
It would very be interesting to know which platform(s) these tests were run on (Mac/PC/Linux/all). I believe that they were all run on PC, otherwise the results may have been different (as Mo said, they could lock the keychain).
Suffice to say, there's nothing preventing anyone from coming up with "tests" that prove exactly what they want to prove. If they don't (or won't) tell you how the test was run then the results are meaningless.
My guess is that either this company will soon be selling some kind of "solution" to the problems they've just highlighted OR they only did it for the publicity (Looking at their webpage tells me that they're probably a one or two-man company who need all the publicity they can get).
Pleasantly surprised - IE7 scored 5, which is 2 less than Opera and Firefox, 3 more than Safari and Chrome and 8 or 9 more than I was expecting...
I'd be very interested in the results if some of the browsers had some of the regularly used options enabled - "privacy" modes and Firefox+NoScript for example.
Asking for it / @TeeCee
Quote: "Chapin's tests set a high standard but looking at the results it is tempting to think that users would be well advised never to save passwords for sensitive websites."
'Tempting'? 'Advised'? 'Sensitive websites'?
Jeeze! Anyone who stores *any* password in a browser's password manager needs their head examining! In fact, cautious users never store passwords in cleartext anywhere on a computer.
Paris, cos she's stupid too (allegedly)
@TeeCee. Well remembered! You're right, it's pure Gus-speak :)
Saw that one coming ...
Which is why, over all these years, I've never once saved a password for use in a browser.
Maybe, one day, there'll be a browser password-saving system that meets *my* stringent requirements.
"How can completing a form when auto-complete is set to "off" be anything other than "go to fail, go directly to fail"?"
Because there's a difference between not saving it when autocomplete is off and not completing it when autocomplete is off.
As an example, Firefox doesn't save the password if autocomplete is off, so it'll never get filled in later. But if I go to the effort of modifying the DOM so that it will get saved (e.g. using the Enable Password Manager bookmarklet) then it's obvious that I do want it autocompleted later. Even then, Firefox doesn't autocomplete it automatically, I have to go to the field, hit the down cursor to select the user, and then hit return.
And I'm quite happy with that because I want to decide which passwords I save instead of some arbitrary decision by the website owner. And, in the event of having a keylogger installed, it's probably more secure.
Lock the keychain?
Shoot, no normal user will do that. It's like... like... like not working as root! Not done. Too much work.
But seriously, security != ease of use. Locking the keychain might well be a theoretical solution, but anything that fails to take human nature into account is not security, just mildly entertaining. Or maybe a CMA. Litigation FTW...
"it is tempting to think that users would be well advised never to save passwords for sensitive websites."
Do you write your pin number on your bank card? So why save your online bank password on your browser?
This sort of test
Is only really valid in a default state. So if Keychain is unlocked by default then that's the most appropriate state to test. Same with NoScript on Firefox. All this assuming that the average Joe is dumb (and let's face it, he is).
However, the tests would have been more credible if they had then tested them with the other options that are easily available to the default install.
Just for a flash from the past though, Windows XP was horribly insecure in all tests/attacks largely because its firewall was off by default and that wasn't changed until SP2. XP was appropriatley lambasted for that very reason, so I don't see why other software manufacturer's who have insecure defaults shouldn't be subjected to some derision.
Man + dog report
Makes me want to knock up some report to generate some publicity.
* No, I really don't know -- because I don't use PMs, and I rarely use Firefox.
Try it Yourself
You can put your browser through their tests yourself on their website. I just put FF2 (with NoScript though as Steven Knox said, shouldn't matter) through and still passed 7 though the results were slightly different from FF3's. It passed "Random Name Attr. Prevents Form Fills" but failed "Multi. Schemes Per User Per Authority".
Firefox 3.04 and NoScript
I tried it with Firefox 3.04 with NoScript, and did not allow the site in NoScript. I was unable to get past the 4 step (out of 32).
After allowing the site, I was able to complete the test, and passed on 8 of the 32 tests.
"...users would be stupid to save passwords for any websites."
I fixed it for you.
This title is password protected
>>>Chrome fails to check the location of password requests or the destination to which they are dispatched<<<
What about Firefox? Since anti phishing I would've thought the above requirement would be built, by default, into all browsers. Also, doesn't the master password protect your password list, if not, what's its point?
Admittedly, I don't save passwords to financial or important sites, mainly forums and places like this, and I would never save passwords in IE whatever version, but I thought Firefox's big sell was online security. Is it worth sending a ms to the Firefox team? - they never respond when reporting the crash on exit bug.
Remember my password for me?
Remember the Butlerian Jihad?
When the browser asks to save your password, just say no.
- Xmas Round-up Ten top tech toys to interface with a techie’s Christmas stocking
- Xmas Round-up Ghosts of Christmas Past: Ten tech treats from yesteryear
- Review Hey Linux newbie: If you've never had a taste, try perfect Petra ... mmm, smells like Mint 16
- Analysis Microsoft's licence riddles give Linux and pals a free ride to virtual domination
- NSFW Oz couple get jiggy in pharmacy in 'banned' condom ad