Like to see....................

The tests repeated for Firefox using noscript activated.

Never store passwords in the browser

Your favourite motorcycle owners forum or online bank account, they all contain personal information.

If you need to remember a lot of passwords, grab KeePass (Free as in Beer and Speech) and store them all in that. Hell, it'll generate secure passwords for you and let you copy and paste them without ever having to see what they are.

It will run from a memory stick, so no installation required on work / home PCs, and is completely portable.

Bosting.

I'm going to make a browser that passes all categories.

And I shall call it; "Nagfox".

What?

"...it is tempting to think that users would be well advised never to save passwords for sensitive websites."

People do that?

Is it me?

"...... form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity,"

For some reason I can only read that as if it were spoken by Gus Hedges from "Drop the Dead Donkey".

Testing

@Mo: Who knows what they tested it on or how? I'm a professional tester and looking at their list of tests tells me that they didn't lock the keychain before performing these tests. It's possible that they don't know how!

It would very be interesting to know which platform(s) these tests were run on (Mac/PC/Linux/all). I believe that they were all run on PC, otherwise the results may have been different (as Mo said, they could lock the keychain).

Suffice to say, there's nothing preventing anyone from coming up with "tests" that prove exactly what they want to prove. If they don't (or won't) tell you how the test was run then the results are meaningless.

My guess is that either this company will soon be selling some kind of "solution" to the problems they've just highlighted OR they only did it for the publicity (Looking at their webpage tells me that they're probably a one or two-man company who need all the publicity they can get).

Title

Pleasantly surprised - IE7 scored 5, which is 2 less than Opera and Firefox, 3 more than Safari and Chrome and 8 or 9 more than I was expecting...

I'd be very interested in the results if some of the browsers had some of the regularly used options enabled - "privacy" modes and Firefox+NoScript for example.

Asking for it / @TeeCee

Quote: "Chapin's tests set a high standard but looking at the results it is tempting to think that users would be well advised never to save passwords for sensitive websites."

'Tempting'? 'Advised'? 'Sensitive websites'?

Jeeze! Anyone who stores *any* password in a browser's password manager needs their head examining! In fact, cautious users never store passwords in cleartext anywhere on a computer.

Paris, cos she's stupid too (allegedly)

@TeeCee. Well remembered! You're right, it's pure Gus-speak :)

@Embarrassingly bad

"How can completing a form when auto-complete is set to "off" be anything other than "go to fail, go directly to fail"?"

Because there's a difference between not saving it when autocomplete is off and not completing it when autocomplete is off.

As an example, Firefox doesn't save the password if autocomplete is off, so it'll never get filled in later. But if I go to the effort of modifying the DOM so that it will get saved (e.g. using the Enable Password Manager bookmarklet) then it's obvious that I do want it autocompleted later. Even then, Firefox doesn't autocomplete it automatically, I have to go to the field, hit the down cursor to select the user, and then hit return.

And I'm quite happy with that because I want to decide which passwords I save instead of some arbitrary decision by the website owner. And, in the event of having a keylogger installed, it's probably more secure.

Lock the keychain?

Shoot, no normal user will do that. It's like... like... like not working as root! Not done. Too much work.

But seriously, security != ease of use. Locking the keychain might well be a theoretical solution, but anything that fails to take human nature into account is not security, just mildly entertaining. Or maybe a CMA. Litigation FTW...

Duh!

"it is tempting to think that users would be well advised never to save passwords for sensitive websites."

Well, duh.

Do you write your pin number on your bank card? So why save your online bank password on your browser?

Man + dog report

Makes me want to knock up some report to generate some publicity.

NoScript?

Is Firefox's PM dependent on Javascript or something else disabled by NoScript*? 'Cos the test was on the security of the PASSWORD MANAGERS, nothing else. So unless the answer to the question is "yes" -- which would raise even more questions about the security of Firefox's PM -- then the NoScript plugin should have no effect on the tests whatsoever. And if the answer is "yes", then the tests with NoScript enabled would be irrelevant (as the PM wouldn't work), wouldn't they?

* No, I really don't know -- because I don't use PMs, and I rarely use Firefox.

This title is password protected

>>>Chrome fails to check the location of password requests or the destination to which they are dispatched<<<

What about Firefox? Since anti phishing I would've thought the above requirement would be built, by default, into all browsers. Also, doesn't the master password protect your password list, if not, what's its point?

Admittedly, I don't save passwords to financial or important sites, mainly forums and places like this, and I would never save passwords in IE whatever version, but I thought Firefox's big sell was online security. Is it worth sending a ms to the Firefox team? - they never respond when reporting the crash on exit bug.

Remember my password for me?

Remember the Butlerian Jihad?

When the browser asks to save your password, just say no.