NFN Smith wrote:
mozilla-lists.mbou...@spamgourmet.com wrote:


Some of it may be a way of defending against passwords "remembered"
(whether in the browser, as with Mozilla, or in the way that IE keeps
stuff in the Windows registry). Given the antipathy of some developers
towards Mozilla (including the long-time problem of improper sniffing
methodologies, looking explicitly for "Firefox", rather than "Gecko",
and sometimes causing problems for Gecko browsers that aren't Firefox), I
think there's some number of developers that aren't really thinking much
about the Mozilla method of handling passwords.

Yeah, I think the concern about letting the browser remember passwords
is more those which don't need the user to enter a master password to
access them. Even if the passwords are encrypted, if the user doesn't
have to enter a password to get at them the decryption key must be
stored somewhere on the system, so is just as accessible to anyone able
to steal the password database.

I think this is particularly true with Internet Explorer -- I've always
found Microsoft's methodologies of "remembering" passwords via the
registry to be sloppy, and that they're far too aggressive about
offering to remember, and where it's too difficult to rescind, if the
user changes their mind, or accidentally remembers, when they don't want
to.

Although that stuff is encoded, it's not encrypted (and no requirement
for user authentication for access, beyond having a valid login for
Windows). To me, that's a security-by-obscurity thing, where it seems
likely that a script writer who knows what he is doing should be able to
extract that content from the registry. I've always been surprised that
the security experts don't push Microsoft a lot harder on that one,
although it's entirely possible that there's something that I'm missing.

However, I have seen reviews of comparative browser security, and
working from memory, I remember seeing that without a password, Mozilla
rates medium or medium-to-low, and below Google Chrome, but I think
about even with Internet Explorer. However, with the master password,
Mozilla is at the top.

I do know this -- using the various password recovery tools from
Nirsoft, it's pretty easy to extract remembered passwords. If I'm
troubleshooting on somebody's machine, I will occasionally run these
tools (with the user present), as a way of demonstrating the
vulnerability of passwords saved in the browser (if not protected by a
master password).

Letting the user use a password manager
might even make it more likely that they'll choose a more secure
password (longer, more difficult to guess) since they don't have to
remember it.

I think also that a majority of developers don't really account for the
idea of using third-party password managers. There are comparatively few
people who use them, and from a development standpoint,
trying to account for them merely adds complexity, and their focus tends
to be on facilitating the lowest common denominator of non-technical
user.  That, in itself, is a challenge, because there are still far too
many people who want one-button convenience, and where the
mechanics of proper authentication are an annoyance.


However, I think developers are more focused on defending against
script-based authentication (presumed to be malicious). By requiring
multiple user inputs, it's far more difficult for an attacker to
present credentials -- not only valid credentials, but a way of
defending against brute-force guessing.

Perhaps that's also part of it. But it only doubles the number of
requests needed to brute force the password (assuming the username has
to be entered again after each attempt at the password). There are more
effective ways of slowing that down, such as only allowing say 5
attempts for a given username before locking the account for 5 minutes
(if the error message doesn't differentiate between incorrect
username/password and account locked, the attacker won't be able to use
that to know if they've got the username right). Most users aren't
delayed at all, but an attacker can only make 5 attempts every 5
minutes, and may not even know that that's what the limit is (so might
even happen to try the correct password while the account is locked).

True, although there is definitely a "speed bump" effect, if you
have to click on a graphical button that takes you to another page, and
then requires subsequent data entry.

And more sites are moving to setups that do lock-outs after multiple
failed authentications. Thus, for the bad guys, there's a lot more
emphasis on finding places where passwords have been reused.

Consider:
http://www.eweek.com/security/sentry-mba-uses-credential-stuffing-to-hack-sites.html.


The place where this is especially problematic is that so many sites use
email addresses as user IDs, and there's an implied encouragement to end
users to use the same passwords with those IDs.  Thus, if an intruder
can get a password that is connected to an ID that is an email address,
then the logical first thing to do is to try that combination at every
possible site that that combination may work with -- not only the email
provider, but sites such as Amazon, PayPal, and more.

I know that several years ago, when Adobe got its user list hacked (and
where user IDs are email addresses), I remember that they did warn users
that those IDs at other sites were vulnerable, if passwords had been
reused.


And this kind of methodology
achieves a lot of the same kind of benefit as CAPTCHA, without annoying
users with CAPTCHA images that are difficult to decipher.

I've noticed that multiple-stage logins seem to be most common with
financial institutions.

Yeah, but they (or at least the ones I've used) tend to do other things
which can't be handled by a password manager anyway, like ask for 3
given digits out of an 8 digit number plus another piece of "memorable
information" (effectively a second password). Or use a chip+pin card
reader to log in.

With "memorable information", some sites may have several questions, and
where the question posed rotates, from login to login. I've also seen
one site that has a user-selected graphical image (selected at the time
of account creation). I haven't studied the mechanics of that one, but I
know if that image isn't displayed, then it's evidence of tampering.


I haven't checked it, but my suspicion is that a tool such as KeePass
might have the capacity for scripting a multiple-stage login.

Possibly; I keep meaning to look into that. I don't have it here right
now to look, but from what I recall I think it has a default method of
automatically filling in login forms (which should work for most basic
cases) but flexibility so you can tell it how to identify the relevant
fields on a site-by-site basis. Not sure whether it handles submitting
the username and password on separate pages though...

That's where I am.  I know that KeePass supports scripting, although the
syntax is a little cryptic, and I haven't tried to figure it out.

However, that's definitely something that is for techies, and something
that somebody who isn't a power user isn't likely to figure out, unless
somebody does it for them.

For what it's worth, I'm guessing that some of the other third-party
tools (such as LastPass or 1Password) are likely to be focused enough on
supporting non-technical users, that their scripting capacity may be
limited, although I'm sure that what's possible or not varies
significantly from tool to tool.

Smith

Excellent Analysis!
_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
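The lockout scheme sketched in the thread above (five failed attempts for a given username, then a five-minute lock, with one generic error message whether the password was wrong, the username unknown, or the account locked) worked through as an added example. This is not code from the thread, from SeaMonkey or from any site mentioned; the LoginService class, the thresholds, the PBKDF2 parameters and the constructed "alice" account are all assumptions. The current time is passed in explicitly so the five-minute lock can be followed without waiting five real minutes.

```python
"""Per-username login lockout with a single, undifferentiated error message.

Added example for the scheme described in the thread (5 attempts, then a
5-minute lock, same error text whether the password is wrong, the user is
unknown, or the account is locked).  The LoginService class, thresholds,
PBKDF2 parameters and the sample account are assumptions, not code from
SeaMonkey or any site named in the thread.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_ATTEMPTS = 5           # failed tries allowed before the lock engages
LOCKOUT_SECONDS = 300      # how long the account stays locked
GENERIC_ERROR = "Incorrect username or password."
PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16  # used to equalise timing for unknown usernames


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failures since last success/lock
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class LoginService:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, _derive(password, salt))

    def is_locked(self, username: str, now: float) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and now < acct.locked_until

    def login(self, username: str, password: str, now: float) -> Tuple[bool, str]:
        """Return (success, message).  Every failure path yields GENERIC_ERROR."""
        acct = self._accounts.get(username)
        if acct is None:
            # Unknown user: still pay the hashing cost so response time does
            # not reveal which usernames exist.
            _derive(password, _DUMMY_SALT)
            return False, GENERIC_ERROR

        if now < acct.locked_until:
            # Locked: reject without even checking the password.  A correct
            # guess made during the lock looks exactly like a wrong one, which
            # is the property the thread points out.
            return False, GENERIC_ERROR

        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return True, "ok"

        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0  # fresh budget of MAX_ATTEMPTS once the lock expires
        return False, GENERIC_ERROR


def demo() -> List[Tuple[bool, str]]:
    """Scenario: 5 bad guesses, the correct password during the lock, an
    unknown user, then the correct password once the lock has expired."""
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")  # constructed account
    t0 = 1_700_000_000.0
    results = []
    for i in range(MAX_ATTEMPTS):
        results.append(svc.login("alice", f"guess{i}", t0 + i))
    results.append(svc.login("alice", "correct horse battery staple", t0 + 10))
    results.append(svc.login("nobody", "anything", t0 + 10))
    results.append(svc.login("alice", "correct horse battery staple",
                             t0 + (MAX_ATTEMPTS - 1) + LOCKOUT_SECONDS))
    return results


if __name__ == "__main__":
    for ok, msg in demo():
        print(ok, msg)
```

Two points worth noticing when reading it. The lock is keyed on the username, so it slows a password-guessing attack on one account to five tries per five minutes, but it does nothing against the credential-stuffing pattern the thread goes on to describe, where an attacker tries one known password once against each of many usernames; that has to be throttled separately (per source address, per site-wide failure rate, or both). And the unknown-username branch deliberately runs the same slow hash as a real account so that the response time does not give away which usernames exist, which would otherwise undo the point of the uniform error message.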