Helping people with computers... one answer at a time.
Saving passwords for you is a convenient feature of most browsers. It's important to understand that with that convenience comes risk.
If I consider my computer to be physically secure, am I reasonably safe letting Firefox remember my passwords (without using a master password), or am I being incredibly stupid to do that? What if I do use a master password?
I certainly wouldn't say incredibly stupid at all. But it's definitely an additional risk, and one that needs to be understood.
But you're correct in considering physical security first. The problem is that people often assume they have more physical security than they actually do.
And master passwords? Well, they're nice, but they too have their limitations.
If you're at all wondering why this is even an issue, in Firefox do the following:
Yes, the Show Passwords button.

A few clicks and all your passwords are visible.
While I've obscured my own information, that dialog shows a list of URLs, usernames and passwords as remembered in my copy of Firefox. All we had to do was walk up to the computer and follow the simple instructions above to make all passwords clearly visible.
That should have you thinking very carefully about your security.
Anyone who can walk up to your computer can do that, and pretty darned quickly.
What can you do? There are several approaches.
Do nothing but rely on physical security. Depending on your circumstances, this may be a viable approach. The key is that you must be certain about your physical security. That means you know that your machine cannot be easily stolen, and that no one can simply walk up to it and access Firefox's remembered password list.
Clear the list and stop remembering passwords. This is actually what I recommend for laptop or portable computers. As an alternative, I use Roboform which allows me to store my password database where I choose, and I choose to store it on an encrypted TrueCrypt volume.
Use a master password. Firefox allows you to select a master password which is used to encrypt the stored passwords. In theory, without knowing the master password, you cannot access the stored passwords. Here's the problem: I was able to find at least one password cracking tool aimed specifically at the Firefox master password. If someone with malicious intent can steal your computer, or Firefox's encrypted files, they still have a reasonable chance of breaking through this security and gaining access to your stored passwords. As with any password, one key is to make it as strong as possible.
That last one concerns me slightly.
My take is simply this: it's like a padlock. It'll keep most people out. However, if someone who knows what they're doing comes along with a large enough crowbar or a bolt cutter, it's possible that they could get through it.
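To make the difference between the approaches above concrete, here is a toy model of a remembered-password list, written for this article as an added example; it is not Firefox's code and does not reproduce its file format. The iteration count, the HMAC-SHA256 counter-mode stream standing in for a real block cipher, and the sample entries are all assumptions. Without a master password the stored data is simply the list; with one it is sealed under a salted, stretched key, and the last two functions put numbers on the padlock analogy: an attacker who has taken the file is left guessing master passwords at a rate the work factor sets, so the password's strength is the whole of the lock.

```python
import hashlib
import hmac
import math
import os

# Assumed PBKDF2 work factor for this toy store; not the value Firefox uses.
ITERATIONS = 200_000


def derive_keys(master_password: str, salt: bytes, iterations: int = ITERATIONS):
    """Stretch the master password into one encryption key and one MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher standing in for AES."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first: a wrong master password fails here instead of yielding garbage."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or store tampered with")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def store_passwords(entries, master_password=None):
    """Produce the on-disk form of a list of (url, username, password) tuples.

    Without a master password the list is merely serialised, so anyone who can
    read the file (or click "Show Passwords") can read it. With one, the list is
    sealed under keys derived from the password and a fresh random salt.
    """
    serialised = "\n".join("\t".join(entry) for entry in entries).encode("utf-8")
    if master_password is None:
        return {"salt": None, "data": serialised}
    salt = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    return {"salt": salt, "data": seal(enc_key, mac_key, serialised)}


def load_passwords(stored, master_password=None):
    """Inverse of store_passwords; raises ValueError on a wrong master password."""
    if stored["salt"] is None:
        raw = stored["data"]
    else:
        enc_key, mac_key = derive_keys(master_password, stored["salt"])
        raw = open_sealed(enc_key, mac_key, stored["data"])
    return [tuple(line.split("\t")) for line in raw.decode("utf-8").split("\n") if line]


def master_password_entropy_bits(password: str) -> float:
    """Rough keyspace estimate from length and the character classes used."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(entropy_bits: float, hashes_per_second: float,
                     iterations: int = ITERATIONS) -> float:
    """Worst-case time to try every password in the keyspace when each guess
    costs `iterations` hash operations; the work factor divides the guess rate."""
    guesses_per_second = hashes_per_second / iterations
    return 2 ** entropy_bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample entries, not real credentials.
    sample = [("https://mail.example.com", "alice", "hunter2"),
              ("https://bank.example.com", "alice", "Tr0ub4dor&3")]
    plain = store_passwords(sample)
    print("no master password, password visible in file:", b"hunter2" in plain["data"])
    locked = store_passwords(sample, "correct horse battery staple")
    print("with master password, password visible in file:", b"hunter2" in locked["data"])
    print("round trip ok:", load_passwords(locked, "correct horse battery staple") == sample)
    for pw in ("hunter2", "correct horse battery staple"):
        bits = master_password_entropy_bits(pw)
        print(f"{pw!r}: {bits:.0f} bits, {years_to_exhaust(bits, 1e9):.2e} years at 1e9 hashes/s")
```

The two numbers that matter to the defender are both in the last function: the entropy of the master password and the iteration count. Raising either one makes the stolen file more expensive to open, and neither helps at all when no master password is set, because then there is nothing to guess.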
The real question is what should you do? Unfortunately, I can't answer that for you. It's a situation where you need to understand and balance the real risks that you face, the cost of a compromise, and the inconvenience.
I can throw out a few rules of thumb that I would use:
Never allow your passwords to be remembered on a portable computer - at least not without some additional level of much stronger security.
If you're ever uncertain, at a minimum throw a master password on the list. That's a fast and only moderately inconvenient way to keep out all but the most dedicated or knowledgeable hacker.
I'll also put it another way: even though its theft is unlikely, as a result of writing up this little thought exercise I've just cleared the list of remembered passwords on my home desktop and unchecked the option to remember for me. The cost of failure is simply too high should my machine ever be stolen or otherwise compromised.
I'm much more comfortable relying on Roboform and TrueCrypt.
Article C3961 - December 25, 2009
December 29, 2009 3:29 PM
Well, I feel motivated to do something more about password security... but I'm not sure what? Maybe get a small flash drive and install Roboform on it?
December 30, 2009 6:31 PM
I keep passwords in an Excel file and password protect that file. They are always with me and I understand that this is very hard to crack and gain entry to the file.
December 31, 2009 2:04 PM
amherst college says to lock your computer...will that make it safe?
xp/vista...windows-key+l or options+l....seems to me if you can lock it, a few folks know how to unlock it and help themselves? tu for your hard work...
01-Jan-2010
January 4, 2010 8:57 PM
Having the browser remember one's password does not seem all that secure. I'm OK with typing in the password each and every time. However, when one uses a computer at work or in some public places, there is always the risk of key loggers being installed in the computers. So, which method would be better for privacy and security?
05-Jan-2010
March 9, 2010 8:29 PM
Leo,
You could enable FIPS encryption in Firefox. It is little known that FIPS is standard on Firefox and can be enabled under advanced options and under encryption devices. Cracking a master password with FIPS enabled and a salt is virtually impossible.
TrueCrypt can't be recommended as none of its encryption techniques has ever been verified since the creators are anonymous. Lately they have been deleting posts criticizing any faults in the program, which is disturbing.