"Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. . . .†http://it.slashdot.org/it/06/11/21/2319243.shtml OK, this one disturbed me enough motivate me to go into my saved passwords and wipe clean any important or financial site passwords . . . such as PayPal, banks, phone service, etc . . . I got to the "PriusChat" line and froze . . . Hummmm . . . it stayed, even though PriusChat sorta qualified as important. I hope, at the minimum, y'all are utilizing the “Master Password†feature if you are having Firefox remember your user names and passwords.
hmm. i don't tend to store passwords in any browser- but just to be sure i don't inadvertently do so, i disabled that feature. thanks for the warning.
I use Mozilla rather than Firefox so I'm going to give this a good read before I make a decision. I sure don't want to use Safari as my default browser.
I just don't ever save passwords or logins for anything that has to do with my finances or personal info. If you let the computer remember them, what happens when your computer crashes, or if you ever clear out the passwords? It also means that whoever can physically get on your computer will be able to access all that secure info with no effort.
QUOTE (Godiva @ Nov 22 2006, 06:15 PM) I thought Mozilla and Firefox were the same thing.... Mozilla Firefox.... boy, do I feel stupid now.
QUOTE (Schmika @ Nov 22 2006, 08:30 PM) Mozilla.org makes Firefox, Thunderbird and a number of other applications. They also make something called the Mozilla suite. My browser's icon is a blue square with a big white "M". Firefox's icon is a circle with a fox chasing its tail. I don't think they are the same browser and I'm not sure what the differences are. If you look on the Mozilla downloads page you'll see Firefox, Thunderbird and Mozilla. Click Mozilla and you'll get this: Mozilla suite "Web-browser, advanced e-mail and newsgroup client, IRC chat client, and HTML editing made simple -- all your Internet needs in one application." The Mozilla Suite is what the old Netscape Navigator suite used to be.
I never store critical passwords on the computer. I store passwords that are not critical: If someone gets onto my computer and gets my PriusChat log-on, the worst they could do is post in my name, or if they get my CU password they could read articles on the web site. But my bank password, no way!
I just set a master password for Firefox - then before sending out any password info, it makes you type your master password into Firefox first. It'll do as a temporary fix until they issue a patch (likely really quickly). It's also important to note that even with this flaw, Firefox will still only send the passwords if the hidden form being submitted is ON the authorized website - it's unlikely any legit sites (banks and the like) would purposefully put hidden forms on their servers to steal your passwords. It's more of an issue on "myspace"-type sites because users can post their own code on there and because it's all under the same domain, it can trick the browser into authenticating on the wrong path. For commercial sites where users can't post their own pages, it's pretty much a non-issue unless someone at the site wants to steal a password from you. Dave
QUOTE (DaveG @ Nov 22 2006, 10:52 PM) A Master Password in Firefox, or any other program for that matter, should not be thought of as a “temporary fix.” With the Master Password option (which really shouldn't be an “option”), Firefox strongly encrypts the actual passwords on your computer . . . you personally need to enter your Master Password twice if you wish to view your passwords in plain text – but even that does not prevent this exploit if the exploit is coming from a “trusted site.” I think a good analogy of this exploit would be a safe deposit box . . . the security, the bank employees (Firefox) and the keys (Master Password) may be there to keep the contents of the box safe and allow you to open it . . . but once it is opened, you (Firefox) will let anybody stick their hands in the box if they say “I am Joe Blow.” Without using a Master Password, anyone who walks into the bank (your computer) can access your box. These seem to be two separate but related problems. EEEEkkkkk!!!!! "The RCSR attack is much more likely to succeed because neither Internet Explorer nor Firefox are designed to check the destination of form data before the user submits them. The user sees a trusted website address in the browser's address bar because the exploit is conducted at the trusted website." http://www.info-svc.com/news/11-21-2006/ I still trust Firefox more than I do Internet Explorer 7. As of this writing, so does Secunia . . . Internet Explorer 7.x Affected By 3 Secunia advisories . . . rated Moderately critical http://secunia.com/product/12366/
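The destination check that the post above says browsers were not making, sketched as an added example that is not part of the original thread and is not Firefox's code; the function name, field names, reason strings and example hosts are all assumptions made for illustration.

```javascript
// Added example (not Firefox's implementation). All names are hypothetical.
// savedLogin.formUrl   : page on which the user saved the login
// savedLogin.actionUrl : where that original login form submitted to
function autofillDecision(savedLogin, pageUrl, formActionAttr) {
  const savedPage = new URL(savedLogin.formUrl);
  const savedAction = new URL(savedLogin.actionUrl);
  let page, action;
  try {
    page = new URL(pageUrl);
    // A missing or empty action submits back to the page itself;
    // a relative action resolves against the page URL.
    action = new URL(formActionAttr || pageUrl, pageUrl);
  } catch (e) {
    return { fill: false, reason: "unparseable-url" };
  }
  // Scheme, host and port must all match the page the login was saved on.
  if (page.origin !== savedPage.origin) {
    return { fill: false, reason: "page-origin-mismatch" };
  }
  // The credentials must go to the same place as when they were saved.
  if (action.origin !== savedAction.origin) {
    return { fill: false, reason: "action-origin-mismatch" };
  }
  // Same site but not the login page, e.g. a user-authored profile page.
  if (page.pathname !== savedPage.pathname) {
    return { fill: false, reason: "different-page-same-origin" };
  }
  return { fill: true, reason: "match" };
}

// Constructed sample data; the hosts are placeholders.
const SAVED = {
  formUrl: "https://forum.example/login",
  actionUrl: "https://forum.example/auth",
};
const CASES = [
  ["https://forum.example/login", "/auth"],
  ["https://forum.example/users/42", "/auth"],
  ["https://forum.example/login", "https://other.example/collect"],
  ["http://forum.example/login", "/auth"],
  ["https://forum.example/login", "http://"],
];
function runCases() {
  return CASES.map(([page, act]) => autofillDecision(SAVED, page, act).reason);
}
console.log(runCases());
```

The path comparison is the strictest of the three checks and would also refuse sites that show the same login form on several pages; the two origin checks alone already stop saved credentials from being filled into a form that posts to another host.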
Have to go with Presto and others here. It is EXTREMELY unwise to use any kind of password manager for financial sites or any other sites that have payment information or a billing history with you (wireless, cable, credit cards, etc.) and the reason why is PHYSICAL security. Anyone who has physical access to your computer can access these sites by simply clicking on a saved link?? That is tremendously foolish. If your computer was stolen or, more commonly, sold by yourself and you forgot to remove or didn't remove all traces of personal information (this happens way more often than one would think!!) I have a Mac laptop with links to all my financial services (do not access any of these financial sites from a Windows-based computer EVER) and the Mac has multiple layers of security including a bootup password. But even with that security, I never allow it to save passwords. The only thing Firefox saves on my password screen is basic stuff. Need log-ins for everything. I have mine for my e-mail (doesn't work, I am required to re-log in every 7 days or so...) and a multitude of other sites like Yahoo, MySpace, PriusChat, Engadget, and a handful of newspaper sites. Thankfully half of the above sites now track passwords with cookies so don't even need them anymore, but cookies don't last forever.
I restrict my browser to non-financial passwords and usernames. Because all my computing is on a notebook, I find a paper trail (although the best) to be too inconvenient, so I have my passwords in a program not widely known, and the single Microsoft app on my drive is very rarely used, and shut down as soon as I am finished with it. For a while I had all my passwords on an external USB key drive attached to my keychain, but the Prius smart key scuttled that approach, since my keys now live somewhere at the bottom of my pack. All in all, if I can have my passwords encrypted on a Macintosh, and a master password REQUIRED EVERY TIME I REQUEST A SECONDARY PASSWORD, I'd feel OK about security.
What's a financial password? Over here, banks use challenge/response tokens, not passwords. You get a calculator (some banks have you insert your bank card into the calculator, some banks deliver unique calculators, each with a personal key built in). To get into your account, activate the calculator with a PIN, enter the challenge digits from the website login screen on the calculator and enter the calculator response in your browser. So you can only get in with something you know (the PIN) AND something you have (the unique calculator and/or bank card). It's not 100% safe, but better than just a password...
I have challenges for my work log-ins that require me to answer a series of randomly selected personal questions. Security is important, as it should be in any professional environment. Passwords in conjunction with usernames are used when accessing financial sites from the internet.
QUOTE (DaveinOlyWA @ Nov 23 2006, 07:14 AM) Not if you have the Master Password set. The Master Password can be thought of as the key to the safe deposit box in which all your different variations of passwords for all the different web sites you visit are stored. You only need to remember your one Master Password to unlock all your passwords. You don't have to remember the passwords for PriusChat, the bank, eBay, PayPal, etc. etc. etc. If you use the Master Password option, all your passwords are encrypted on your hard drive. Even if YOU wish to see your passwords, you have to enter your Master Password a second time. When Firefox places the passwords in the login form on the screen, it only shows "********". Someone can sit down in front of, or steal, my computer and they would not have access to my passwords . . . unless they can guess my nonsensical Master Password. Storing your passwords on your hard drive in a strongly encrypted form is a very safe thing to do . . . especially considering the alternatives many people use . . . such as: 1) Using short, weak passwords so you can remember them in your head. 2) Using the same short, weak password over and over for many different web sites. 3) Writing your passwords on sticky notes and placing them on the computer or in the desk drawer. The problem with this security flaw is how Firefox handles the password for individual sites. If some enterprising PriusChatter wished to enter some code into a post, Firefox may read that as a legitimate request for a password from that trusted site . . . but the hacked code secretly sends the phished passwords to the attacker's personal computer. :angry: A banking site is not going to have a forum type situation where someone can easily enter the hack codes . . . and even if they did, you would still be toast when you log on manually.
Until this is cleared up, I am keeping all my financial and other important passwords out of the Password Manager and reverting back to pulling that sticky note out of the “*******” :blink: "Firefox is capable of securely storing passwords you enter in web forms to make it easier to log on to Web sites. You can manage the saved passwords and delete individual passwords by clicking Show Passwords. To stop saving passwords altogether, uncheck this option. Even with this option checked, however, you'll still be asked whether to save passwords for a site when you first visit it. If you select Never for This Site, that site will be added to an exceptions list. To access that list or to remove sites from it, click the Exceptions... button. Firefox can protect sensitive information such as saved passwords and certificates by encrypting them using a master password. If you create a master password, each time you start Firefox, it will ask you to enter the password the first time it needs to access a certificate or stored password. You can set, change, or remove the master password by checking or unchecking this option or by clicking the Change Master Password... button. If a master password is already set, you will need to enter it in order to change or remove the master password." http://www.mozilla.org/support/firefox/options#security
My computer can go a month if not longer between shut-downs, and my browser is active the entire time. So a master password doesn't strike me as much security. Even if I turned off the browser between sessions, malware could simply hang out and wait for me to unlock the master, and then query FFx with a rather short list of financial institutions.
Well, I just got a message that AVG has released a new version 7.5 of their anti-virus suite. Had to reboot for that. Also have to reboot for misc window updates, which speaking of, I get a message every day to download a security update for Macromedia which never seems to be successful. Anyone else have this issue?
I wish they'd do tokens or OTP schemes in the US like they're starting to roll out in EU. American financial institutions have no freakin' *clue* how to do security anywhere near right, and simply stonewall any attempts to bring them up to speed on how. . _H*
Put me in the category of those who never allow passwords that matter to be saved by my browser. It just doesn't make any sense. For forums I always say yes. For things involving my money -- no way.