Browser passwords are not secure

 by: Sailfish - Fri, 5 Jan 2024 18:12 UTC

Ref: https://www.youtube.com/watch?v=rxoAndiV4QE

As the video states, this method is easily available on most modern
browsers (Note: I've confirmed it on Fx and Chrome).

This seems like a big security hole.

--
Sailfish
CDC Covid19 Trends: https://www.facebook.com/groups/624208354841034
Rare Mozilla Stuff: http://tinyurl.com/z86x3sg

Re: Browser passwords are not secure

 by: Andy Burns - Fri, 5 Jan 2024 18:19 UTC

Sailfish wrote:

> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>
> As the video states, this method is easily available on most modern
> browsers (Note: I've confirmed it on Fx and Chrome).
>
> This seems like a big security hole.

If you're going to save your passwords in the browser (or a password
manager) you should have a master password protecting them.

But even without "peeking" at the password like that, you could just
log in using the saved password, then use the mechanism on that site to
change the password.

Re: Browser passwords are not secure

 by: Carlos E.R. - Fri, 5 Jan 2024 20:21 UTC

On 2024-01-05 19:12, Sailfish wrote:
> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>
> As the video states, this method is easily available on most modern
> browsers (Note: I've confirmed it on Fx and Chrome).
>
> This seems like a big security hole.

Not to me, because to get my browser to write the password there you
have first to type the Master Password.

And before that, you need to log in to the computer.

--
Cheers, Carlos.

Re: Browser passwords are not secure

 by: VanguardLH - Fri, 5 Jan 2024 20:30 UTC

Sailfish <NIXCAPSsailfish@NIXCAPSunforgettable.com> wrote:

> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>
> As the video states, this method is easily available on most modern
> browsers (Note: I've confirmed it on Fx and Chrome).
>
> This seems like a big security hole.

Wouldn't that require the hacker to have physical access to your
computer to run the web browser from there since that is where the
encrypted password cache file is? The auto-fill option takes login
credentials from the password cache on the host where the user loads the
web browser, not by navigating to some common web site to use their own
web browser on their own host.

Any time anyone gets physical access to your computer, and they can
logon under your Windows account that has admin privileges, they can do
whatever you can do. If you use Windows auto-login, you've granted
ANYONE with physical access to get into your Windows account to do what
you can do under your Windows account. If you require a logon password
to your Windows account, make sure you use a strong password.

In addition, you should go into your BIOS and set a system password that
must be entered when the computer is booted. They must enter a password
when booting your host, and when logging into your Windows account.

If you don't restrict physical access to your computer, anyone can open
it up, yank the drive with OS, and mount it in their own computer to
bypass a lot of Windows security. Unless you enable BitLocker which is
what many companies do with portables they assign to their employees. If
your hardware is deficient of the requirements for BitLocker, you could
try TrueCrypt's volume encryption (I've never used it myself). If you
don't want to encrypt entire volumes, you can still use TrueCrypt to
create encrypted containers (you password mount as drives) for your
sensitive data.

If you don't secure booting of your computer, use a secure login that is
not automatic for your Windows account, don't encrypt your volume(s) or
use encrypted containers, and grant physical access to your computer,
you choose not to secure your computer, and that includes the password
cache in a web browser, especially if you don't use a global password on
the cache to require access *before* the web browser goes around
auto-filling logon fields. How much security you add depends on how
secure you feel with what you did implement.

I don't use a master password with my web browser's password cache as I
feel safe enough using the other security measures to prevent someone
from booting my computer, logging into my Windows account, and physical
access requires home invasion. For a mobile computer that I tote around
outside my home, yeah, I'd use a master password on the web browser's
password cache.

For the web browser on my smartphone, well, it's locked, so a thief
would have to get past the password to use the phone to get at the web
browser. I could add a master password there, though, if I was more
paranoid. I can't remember the last time my smartphone was not under my
physical control, though. I've not yet been assaulted to steal my
smartphone.

Re: Browser passwords are not secure

 by: NFN Smith - Fri, 5 Jan 2024 21:30 UTC

Sailfish wrote:
> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>
> As the video states, this method is easily available on most modern
> browsers (Note: I've confirmed it on Fx and Chrome).
>
> This seems like a big security hole.
>

I checked this in Firefox, and with the master password enabled, I don't
think that's the case.

I just checked my own installation (which does have a master password),
and nothing that this guy suggests is there. On several different saved
passwords, there is no setting for "input type", much less a setting for
"password" that can be changed to text.

I haven't tried this on a profile that doesn't have a master password.

As far as I'm aware, the master password ensures that the database of
passwords is encrypted.

It's worth noting a set of utilities at nirsoft.net that includes a
number of password recovery tools -- browsers, mail clients, Wi-Fi
access keys, network shares, etc. When I've run these, I can find
passwords for virtually any browser except Firefox (and for that matter,
Thunderbird and SeaMonkey). Sometimes, when I'm working with
non-technical users, I will run these tools on their computer, as a way
of demonstrating the vulnerability of saved passwords -- and why Firefox
(and Thunderbird and SeaMonkey) are preferable, because of the ability
to encrypt password stores.

A few months ago, I was working with a user and reviewing Thunderbird
configs. The user was using a master password, but by using the Nirsoft
tool, I found some configuration issues with profiles, where there were
copies of password stores that weren't encrypted. I don't remember the
detail, but running those scans allowed me the ability to clean up the
configs, where there were no saved passwords that weren't in the correct
password store (and password-protected).

As noted elsewhere in this thread, some of the threat would be from an
opponent that already has access to the computer, but to me, the primary
threat would be malware that knows where to look for stored passwords,
and then exfiltrate that data.

To me, the only safe way of storing passwords outside of a separate
password manager is in Mozilla applications, and *with* a master
password enabled.

Smith

Re: Browser passwords are not secure

 by: Sailfish - Fri, 5 Jan 2024 22:27 UTC

VanguardLH graced us with on 1/5/2024 12:30 PM:
> Sailfish <NIXCAPSsailfish@NIXCAPSunforgettable.com> wrote:
>
>> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>>
>> As the video states, this method is easily available on most modern
>> browsers (Note: I've confirmed it on Fx and Chrome).
>>
>> This seems like a big security hole.
>
> Wouldn't that require the hacker to have physical access to your
> computer to run the web browser from there since that is where the
> encrypted password cache file is? The auto-fill option takes login
> credentials from the password cache on the host where the user loads the
> web browser, not by navigating to some common web site to use their own
> web browser on their own host.
>
> Any time anyone gets physical access to your computer, and they can
> logon under your Windows account that has admin privileges, they can do
> whatever you can do. If you use Windows auto-login, you've granted
> ANYONE with physical access to get into your Windows account to do what
> you can do under your Windows account. If you require a logon password
> to your Windows account, make sure you use a strong password.
>
> In addition, you should go into your BIOS and set a system password that
> must be entered when the computer is booted. They must enter a password
> when booting your host, and when logging into your Windows account.
>
> If you don't restrict physical access to your computer, anyone can open
> it up, yank the drive with OS, and mount it in their own computer to
> bypass a lot of Windows security. Unless you enable BitLocker which is
> what many companies do with portables they assign to their employees. If
> your hardware is deficient of the requirements for BitLocker, you could
> try TrueCrypt's volume encryption (I've never used it myself). If you
> don't want to encrypt entire volumes, you can still use TrueCrypt to
> create encrypted containers (you password mount as drives) for your
> sensitive data.
>
> If you don't secure booting of your computer, use a secure login that is
> not automatic for your Windows account, don't encrypt your volume(s) or
> use encrypted containers, and grant physical access to your computer,
> you choose not to secure your computer, and that includes the password
> cache in a web browser, especially if you don't use a global password on
> the cache to require access *before* the web browser goes around
> auto-filling logon fields. How much security you add depends on how
> secure you feel with what you did implement.
>
> I don't use a master password with my web browser's password cache as I
> feel safe enough using the other security measures to prevent someone
> from booting my computer, logging into my Windows account, and physical
> access requires home invasion. For a mobile computer that I tote around
> outside my home, yeah, I'd use a master password on the web browser's
> password cache.
>
> For the web browser on my smartphone, well, it's locked, so a thief
> would have to get past the password to use the phone to get at the web
> browser. I could add a master password there, though, if I was more
> paranoid. I can't remember the last time my smartphone was not under my
> physical control, though. I've not yet been assaulted to steal my
> smartphone.

Your and the others' points are granted but mostly rely on using a
Master password or the inability of a "hacker" to gain access to one's
computer, presumably via hacking the login password.

However, riddle me this? How many people wontedly leave their computer
on when going to lunch or a meeting? I would say quite a few, even more
than not. Also, using the Master password is tedious; especially for
those who visit multiple password-protected sites.

All one would need to do is while the person is away, quickly bring up
Fx or Chrome and quickly enter amazon.com (or any heavily used site
like, twitter, facebook, instagram, tiktok, &c) in the URLbar and when
login prompt occurs, press f12 and inspect the password field.

I would think that lots of people don't use unique passwords for every
site, so getting one from a well-trafficked site stands a good chance of
being valid for others, as well.

Admittedly, smartphones are more secure.

--
Sailfish
CDC Covid19 Trends: https://www.facebook.com/groups/624208354841034
Rare Mozilla Stuff: http://tinyurl.com/z86x3sg

Re: Browser passwords are not secure

 by: Stan Brown - Sat, 6 Jan 2024 01:53 UTC

On Fri, 5 Jan 2024 14:30:08 -0600, VanguardLH wrote:
> Wouldn't that require the hacker to have physical access to your
> computer to run the web browser from there since that is where the
> encrypted password cache file is?

Is that still true if remote desktop or remote access or remote
troubleshooting (or whatever Microsoft is calling it this week) is
enabled? I believe it is enabled by default; I think I remember
disabling it when I got my current Windows 10 and Windows 11
machines.

--
Stan Brown, Tehachapi, California, USA https://BrownMath.com/
Shikata ga nai...

Re: Browser passwords are not secure

 by: Stan Brown - Sat, 6 Jan 2024 01:55 UTC

On Fri, 05 Jan 2024 10:12:24 -0800, Sailfish wrote:
>
> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>
> As the video states, this method is easily available on most modern
> browsers (Note: I've confirmed it on Fx and Chrome).
>
> This seems like a big security hole.

A number of people have suggested using a master password in the
browser, and I agree that would help.

In my opinion, it is better still to store _no_ passwords in the
browser, but have them all in a decent password manager. That puts
another roadblock in the way of bad actors, just figuring out which
program even contains your passwords.

--
Stan Brown, Tehachapi, California, USA https://BrownMath.com/
Shikata ga nai...

Re: Browser passwords are not secure

 by: Jörg Lorenz - Sat, 6 Jan 2024 05:56 UTC

On 06.01.24 at 02:53, Stan Brown wrote:
> On Fri, 5 Jan 2024 14:30:08 -0600, VanguardLH wrote:
>> Wouldn't that require the hacker to have physical access to your
>> computer to run the web browser from there since that is where the
>> encrypted password cache file is?
>
> Is that still true if remote desktop or remote access or remote
> troubleshooting (or whatever Microsoft is calling it this week) is
> enabled? I believe it is enabled by default; I think I remember
> disabling it when I got my current Windows 10 and Windows 11
> machines.

Remote Access being active is a gigantic hole in a security concept.
Also check the firewall settings.

--
"Gutta cavat lapidem." (Ovid)

Re: Browser passwords are not secure

 by: Jörg Lorenz - Sat, 6 Jan 2024 06:03 UTC

On 06.01.24 at 02:55, Stan Brown wrote:
> On Fri, 05 Jan 2024 10:12:24 -0800, Sailfish wrote:
>>
>> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>>
>> As the video states, this method is easily available on most modern
>> browsers (Note: I've confirmed it on Fx and Chrome).
>>
>> This seems like a big security hole.
>
> A number of people have suggested using a master password in the
> browser, and I agree that would help.
>
> In my opinion, it is better still to store _no_ passwords in the
> browser, but have them all in a decent password manager. That puts
> another roadblock in the way of bad actors, just figuring out which
> program even contains your passwords.

I trust Mozilla and its password manager more than any other third party
software except the manufacturer of the OS.

I never ever let someone else access my computers.

--
"Gutta cavat lapidem." (Ovid)

Re: Browser passwords are not secure

 by: Jeff Layman - Sat, 6 Jan 2024 08:19 UTC

On 06/01/2024 06:03, Jörg Lorenz wrote:
> On 06.01.24 at 02:55, Stan Brown wrote:
>> On Fri, 05 Jan 2024 10:12:24 -0800, Sailfish wrote:
>>>
>>> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>>>
>>> As the video states, this method is easily available on most modern
>>> browsers (Note: I've confirmed it on Fx and Chrome).
>>>
>>> This seems like a big security hole.
>>
>> A number of people have suggested using a master password in the
>> browser, and I agree that would help.
>>
>> In my opinion, it is better still to store _no_ passwords in the
>> browser, but have them all in a decent password manager. That puts
>> another roadblock in the way of bad actors, just figuring out which
>> program even contains your passwords.
>
> I trust Mozilla and its password manager more than any other third party
> software except the manufacturer of the OS.

I assume you don't use Autofill for logins and passwords, and use a
primary password for FF's password manager.

> Never ever I let someone else access my computers.

Do you use FF sync for your computers? If so, do you not consider that
is "someone else" accessing your computer?

I trust my third party password manager (and it's not Lastpass!).

--

Jeff

Re: Browser passwords are not secure

<unb3gd$hkkj$1@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2124&group=alt.comp.software.firefox#2124

From: hugybear@gmx.net (Jörg Lorenz)
Newsgroups: alt.comp.software.firefox
Subject: Re: Browser passwords are not secure
Date: Sat, 6 Jan 2024 09:37:33 +0100
Organization: Camembert Normand au Lait Cru
Lines: 42
Message-ID: <unb3gd$hkkj$1@dont-email.me>
References: <un9gq8$86lo$2@dont-email.me>
<MPG.400252fa84de5c53990276@news.individual.net>
<unaqer$gl49$1@dont-email.me> <unb2e7$hl36$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 6 Jan 2024 08:37:33 -0000 (UTC)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:115.0)
Gecko/20100101 Thunderbird/115.6.0
Content-Language: de-CH
In-Reply-To: <unb2e7$hl36$1@dont-email.me>
 by: Jörg Lorenz - Sat, 6 Jan 2024 08:37 UTC

On 06.01.24 09:19, Jeff Layman wrote:
> On 06/01/2024 06:03, Jörg Lorenz wrote:
>> On 06.01.24 at 02:55, Stan Brown wrote:
>>> On Fri, 05 Jan 2024 10:12:24 -0800, Sailfish wrote:
>>>>
>>>> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>>>>
>>>> As the video states, this method is easily available on most modern
>>>> browsers (Note: I've confirmed it on Fx and Chrome).
>>>>
>>>> This seems like a big security hole.
>>>
>>> A number of people have suggested using a master password in the
>>> browser, and I agree that would help.
>>>
>>> In my opinion, it is better still to store _no_ passwords in the
>>> browser, but have them all in a decent password manager. That puts
>>> another roadblock in the way of bad actors, just figuring out which
>>> program even contains your passwords.
>>
>> I trust Mozilla and its password manager more than any other third party
>> software except the manufacturer of the OS.
>
> I assume you don't use Autofill for logins and passwords, and use a
> primary password for FF's password manager.

How do you come to this conclusion?

>> Never ever I let someone else access my computers.
>
> Do you use FF sync for your computers? If so, do you not consider that
> is "someone else" accessing your computer?

Huh? That is utter nonsense: Do you know what encryption means?

> I trust my third party password manager (and it's not Lastpass!).

Your choice.

--
"Roma locuta, causa finita." (Augustinus)

Re: Browser passwords are not secure

<unb6vu$i4l2$1@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2126&group=alt.comp.software.firefox#2126

From: Jeff@invalid.invalid (Jeff Layman)
Newsgroups: alt.comp.software.firefox
Subject: Re: Browser passwords are not secure
Date: Sat, 6 Jan 2024 09:37:02 +0000
Organization: A noiseless patient Spider
Lines: 63
Message-ID: <unb6vu$i4l2$1@dont-email.me>
References: <un9gq8$86lo$2@dont-email.me>
<MPG.400252fa84de5c53990276@news.individual.net>
<unaqer$gl49$1@dont-email.me> <unb2e7$hl36$1@dont-email.me>
<unb3gd$hkkj$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 6 Jan 2024 09:37:02 -0000 (UTC)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.15.1
In-Reply-To: <unb3gd$hkkj$1@dont-email.me>
Content-Language: en-GB
 by: Jeff Layman - Sat, 6 Jan 2024 09:37 UTC

On 06/01/2024 08:37, Jörg Lorenz wrote:
> On 06.01.24 09:19, Jeff Layman wrote:
>> On 06/01/2024 06:03, Jörg Lorenz wrote:
>>> On 06.01.24 at 02:55, Stan Brown wrote:
>>>> On Fri, 05 Jan 2024 10:12:24 -0800, Sailfish wrote:
>>>>>
>>>>> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>>>>>
>>>>> As the video states, this method is easily available on most modern
>>>>> browsers (Note: I've confirmed it on Fx and Chrome).
>>>>>
>>>>> This seems like a big security hole.
>>>>
>>>> A number of people have suggested using a master password in the
>>>> browser, and I agree that would help.
>>>>
>>>> In my opinion, it is better still to store _no_ passwords in the
>>>> browser, but have them all in a decent password manager. That puts
>>>> another roadblock in the way of bad actors, just figuring out which
>>>> program even contains your passwords.
>>>
>>> I trust Mozilla and its password manager more than any other third party
>>> software except the manufacturer of the OS.
>>
>> I assume you don't use Autofill for logins and passwords, and use a
>> primary password for FF's password manager.
>
> How do you come to this conclusion?

A quick examination of history would show what sites you've accessed.
Going to any of those sites would lead to an automatic login, so no
security there. If a primary password has to be entered first, that
would be a lot better.

>>> Never ever I let someone else access my computers.
>>
>> Do you use FF sync for your computers? If so, do you not consider that
>> is "someone else" accessing your computer?
>
> Huh? That is utter nonsense: Do you know what encryption means?

What encryption are you referring to? The OS, FF, your sync access to
The Cloud? Is FF sync not in "The Cloud"? From
<https://www.scmagazine.com/news/apple-backed-data-breach-report-says-2-6-billion-records-leaked-in-2-years>:
"Cloud security was cited as being increasingly important, as 80% of
breaches include data stored in the cloud."

I've just noticed you're a Mac user. I thought you were a Windows user,
and the average user of that has, I believe, less knowledge of security.
We would all do better to follow the advice in the last paragraph here:
<https://neovera.com/icloud-security-breach-learn-anything/>

>> I trust my third party password manager (and it's not Lastpass!).
>
> Your choice.

And many others. I can't stop companies I deal with storing information
in The Cloud, but I store *nothing* in it.

--

Jeff

Re: Browser passwords are not secure

<1u3xc8y47f3hc.dlg@v.nguard.lh>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2129&group=alt.comp.software.firefox#2129

From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.software.firefox
Subject: Re: Browser passwords are not secure
Date: Sat, 6 Jan 2024 03:58:38 -0600
Organization: Usenet Elder
Lines: 100
Sender: V@nguard.LH
Message-ID: <1u3xc8y47f3hc.dlg@v.nguard.lh>
References: <un9gq8$86lo$2@dont-email.me> <1owbvtege0jkj$.dlg@v.nguard.lh> <un9vog$a8qd$2@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Keywords: VanguardLH,VLH
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Sat, 6 Jan 2024 09:58 UTC

Sailfish <NIXCAPSsailfish@NIXCAPSunforgettable.com> wrote:

> However, riddle me this? How many people wontedly leave their computer
> on when going to lunch or a meeting? I would say quite a few, even more
> than not. Also, using the Master password is tedious; especially for
> those who visit multiple password-protected sites.

How many people wontonly leave their cars unlocked after parking to go
into a bank or store, or in front of their garage? How many people
wontonly leave their house doors and windows unlocked even when going to
sleep? Just because security is available doesn't mandate everyone
employs it.

The master password is entered only once per web session. Not until you
exit the web browser, and later reload it, are you prompted for the
master password. Lots of users leave their web browser loaded despite
they aren't using it for long intervals. I exit the web browser when
I'm done with it; however, with boot and logon passwords in place, and
because physical access is required to my computer, I don't feel the
need to use a master password on Firefox's password cache. If I decided
to use a master password (which encrypts the password cache), I'd
probably leave FF loaded all the time, and even add a pinned icon for it
on the Taskbar. But then leaving FF loaded all the time to avoid having
to enter the master password obviates the point of having the master
password, but with screen saver locking the Windows session, me hitting
Win+L to lock the Windows session when I walk away, the boot password,
the login password, and preventing physical access to my computer, I'm
covered.

After all, no one has to edit the HTML code of a login web page to get
your login credentials. They can monitor the EMF radiated by the keys
on your keyboard, or use a keylogger, or just stand over your shoulder.

> All one would need to do is while the person is away, quickly bring up
> Fx or Chrome and quickly enter amazon.com (or any heavily used site
> like, twitter, facebook, instagram, tiktok, &c) in the URLbar and when
> login prompt occurs, press f12 and inspect the password field.

And all one would need to do when someone left their house unlocked to
go to the pharmacy to pick up their meds is to walk up to the door and
walk in. If security is available but you don't avail yourself of it,
the fault with a security lapse is not the fault of the software.

> I would think that lots of people don't use unique passwords for every
> site getting one from a well-trafficked stands a good chance of being
> valid for other, as well.

I use an algorithm (that I can remember instead of using password
software) to create a unique password at every domain. It even accounts
for some variations of the password, so I may have to try 1 to 3 times
to enter a password. Using the same password at every domain is
something boobs do.

I remember some TV game show where the question was how many passwords
do you have. Answers were 1, 2, and up to 5. Those boobs were reusing
the same password(s) at every site where they login. I probably visit
about 250 sites that have logins, and every one of them has a password
unique to just that domain.

While I have a memorized algorithm that lets me remember passwords, I
still use the FF password cache for convenience. However, FF password
entry doesn't work at all sites, so I have to revert to my memorized
algorithm.

You don't have to use the FF password manager to enter them in login web
forms. If you can't memorize your own algorithm to create unique
passwords at every site, use 3rd-party software. Don't have it pre-fill
the web login form. Have it show, and you copy, and have it copy and
you paste. Don't use auto-fill which is what the article was about if
you are uber-paranoid. Auto-fill pre-enters the strings when the web
form is rendered. If auto-fill is off, changing the HTML code to text
will show an empty login field since it has not yet been populated.

You can also disable auto-prefill in Firefox. The field doesn't get
filled when the web page appears, so the article's technique is nulled,
but you can still click on the field to /then/ populate it with entries
in the password cache. You get the convenience of a password cache, but
values are not pasted into the web form until *you* decide.

With FF configured to *not* use auto-fill, you can still get auto-fill
similarity by either FF showing a drop-down list for username, or you
right-click on the field to select a cached entry. If you use those
drop-down lists, the next input is auto-filled. That is, if you use the
drop-down list for username and pick from the cache, the next page shown
for password will have FF auto-fill the password field (and then you can
use your trick). However, if on the username page you simply type in
the string (that FF shows you in the drop-down list), the password page
will not be auto-filled, so you have to enter manually, or pick an entry
from Firefox's drop-down list. Alas, there is no way to completely
disable FF's auto-fill feature.

If you use a 3rd-party password manager (and turn off the one in FF),
you can use one that doesn't paste anything until you decide. That
means the login fields in the web page are not pre-filled for you to
then change HTML code (which will simply show empty fields). Yep, to
prevent abuse of the 3rd-party password manager, it should have a master
password, too. If you use auto-fill, you might as well put a .txt
file on the desktop. However, it can't be used unless someone logs into
your Windows account, can get past the boot password, or yanks your
drive or boots to a different OS to read the .txt file under another OS.
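
Added example (not part of the original post, and not Mozilla's code): a Python check for the auto-fill setting discussed in the post above. It reads the text of a profile's prefs.js and user.js and reports whether saved logins are kept and pre-filled on page load; `signon.rememberSignons` and `signon.autofillForms` are Firefox's own pref names, while the function names and the sample file contents are constructed for illustration.

```python
import re

# Values Firefox uses when a pref does not appear in the profile files.
DEFAULTS = {
    "signon.rememberSignons": True,  # built-in password manager stores logins
    "signon.autofillForms": True,    # stored logins are filled in on page load
}

# One pref per line: user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;\s*$'
)


def parse_prefs(text):
    """Parse prefs.js / user.js text into a {name: value} dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment, blank or malformed line
        raw = m.group("value")
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            continue  # value type this check does not understand
        prefs[m.group("name")] = value
    return prefs


def effective_prefs(prefs_js, user_js=""):
    """Defaults, then prefs.js, then user.js (user.js wins at startup)."""
    eff = dict(DEFAULTS)
    eff.update(parse_prefs(prefs_js))
    eff.update(parse_prefs(user_js))
    return eff


def audit(prefs_js, user_js=""):
    """Return (pref, note) findings for the exposure discussed in the thread.

    Whether a Primary Password is set is not read from these files,
    so this check says nothing about it.
    """
    eff = effective_prefs(prefs_js, user_js)
    findings = []
    if not eff["signon.rememberSignons"]:
        return findings  # nothing stored by the browser, nothing to fill
    findings.append((
        "signon.rememberSignons",
        "logins are stored in the browser; protect them with a Primary "
        "Password and a locked OS session",
    ))
    if eff["signon.autofillForms"]:
        findings.append((
            "signon.autofillForms",
            "password fields are populated as soon as the login page "
            "renders; set to false so a value is filled only on request",
        ))
    return findings


# Constructed sample profile contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("signon.autofillForms", false);
user_pref("browser.startup.homepage", "about:home");
'''
# A user.js that silently turns auto-fill back on at every startup.
SAMPLE_USER_JS = 'user_pref("signon.autofillForms", true);\n'

if __name__ == "__main__":
    for name, note in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(f"{name}: {note}")
```

As the post notes, turning off fill-on-load does not stop Firefox from filling the password once a saved username is picked from the drop-down, so a clean result here is not a substitute for locking the session.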

Re: Browser passwords are not secure

<wygytgxhizqw.dlg@v.nguard.lh>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2130&group=alt.comp.software.firefox#2130

From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.software.firefox
Subject: Re: Browser passwords are not secure
Date: Sat, 6 Jan 2024 04:07:17 -0600
Organization: Usenet Elder
Lines: 38
Sender: V@nguard.LH
Message-ID: <wygytgxhizqw.dlg@v.nguard.lh>
References: <un9gq8$86lo$2@dont-email.me> <1owbvtege0jkj$.dlg@v.nguard.lh> <MPG.4002526fd7869b2d990275@news.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Keywords: VanguardLH,VLH
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Sat, 6 Jan 2024 10:07 UTC

Stan Brown <the_stan_brown@fastmail.fm> wrote:

> VanguardLH wrote:
>
>> Wouldn't that require the hacker to have physical access to your
>> computer to run the web browser from there since that is where is the
>> encrypted password cache file?
>
> Is that still true if remote desktop or remote access or remote
> troubleshooting (or whatever Microsoft is calling it this week) is
> enabled? I believe it is enabled by default; I think I remember
> disabling it when I got my current Windows 10 and Windows 11
> machines.

For remote access, you would have to login at your computer using the
login credentials for the Windows account on the remote host. Well, if
you're allowing remoting into your already-powered on computer and
giving out your Windows account login credentials (or leaving your
Windows session open all the time, or using auto-login in Windows), you
decided to grant access to your computer and to your Windows account.

As for remote troubleshooting, that still uses RDP. The remoting user
(you) would have to get granted by the local user at their host.

https://support.microsoft.com/en-us/windows/solve-pc-problems-over-a-remote-connection-b077e31a-16f4-2529-1a47-21f6a9040bf3
Step 3 has them grant you access. You don't get it until they give it
to you.

If there wasn't a safeguard to granting access to a remoting user, no
malware or scam sites would be fettered to getting into everyone's
computer. Anyone could remote into your computer whenever they wanted.

If you run an RDP or VNC server on your host, and you don't mandate the
remoting user input a password, you've opened your computer to everyone.

Of course, it's possible to socially engineer the boobs to grant you
remote access. Can't think of any security that surmounts the user from
overcoming it. Users are the weakest link in security.

Re: Browser passwords are not secure

<kvsnsmF5vbhU1@mid.individual.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2131&group=alt.comp.software.firefox#2131

From: usenet@andyburns.uk (Andy Burns)
Newsgroups: alt.comp.software.firefox
Subject: Re: Browser passwords are not secure
Date: Sat, 6 Jan 2024 10:21:09 +0000
Lines: 11
Message-ID: <kvsnsmF5vbhU1@mid.individual.net>
References: <un9gq8$86lo$2@dont-email.me> <1owbvtege0jkj$.dlg@v.nguard.lh>
<un9vog$a8qd$2@dont-email.me> <1u3xc8y47f3hc.dlg@v.nguard.lh>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
In-Reply-To: <1u3xc8y47f3hc.dlg@v.nguard.lh>
 by: Andy Burns - Sat, 6 Jan 2024 10:21 UTC

VanguardLH wrote:

> The master password is entered only once per web session. Not until you
> exit the web browser, and later reload it, are you prompted for the
> master password. Lots of users leave their web browser loaded despite
> they aren't using it for long intervals.

I use a password manager (that has a browser add-in) it can lock after a
period of inactivity, or after a maximum duration, or when the windows
session itself locks etc ...

Re: Browser passwords are not secure

<3oeeq8oz2ves.dlg@v.nguard.lh>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2132&group=alt.comp.software.firefox#2132

From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.software.firefox
Subject: Re: Browser passwords are not secure
Date: Sat, 6 Jan 2024 04:27:41 -0600
Organization: Usenet Elder
Lines: 70
Sender: V@nguard.LH
Message-ID: <3oeeq8oz2ves.dlg@v.nguard.lh>
References: <un9gq8$86lo$2@dont-email.me> <MPG.400252fa84de5c53990276@news.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Keywords: VanguardLH,VLH
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Sat, 6 Jan 2024 10:27 UTC

Stan Brown <the_stan_brown@fastmail.fm> wrote:

> On Fri, 05 Jan 2024 10:12:24 -0800, Sailfish wrote:
>>
>> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>>
>> As the video states, this method is easily available on most modern
>> browsers (Note: I've confirmed it on Fx and Chrome).
>>
>> This seems like a big security hole.
>
> A number of people have suggested using a master password in the
> browser, and I agree that would help.
>
> In my opinion, it is better still to store _no_ passwords in the
> browser, but have them all in a decent password manager. That puts
> another roadblock in the way of bad actors, just figuring out which
> program even contains your passwords.

But, under the scenario assumed by the OP, couldn't someone physically
at your computer (a necessity for the OP's scenario) just click on the
Bitwarden icon to select a password, and have Bitwarden copy and paste
automatically? Once the login fields are filled in is when the HTML
trick might work to show the password (although for the Gmail example
there is now a Show Password checkbox, so no HTML editing needed). Only
because auto-fill or pre-fill injects strings into the values of the
elements in the web page is why you could change the attribute of the
element to show the text instead of show a bunch of asterisks. Without
auto-fill by Firefox, or pre-fill by a password manager, those elements
don't yet have values.

Of course, under the OP's scenario, as the OP claims, with the vast
majority of users not using a master password on the web browser's
password cache, why does anyone have to delve into the HTML code of the
login web page? They can just go to Settings -> Passwords, and wander
around the entire list of login credentials. There is an eye icon next
to passwords to show them as text. Don't even have to visit the web
sites to see the passwords in the password manager.

A master password helps in blocking access to the password list in FF;
however, the master password survives during the entire web session to
eliminate you having to reenter the master password on every visit to
the web sites. If someone leaves FF running all the time (they don't
exit after done with a web session) then there is no prompt for the
master password upon returning to the same web session. Another reason
you should exit the web browser when you're done with it instead of
leaving it loaded 24x7.

A master password helps, but only when prompted for it, and that's for a
new session in the web browser. If FF prompted on every login page for
the master password, it would be a major nuisance, and soon get dropped
by users.

https://support.mozilla.org/en-US/kb/use-primary-password-protect-stored-logins
"After you have defined and set your primary password, you will be
prompted to enter it once for each Firefox session, ..."

Imagine the nuisance of doing yardwork or working in the garage if you
had to unlock your house doors when you needed something inside the
house to continue your outside work.

Using a Windows login (no auto-login feature), a screen saver with
password, and Win+L to immediately lock the workstation when you leave
already makes it difficult for anyone to even get at or use your web
browser. Using a boot password makes sure no one can boot your computer
to a different OS (USB, CD) to bypass Windows security to read FF's
password cache. There have long been methods to restrict access to your
Windows account, and that helps protect any passwords stored by FF. A
master password encrypts the cache, but that's a bit over the top for me
as being too much a nuisance (I exit FF when done with it).

Re: Browser passwords are not secure

<4snn6k-3dnt1.ln1@esprimo.zbmc.eu>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2134&group=alt.comp.software.firefox#2134

From: cl@isbd.net (Chris Green)
Newsgroups: alt.comp.software.firefox
Subject: Re: Browser passwords are not secure
Date: Sat, 6 Jan 2024 10:50:12 +0000
Lines: 24
Message-ID: <4snn6k-3dnt1.ln1@esprimo.zbmc.eu>
References: <un9gq8$86lo$2@dont-email.me> <1owbvtege0jkj$.dlg@v.nguard.lh> <un9vog$a8qd$2@dont-email.me> <1u3xc8y47f3hc.dlg@v.nguard.lh> <kvsnsmF5vbhU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
User-Agent: tin/2.6.2-20220130 ("Convalmore") (Linux/5.15.0-91-generic (x86_64))
 by: Chris Green - Sat, 6 Jan 2024 10:50 UTC

Andy Burns <usenet@andyburns.uk> wrote:
> VanguardLH wrote:
>
> > The master password is entered only once per web session. Not until you
> > exit the web browser, and later reload it, are you prompted for the
> > master password. Lots of users leave their web browser loaded despite
> > they aren't using it for long intervals.
>
> I use a password manager (that has a browser add-in) it can lock after a
> period of inactivity, or after a maximum duration, or when the windows
> session itself locks etc ...
>
I use a secure[ish] password algorithm that I can remember so I never
store passwords in my browser (I have always regarded that as insecure).

I use the secure[ish] password algorithm only for web sites that I
really don't care if someone breaks in, i.e. shops (where I don't
store credit card details), forums, etc. For places where I want the
password to be secure it's stored separately in a well protected
password manager.

--
Chris Green

Re: Browser passwords are not secure

<jbtsg0uud03g$.dlg@v.nguard.lh>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2138&group=alt.comp.software.firefox#2138

From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.software.firefox
Subject: Re: Browser passwords are not secure
Date: Sat, 6 Jan 2024 05:20:22 -0600
Organization: Usenet Elder
Lines: 40
Sender: V@nguard.LH
Message-ID: <jbtsg0uud03g$.dlg@v.nguard.lh>
References: <un9gq8$86lo$2@dont-email.me> <1owbvtege0jkj$.dlg@v.nguard.lh> <un9vog$a8qd$2@dont-email.me> <1u3xc8y47f3hc.dlg@v.nguard.lh> <kvsnsmF5vbhU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Keywords: VanguardLH,VLH
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Sat, 6 Jan 2024 11:20 UTC

Andy Burns <usenet@andyburns.uk> wrote:

> VanguardLH wrote:
>
>> The master password is entered only once per web session. Not until you
>> exit the web browser, and later reload it, are you prompted for the
>> master password. Lots of users leave their web browser loaded despite
>> they aren't using it for long intervals.
>
> I use a password manager (that has a browser add-in) it can lock after a
> period of inactivity, or after a maximum duration, or when the windows
> session itself locks etc ...

Yep, 3rd-party password managers have more features than the ones built
into the web browsers. I'll revisit Bitwarden to see if I may use it
instead of the password manager in Firefox, Edge-C, or Chrome. Looks
like Bitwarden works on Windows, MacOS, Linux for desktop platforms, and
iOS, and Android for mobile platforms.

As I recall, the master password is not shared across instances of
Firefox using Firefox Sync, but the password cache is. So, wherever I
use Firefox (that connects to my Mozilla Account - used to be called
Firefox Sync), I have access to my passwords. Bitwarden mentions cloud
sync, but not sure it is included in their free version. I'm not toting
around an encrypted USB drive to make portable my password cache. I saw
mention in forums about a Bitwarden password vault that uses end-to-end
encryption to share password across multiple devices.

Seems I would also have to use a master password with Bitwarden as with
Firefox's master password to prevent anyone with physical access to my
desktop or smartphone from simply copying/pasting login credentials into
web forms. A master password would be a nuisance, but maybe additional
timeout options to expire access to the password cache in Bitwarden
would reduce the nuisance.

I use Firefox Mobile on Android. It allows adding some [curated]
extensions, but not all that are available for the Firefox Desktop.
Bitwarden is one I can install in Firefox Mobile.

Which one do you use?

Re: Browser passwords are not secure

<kvssehF5vbhU2@mid.individual.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2139&group=alt.comp.software.firefox#2139

From: usenet@andyburns.uk (Andy Burns)
Newsgroups: alt.comp.software.firefox
Subject: Re: Browser passwords are not secure
Date: Sat, 6 Jan 2024 11:38:56 +0000
Lines: 13
Message-ID: <kvssehF5vbhU2@mid.individual.net>
References: <un9gq8$86lo$2@dont-email.me> <1owbvtege0jkj$.dlg@v.nguard.lh>
<un9vog$a8qd$2@dont-email.me> <1u3xc8y47f3hc.dlg@v.nguard.lh>
<kvsnsmF5vbhU1@mid.individual.net> <jbtsg0uud03g$.dlg@v.nguard.lh>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
In-Reply-To: <jbtsg0uud03g$.dlg@v.nguard.lh>
 by: Andy Burns - Sat, 6 Jan 2024 11:38 UTC

VanguardLH wrote:

> Which one do you use?

I pay for Enpass Premium, it stores everything in one encrypted file,
which does win/linux/android and can be synced via various cloud
services.

Previously my laptops had fingerprint readers, which I used to unlock
the password manager, but I had to settle for replacement laptops
without fingerprint readers a year or so ago, they keep saying they'll
add hardware token support (I have yubikeys) but they never seem to get
round to it ...

Re: Browser passwords are not secure

<kvt1flF99bnU1@mid.individual.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2141&group=alt.comp.software.firefox#2141

From: me@privacy.invalid (s|b)
Newsgroups: alt.comp.software.firefox
Subject: Re: Browser passwords are not secure
Date: Sat, 06 Jan 2024 14:05:06 +0100
Organization: XXII
Lines: 12
Message-ID: <kvt1flF99bnU1@mid.individual.net>
References: <un9gq8$86lo$2@dont-email.me> <MPG.400252fa84de5c53990276@news.individual.net> <unaqer$gl49$1@dont-email.me>
Reply-To: sb.nospam@belgacom.net
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: ForteAgent/8.00.32.1272
 by: s|b - Sat, 6 Jan 2024 13:05 UTC

On Sat, 6 Jan 2024 07:03:07 +0100, Jörg Lorenz wrote:

> I trust Mozilla and its password manager more than any other third party
> software except the manufacturer of the OS.
>
> Never ever I let someone else access my computers.

KeePass (open source) doesn't store the database 'in the cloud'. It's
stored locally. It can be protected with both a password and a key file.

--
s|b

Re: Browser passwords are not secure

<kvt1p3F9bviU1@mid.individual.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2142&group=alt.comp.software.firefox#2142

 by: s|b - Sat, 6 Jan 2024 13:10 UTC

On Fri, 05 Jan 2024 10:12:24 -0800, Sailfish wrote:

> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>
> As the video states, this method is easily available on most modern
> browsers (Note: I've confirmed it on Fx and Chrome).
>
> This seems like a big security hole.

The video is 11 years old, you'd think this would have been fixed. Does
it still work if there's a Primary Password active?

--
s|b

Re: Browser passwords are not secure

<unbpqo$l03s$1@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2146&group=alt.comp.software.firefox#2146

 by: Jörg Lorenz - Sat, 6 Jan 2024 14:58 UTC

On 05.01.24 23:27, Sailfish wrote:
> However, riddle me this? How many people wontedly leave their computer
> on when going to lunch or a meeting? I would say quite a few, even more
> than not. Also, using the Master password is tedious; especially for
> those who visit multiple password-protected sites.

Then discussion ends here. Exactly here. Why discuss the security of
browser passwords when someone is stupid enough to go out for lunch
without logging out? In case of correct configuration this will be done
shortly after leaving for lunch at least.

In good companies this can be a reason to be fired immediately. In mine
it was.

--
"Roma locuta, causa finita." (Augustinus)

Re: Browser passwords are not secure

<unbq0r$l03t$1@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2147&group=alt.comp.software.firefox#2147

 by: Jörg Lorenz - Sat, 6 Jan 2024 15:01 UTC

On 06.01.24 10:37, Jeff Layman wrote:
> On 06/01/2024 08:37, Jörg Lorenz wrote:
>> On 06.01.24 09:19, Jeff Layman wrote:
>>> On 06/01/2024 06:03, Jörg Lorenz wrote:
>>>> Am 06.01.24 um 02:55 schrieb Stan Brown:
>>>>> On Fri, 05 Jan 2024 10:12:24 -0800, Sailfish wrote:
>>>>>>
>>>>>> Ref: https://www.youtube.com/watch?v=rxoAndiV4QE
>>>>>>
>>>>>> As the video states, this method is easily available on most modern
>>>>>> browsers (Note: I've confirmed it on Fx and Chrome).
>>>>>>
>>>>>> This seems like a big security hole.
>>>>>
>>>>> A number of people have suggested using a master password in the
>>>>> browser, and I agree that would help.
>>>>>
>>>>> In my opinion, it is better still to store _no_ passwords in the
>>>>> browser, but have them all in a decent password manager. That puts
>>>>> another roadblock in the way of bad actors, just figuring out which
>>>>> program even contains your passwords.
>>>>
>>>> I trust Mozilla and its password manager more than any other third party
>>>> software except the manufacturer of the OS.
>>>
>>> I assume you don't use Autofill for logins and passwords, and use a
>>> primary password for FF's password manager.
>>
>> How do you come to this conclusion?
>
> A quick examination of history would show what sites you've accessed.

Sorry. You are a Troll. No one can: Everything is deleted when closing
the browser. What do you try to prove at any price?

I'm out of this bizarre discussion.

--
"Roma locuta, causa finita." (Augustinus)

Re: Browser passwords are not secure

<unbsmq$llcm$1@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2148&group=alt.comp.software.firefox#2148

 by: jjb - Sat, 6 Jan 2024 15:47 UTC

On 06-01-2024 14:05, s|b wrote:
> On Sat, 6 Jan 2024 07:03:07 +0100, Jörg Lorenz wrote:
>
>> I trust Mozilla and its password manager more than any other third party
>> software except the manufacturer of the OS.
>>
>> Never ever I let someone else access my computers.
>
> KeePass (open source) doesn't store the database 'in the cloud'. It's
> stored locally. It can be protected with both a password and a key file.
>
PasswordSafe is available for Windows and Linux. It stores its database
locally protected with a password or with Yubikey. Does not synchronize
or use the cloud.

