Wednesday 9 February 2011

Securing Browser Saved Passwords

It recently became apparent to me that my online 'remembered' passwords were not being held securely.


Not only can someone write (or download) a simple script or program to obtain the site address I have saved a password for, the username I used and my actual password in clear text, they can also get to all these details easily through Google Chrome and Firefox with next to no skill required.


In this blog I will explain the methods used to easily retrieve saved passwords and the ways in which to secure yourself against them.





For a very brief synopsis of the security findings, jump straight to the conclusion!




Retrieving a Browser's Saved Passwords


With Google Chrome

To view a person's saved passwords, someone with access to the computer needs only to follow these simple steps.

Click on the wrench (settings) symbol and then select options.



Select 'Personal Stuff' and then click on 'Show Saved Passwords'.



This presents the user with a list of site addresses and usernames for the browser's saved passwords. Selecting one of these address and username combinations and then selecting 'Show Password' (shown as 'Hide password' in my image below) displays the password for that entry.



For Mozilla Firefox

Similarly, to view saved passwords in Mozilla Firefox, anyone with access to the browser can follow the steps below.
In the browser go to the 'Tools' dropdown menu and select Options.



From here go to the 'Security' tab and select 'Saved Passwords'.



This presents the user with a list of site addresses and usernames for the browser's saved passwords. Selecting 'Show Passwords' and then 'Yes' to confirm presents the user with all the saved passwords in plain text.




Other Browsers

While Opera and Internet Explorer do not offer as easy a route to the passwords saved in them, both can be made to reveal their saved passwords by using free programs that are easy to download and use, such as those in the examples below...


Opera


Internet Explorer


Securing Browser Saved Passwords
To secure your browser passwords you really have only four options:

  • Ignore the security issue and hope for the best.
Or, being sensible:
  • Don't save your passwords.
  • Use a Master Password (explained in the next section).
  • Instead of using the browser to save your passwords, use external password saving software such as KeePass to save them in a fully encrypted form.
KeePass

KeePass is a great free program that secures passwords for pretty much everything you run on your PC. It is totally free and critically acclaimed, so as far as this blogger is concerned it is safe!

You can download it from here and setting up is relatively easy, but if you need it there is a guide on installation here and a guide on initial steps of use here. For more info on it and its cryptography methods see the Wikipedia page on it here!


    MASTER PASSWORD
    Setting a 'Master Password' protects the user's saved passwords by requiring the master password to be entered when the saved passwords are accessed, and by using it to authenticate sessions in which the user's saved passwords are utilised.
    How to Set Up a Master Password
    At present only Mozilla Firefox and Opera (out of the browsers covered) allow for a Master Password to be set.


    For Mozilla Firefox
    In the browser go to the 'Tools' Dropdown menu and select Options.



    Then under the 'Security' tab check the 'Use a master password' checkbox and select 'Change Master Password'.



    From the produced window you can set a master password.



    For Opera
    While in the main browser press 'Ctrl' and 'F12', and in the produced 'Preferences' window select the 'Advanced' tab and select 'Set Master Password'.



    And then in the produced 'Password' window a master password can be entered.



    Issues with the Master Password
    The main problem with the master password is that it can be removed by deleting the file that contains it from the host computer, leaving any passwords saved after that time accessible through the methods stated earlier.

    Dealing with this issue
    To solve this issue, a simple free folder lock program such as 'Folder Lock 6.5.5' (get it here) can be used to lock the folder where the master password is stored.


    NOTE: These methods will delete your saved passwords!


    For Mozilla Firefox the Master Password file is stored in
    C:\Users\'userName'\AppData\Roaming\Mozilla\Firefox\Profiles\2opel50c.default ('userName' is the name of the Windows user and '2opel50c.default' may be under a different .default folder name)


    To reset the master password, delete the file 'key3.db'. (To reset the master password and delete all saved passwords, you can also go to chrome://pippki/content/resetpassword.xul from the URL bar and select reset.)


    For Opera the Master Password File is stored in
    C:\Users\'userName'\AppData\Roaming\Opera\Opera

    To reset the master password delete the files 'opcert6.dat' and 'wand.dat'
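
Because the master password can be removed just by deleting these files, it is worth noticing when they disappear or are swapped out. The following is an added example, not part of the original post: it records a baseline of the key files named above and reports any that have since been deleted or replaced. The function names and the constructed demo folder are assumptions for illustration; only the file names come from the post.

```python
import hashlib
import tempfile
from pathlib import Path

# File names taken from the post; everything else here is illustrative.
KEY_FILES = {
    "firefox": ["key3.db"],
    "opera": ["opcert6.dat", "wand.dat"],
}


def snapshot(profile_dir, browser):
    """Map each key file name to its SHA-256 digest, or None if absent."""
    state = {}
    for name in KEY_FILES[browser]:
        path = Path(profile_dir) / name
        present = path.is_file()
        state[name] = hashlib.sha256(path.read_bytes()).hexdigest() if present else None
    return state


def compare(baseline, current):
    """Return sorted (file, finding) pairs for anything that differs from baseline."""
    findings = []
    for name, old in baseline.items():
        new = current.get(name)
        if old is not None and new is None:
            findings.append((name, "deleted"))
        elif old is None and new is not None:
            findings.append((name, "created"))
        elif old != new:
            findings.append((name, "replaced"))
    return sorted(findings)


def demo():
    """Run against a constructed profile folder, not a real browser profile."""
    with tempfile.TemporaryDirectory() as tmp:
        key = Path(tmp) / "key3.db"
        key.write_bytes(b"constructed key data A")
        baseline = snapshot(tmp, "firefox")
        key.unlink()  # the reset-by-deletion case described above
        after_delete = compare(baseline, snapshot(tmp, "firefox"))
        key.write_bytes(b"constructed key data B")  # a different file under the same name
        after_replace = compare(baseline, snapshot(tmp, "firefox"))
    return after_delete, after_replace


if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere other than the profile folder itself, and treat a 'replaced' finding as something to review: it also appears after you change the master password yourself.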



    In Conclusion

    Saving passwords on your browser is not secure unless you use:

    • Secure password saving software such as KeePass
    • A master password, and even then a few more steps are required if you want to be totally secure!


    Hope this helped!

    1 comment:

    1. Nice! I would like to know more about when someone syncs their passwords with a plug-in or their Google account in Chrome... what are the risks there? Maybe an idea for your next post?!?