  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 298

Saving passwords in the browser vs chance of keyloggers listening for keystrokes

Opinions:  Better to allow passwords to be stored in the browser or not allow but risk a keylogger capturing input data in the future by not storing passwords?
0
Scott Fell,  EE MVE
12 Solutions
 
John Hurst, Business Consultant (Owner) Commented:
You should make sure your computer is very secure. Mine is and keyloggers are a non-issue. That does not happen to me.

And yes, I do store passwords via Internet Explorer in Windows Credentials.
0
 
Dave Baldwin, Fixer of Problems Commented:
I'm not worried about keyloggers either and I allow all my browsers to store passwords for me.  I'm pretty sure that all the browsers encrypt the usernames and passwords that they store.

The main security issue about letting the browser save your credentials is when other people can use your computer and can log in to your accounts without your permission.  Since I'm the only one here, that's not a problem for me.
0
 
dgrafx Commented:
I don't believe one can detect commercial key-loggers with programs such as Malwarebytes but can detect "bad" key-loggers. So keep your computer secure - don't let unauthorized people on them - routine updates - scan for malware - et cetera ...

I too am not worried about them ...
But at the same time I wouldn't completely ignore the potential threat.

And I also let browsers save this info for me - very handy and I "trust" that the info is secure enough.

Not the greatest answer in the world but just trying to help!
0
 
Scott Fell, EE MVE, Developer, Author Commented:
This came up because I suggested not to let the browser store passwords.   I typically don't and am a glutton for punishment, plus on some sites I used obscure passwords that I have to look up.   But somebody mentioned they were hacked because of a keylogger they didn't know about and felt it was more secure to not have to type in a password all the time.  

I thought that was a valid point.  

The user would not be of your experience.
0
 
Dave Baldwin, Fixer of Problems Commented:
A side note:  Chrome will 'auto-populate' fields even when the page says not to.
0
 
dgrafx Commented:
>>A side note:  Chrome will 'auto-populate' fields even when the page says not to.<<

Not sure what is meant by "even when the page says not to".

When you specify on an input autocomplete="off" then Chrome will not fill it in.
i.e. <input type="text" name="x" autocomplete="off">
0
 
Thomas Zucker-Scharff, Systems Analyst Commented:
Browsers are the first place malware will look for passwords. It is generally not a secure practice, IMHO, to allow any browser to remember passwords. I use a password manager for that. Since the password manager uses encryption, there is less need to worry. Key loggers cannot capture, AFAIK, passwords if they are entered by a password manager.
0
 
John Hurst, Business Consultant (Owner) Commented:
I think Credential Manager is encrypted as well, although entering may not be encrypted. But key loggers need to be installed and that is easy to thwart.
0
 
Dave Baldwin, Fixer of Problems Commented:
0
 
Thomas Zucker-Scharff, Systems Analyst Commented:
Firefox is probably the most secure.  But I have learned not to trust anything I don't completely understand.
0
 
Rich Rumble, Security Samurai Commented:
Unless you set a master password, none of your stored passwords are secure, they may be encrypted, but it's with a default string, which is no encryption at all really. You should not in my opinion trust the browser to store your passwords, and should use a password manager like PasswordSafe. PWD managers use harder to crack (rather SLOWER) algorithms for the master password than most browsers do. There are viri that steal direct from your browser's saved passwords, and if you've ever tried to recover even a master password protected browser password, you wouldn't trust the browser either.
Have a look at some of my articles around password choice and speed vs complexity.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
http://www.experts-exchange.com/Security/Misc/A_15519-How-to-make-stronger-and-longer-passwords.html
http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
IE has no master password. Chrome and Firefox don't offer to set a master password by default, however "null" is used as an encryption for the database, so technically they are encrypted by default. Please try to recover your own pass and see for yourself :) Nirsoft, securityxploded and even JohnTheRipper can recover the passwords with ease, JtR can do so against most popular password managers, but it will take longer because of password "stretching" techniques.
-rich
0
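An added example, not part of the comment above and not any browser's or password manager's actual code: a Python sketch of why a store keyed on an empty default string gives no secrecy, and how password "stretching" raises the cost of every offline guess. PBKDF2-HMAC-SHA256, the header layout, the sample password and the iteration counts are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time


def make_header(master_password: str, iterations: int) -> dict:
    """Build a constructed vault header: salt, work factor and a key-check value."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)
    check = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlocks(header: dict, candidate: str) -> bool:
    """Re-derive the key from a candidate password and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(), header["salt"],
                              header["iterations"], dklen=32)
    expected = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return hmac.compare_digest(expected, header["check"])


def seconds_per_check(header: dict, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of testing ONE wrong candidate against the header."""
    best = float("inf")
    for i in range(samples):
        start = time.perf_counter()
        unlocks(header, f"wrong-candidate-{i}")
        best = min(best, time.perf_counter() - start)
    return best


def compare(candidates: int = 10_000_000) -> dict:
    """Hours needed to test `candidates` guesses on this machine, per configuration."""
    configs = {  # constructed sample password, illustrative iteration counts
        "no master password, 1 iteration": make_header("", 1),
        "master password, 1 iteration": make_header("Tr0ub4dor&3", 1),
        "master password, 300k iterations": make_header("Tr0ub4dor&3", 300_000),
    }
    return {name: candidates * seconds_per_check(h) / 3600 for name, h in configs.items()}


if __name__ == "__main__":
    # With no master password the "secret" is the empty string: no guessing is needed.
    print("empty string unlocks default vault:", unlocks(make_header("", 1), ""))
    for name, hours in compare().items():
        print(f"{name:35s} ~{hours:,.1f} hours for 10M guesses")
```

Stretching multiplies the cost of each guess but does not rescue a weak or empty master password, which is why the work factor and the password choice matter together.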
 
BillDL Commented:
Coincidentally I was recovering some passwords last night on somebody else's computer using some of the free programs by Nir Sofer (Nirsoft) as suggested by richrumble.

I did read that he had had to remove the command line options from many of his programs in an effort to prevent Google from flagging his site as malicious because they own the online malware scanning site VirusTotal.  His programs are frequently flagged as potentially unwanted programs because they dig deep into the system, mimic some malware activity, and could potentially be used from the command line for malicious purposes.

As an example, the password for a configured POP3 email account in Windows Live Mail is stored in an XML-tagged plain text file as an encrypted string that is easily and instantly decrypted by Mail Pass View (http://www.nirsoft.net/utils/mailpv.html).

Password "vaults" like KeyPass allow you to copy out a password and paste into a field outwith the program, don't they?
I wonder whether the Windows clipboard is used, in which case it would be easy to grab the contents of the clipboard using fairly standard scripted methods.

I do not allow passwords to be cached by the browser for sensitive sites, but for the likes of EE I have no problem as the password is quite unique from the general pattern that I use for some of my other more secure passwords, and I have no really personal info available to steal.
0
 
Rich Rumble, Security Samurai Commented:
The Windows clipboard is used, and there are Viri for password managers too:
https://www.schneier.com/blog/archives/2014/11/citadel_malware.html
http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-victims-master-passwords/
Copy and Paste is easily grabbed by a keylogger, and it's not hard to target specific pages or applications, but copy and paste in my experience is far less targeted.
I still use the password manager over the browser storage. I have my favorites, and I use private or incognito browsing for every session, but I'm a tin-foil-hat type. Also it being the holidays, buy gift cards with cash at a brick and mortar, then go online and make your purchases with the gift cards ;p
-rich
0
 
Scott Fell, EE MVE, Developer, Author Commented:
Thank you everybody for your insight.
0
 
Thomas Zucker-Scharff, Systems Analyst Commented:
Hope we helped some.
0
 
BillDL Commented:
Thank you Scott
0
 
John Hurst, Business Consultant (Owner) Commented:
Thanks Scott, and I was happy to help.
0
