Solved

Saving passwords in the browser vs chance of keyloggers listening for keystrokes

Posted on 2014-11-26
Last Modified: 2014-12-01
Opinions:  Better to allow passwords to be stored in the browser or not allow but risk a keylogger capturing input data in the future by not storing passwords?
Question by:Scott Fell,  EE MVE
17 Comments
 
LVL 90

Accepted Solution

by:
John Hurst earned 84 total points
You should make sure your computer is very secure. Mine is and keyloggers are a non-issue. That does not happen to me.

And yes, I do store passwords via Internet Explorer in Windows Credentials.
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 126 total points
I'm not worried about keyloggers either and I allow all my browsers to store passwords for me.  I'm pretty sure that all the browsers encrypt the usernames and passwords that they store.

The main security issue about letting the browser save your credentials is when other people can use your computer and can login to your accounts without your permission.  Since I'm the only one here, that's not a problem for me.
0
 
LVL 24

Assisted Solution

by:dgrafx
dgrafx earned 84 total points
I don't believe one can detect commercial key-loggers with programs such as Malwarebytes but can detect "bad" key-loggers. So keep your computer secure - don't let unauthorized people on them - routine updates - scan for malware - et cetera ...

I too am not worried about them ...
But at the same time I wouldn't completely ignore the potential threat.

And I also let browsers save this info for me - very handy and I "trust" that the info is secure enough.

Not the greatest answer in the world but just trying to help!
0
 
LVL 52

Author Comment

by:Scott Fell, EE MVE
This came up because I suggested not to let the browser store passwords.   I typically don't and am a glutton for punishment, plus on some sites I used obscure passwords that I have to look up.   But somebody mentioned they were hacked because of a keylogger they didn't know about and felt it was more secure to not have to type in a password all the time.  

I thought that was a valid point.  

The user would not be of your experience.
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 126 total points
A side note:  Chrome will 'auto-populate' fields even when the page says not to.
0
 
LVL 24

Assisted Solution

by:dgrafx
dgrafx earned 84 total points
>>A side note:  Chrome will 'auto-populate' fields even when the page says not to.<<

Not sure what is meant by "even when the page says not to".

When you specify on an input autocomplete="off" then chrome will not fill it in.
i.e. <input type="text" name="x" autocomplete="off">
0
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 83 total points
Browsers are the first place malware  will look for passwords. It is generally not a secure practice, IMHO, to allow any browser to remember passwords.  I use a password manager for that.   Since the password manager uses encryption,  there is less need to worry.  Key loggers cannot capture,  AFAIK, passwords if they are entered by a password manager.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 84 total points
I think Credential Manager is encrypted as well, although entering may not be encrypted. But key loggers need to be installed and that is easy to thwart.
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 126 total points
0
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 83 total points
Firefox is probably the most secure.  But I have learned not to trust anything I don't completely understand.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 82 total points
Unless you set a master password, none of your stored passwords are secure, they may be encrypted, but it's with a default string, which is no encryption at all really. You should not in my opinion trust the browser to store your passwords, and should use a password manager like PasswordSafe. PWD managers use harder to crack (rather SLOWER) algorithms for the master password than most browsers do. There are viri that steal direct from your browser's saved passwords, and if you've ever tried to recover even a master password protected browser password, you wouldn't trust the browser either.
Have a look at some of my articles around password choice and speed vs complexity.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
http://www.experts-exchange.com/Security/Misc/A_15519-How-to-make-stronger-and-longer-passwords.html
http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
IE has no master password. Chrome and Firefox don't offer to set a master password by default, however "null" is used as an encryption for the database, so technically they are encrypted by default. Please try to recover your own pass and see for yourself :) Nirsoft, securityxploded and even JohnTheRipper can recover the passwords with ease, JtR can do so against most popular password managers, but it will take longer because of password "stretching" techniques.
-rich
0
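
The contrast drawn in the answer above, between a store encrypted with a default string and one protected by a stretched master password, as an added example that is not part of the original post. The function names, the PBKDF2 choice, the iteration counts and the toy cipher are assumptions for illustration and do not reproduce any browser's or password manager's actual format.

```python
import hashlib
import hmac
import os

def derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password; every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)

def _keystream(key: bytes, n: int) -> bytes:
    # Toy stream cipher for this demo only: HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(secret: str, master: str, iterations: int) -> dict:
    """Return the record as stored on disk: everything except the master password."""
    salt = os.urandom(16)
    key = derive_key(master, salt, iterations)
    data = secret.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    tag = hmac.new(key, b"mac" + ct, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "ct": ct, "tag": tag}

def unseal(record: dict, master: str):
    """Return the stored secret, or None when the master password is wrong."""
    key = derive_key(master, record["salt"], record["iterations"])
    expected = hmac.new(key, b"mac" + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    ks = _keystream(key, len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()

def guess_cost(record: dict) -> int:
    """HMAC rounds an offline guess pays per candidate master password."""
    return record["iterations"]

# Constructed sample data, not real credentials.
no_master = seal("example-site-password", master="", iterations=1)
with_master = seal("example-site-password", master="correct horse battery staple",
                   iterations=200_000)
```

With no master password set, the stored record alone is enough to recover the secret; with one set, the same record yields nothing without it and each wrong guess pays the full stretching cost.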
 
LVL 38

Assisted Solution

by:BillDL
BillDL earned 41 total points
Coincidentally I was recovering some passwords last night on somebody else's computer using some of the free programs by Nir Sofer (Nirsoft) as suggested by richrumble.

I did read that he had had to remove the command line options from many of his programs in an effort to prevent Google from flagging his site as malicious because they own the online malware scanning site VirusTotal.  His programs are frequently flagged as potentially unwanted programs because they dig deep into the system, mimic some malware activity, and could potentially be used from the command line for malicious purposes.

As an example, the password for a configured POP3 email account in Windows Live Mail is stored in an XML-tagged plain text file as an encrypted string that is easily and instantly decrypted by Mail Pass View (http://www.nirsoft.net/utils/mailpv.html).

Password "vaults" like KeyPass allow you to copy out a password and paste into a field outwith the program, don't they?
I wonder whether the Windows clipboard is used, in which case it would be easy to grab the contents of the clipboard using fairly standard scripted methods.

I do not allow passwords to be cached by the browser for sensitive sites, but for the likes of EE I have no problem as the password is quite unique from the general pattern that I use for some of my other more secure passwords, and I have no really personal info available to steal.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 82 total points
The windows clipboard is used, and there are Viri for password managers too:
https://www.schneier.com/blog/archives/2014/11/citadel_malware.html
http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-victims-master-passwords/
Copy and Paste is easily grabbed by a keylogger, and it's not hard to target specific pages or applications, but copy and paste in my experience is far less targeted.
I still use the password manager over the browser storage. I have my favorites, and I use private or incognito browsing for every session, but I'm a tin-foil-hat type. Also it being the holidays, buy gift cards with cash at a brick and mortar, then go online and make your purchases with the gift cards ;p
-rich
0
 
LVL 52

Author Comment

by:Scott Fell, EE MVE
Thank you everybody for your insight.
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
Hope we helped some.
0
 
LVL 38

Expert Comment

by:BillDL
Thank you Scott
0
 
LVL 90

Expert Comment

by:John Hurst
Thanks Scott, and I was happy to help.
0
