Solved

How viable is a user-password hack-able which was saved in an Internet Web Browser

Posted on 2015-02-05
181 Views
Last Modified: 2015-02-10
When we click 'Yes' to 'Save Password' when asked by an Internet browser, we understand that this user-password is being saved by the web browser.  On the Experts Exchange page we noticed that there is an option next to the username that permits seeing the password, which we find very helpful since it displays it and we just click on it (see pic below).

Since this password is being viewed on the screen, how viable is it for malware, phishing or any bad-intention apps to steal this info?  If so, what can we do?

Note:
We are interested in how to hack or retrieve passwords, just want to know how to protect ourselves.
Question by:rayluvs
12 Comments
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 300 total points
ID: 40592912
Short answer is to NEVER save a password in a browser. The default browser is the first place malware will look for passwords.
 
LVL 53

Expert Comment

by:McKnife
ID: 40593038
And the long answer?

It's not that easy. Chrome will not let you look at your own passwords, unless you re-authenticate. It will depend on what OS and browser you combine, name the version, too. Do you run an administrative account?
 

Author Comment

by:rayluvs
ID: 40593130
We use Chrome (desktop, not the Windows 8 apps version), an admin user and Windows 8 Pro.  Note: we have installed Safari, Opera, MS Internet and Firefox (only use them if needed; 99.9% of the time we use Chrome).

Please explain "re-authenticate".
 
LVL 53

Accepted Solution

by:McKnife
McKnife earned 200 total points
ID: 40593264
If you use an administrative user, malware is already winning a lot. No security-interested person would do that and on the same hand ask for password security. So reconsider.

Re-authenticate: open the URL chrome://settings/passwords (paste chrome://settings/passwords into your address bar)
-> try to unmask a password; you will have to re-authenticate.
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 300 total points
ID: 40593765
Long answer (I was using my phone for the short answer) is mostly the same.  Don't save any passwords in a browser.  Use a password manager (RoboForm, Dashlane, PasswordBox, 1Password, KeePass, etc.).  I prefer using RoboForm2Go.  It resides on my USB stick and goes everywhere with me.  Once in a while I will sync the whole lot to my RoboForm Everywhere account, then sync my phone to the account, then delete all data from the account (I don't trust that even with 2-factor authentication all 200+ passwords won't get hacked).  I can use obtuse passwords and passphrases, and so many of them, because I have a password manager.
 

Author Comment

by:rayluvs
ID: 40595477
Understood on "re-authenticate".

So to be clear, if we check "remember password" when logging in to EE, that password is saved somewhere in the Google Chrome folder and available to any malware software snooping around?

Also, if the above question is true, then when checking on any website "remember password", the password is saved in readable text, not encrypted?

Finally, are the other browsers we have installed (Internet Explorer, Safari, Opera and Firefox) also subject to the same weakness as Chrome?
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40595499
Passwords are encrypted, but that may not help. It is just safer to use a password manager. Would you rather have something hidden really well or store it in a vault?
 
LVL 53

Expert Comment

by:McKnife
ID: 40595583
"So to be clear, if we check "remember password" when logging in to EE, that password is saved somewhere in Google chrome folder and available to any malware software snooping around?" - no! Firstly, you confuse things. We don't check "remember password"; Chrome asks us if it should remember it and you can give your consent or not. What you see a checkbox for is "keep me logged in", which effectively stores the logon info in a cookie, which is a different thing altogether. So if we keep on judging the password manager of Chrome and comparing it with some external password manager, well, why not have a little read first on how Chrome works and how, let's say, RoboForm works in comparison to that?
Why come here without having the slightest idea (sorry, but so it seems) and solely rely on "experts"?
Please do some work first, show that you have understood some things and let's discuss what is still unclear. Google will have documented Chrome's password manager and so will RoboForm - please be so kind and read those before we go on. Sorry for the straight words, but this is not the first question where you act exactly like this; it feels like maybe number 20 (and I only count those where I participated).
 

Author Comment

by:rayluvs
ID: 40595923
Sorry you see it that way, but we have to say it's not.  We really do our research prior to placing any question on EE.  Even though a lot of EE answers are informative, straightforward and direct, some are just a link (thus, more reading for us), others are bits of info, and in others we don't understand certain terms.  Therefore, we try to be clearer and give more detail in our questions in order for the experts to understand us and, hence, help us.

As to this question, it originated when we noticed the EE page could display the saved password when you check the box below the field, and we wanted to know how viable it is for malicious software to grab this data.  Being that this page is from EE, and we haven't seen one like it before, we wanted your input on how secure this type of practice is.

So please excuse our ignorance on certain issues and how we go about our questions. That said, we want to say we really appreciate all your help on the topic.
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 300 total points
ID: 40596059
Some browsers are better than others when it comes to this.  Taking into consideration everything else I've said, note that IE will allow you to display passwords on most pages while other browsers will not.

I think the crux of your question is should we or shouldn't we display passwords and how easy is it for that to be exploited.

1. Don't display or have the browser remember passwords (I personally not only use RoboForm, but use 2-factor authentication wherever possible).
2. I can't speak directly to the exploit question, but in my recent dealings I have used a utility that shows hidden fields and windows.  This is freely available, so a piece of malware doing something similar is not far-fetched.
 
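Two of the protections recommended in this thread (don't browse from an administrative account; don't let the browser remember passwords) can be enforced rather than left to habit. The following PowerShell script is an added example, not code from the thread or from any browser vendor; it uses the real Chrome (`PasswordManagerEnabled`) and Firefox (`PasswordManagerEnabled`, `OfferToSaveLogins`) enterprise policy names, and assumes the default Firefox install path. Run it from an elevated prompt, since the policy keys live under HKLM.

```powershell
# Added example: enforce "no browser-saved passwords" through policy and warn
# when the session is running as an administrator (McKnife's point above).
# Requires an elevated PowerShell prompt on Windows.

# 1. Is the current session an administrator? Browsing from such an account
#    means any malware that runs gets the same rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Write-Warning "This session is an administrator. Browse from a standard user account and elevate only when needed."
}

# 2. Chrome: PasswordManagerEnabled = 0 stops Chrome from offering to save
#    passwords and from autofilling ones already saved. The setting then shows
#    as managed in chrome://settings/passwords and cannot be flipped by the user.
$chromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path $chromeKey)) { New-Item -Path $chromeKey -Force | Out-Null }
Set-ItemProperty -Path $chromeKey -Name 'PasswordManagerEnabled' -Value 0 -Type DWord

# 3. Firefox: the same policy goes in distribution\policies.json next to
#    firefox.exe. The install path below is an assumption; adjust if needed.
$firefoxDir = 'C:\Program Files\Mozilla Firefox'
if (Test-Path (Join-Path $firefoxDir 'firefox.exe')) {
    $policyDir = Join-Path $firefoxDir 'distribution'
    New-Item -ItemType Directory -Path $policyDir -Force | Out-Null
    $policy = @{ policies = @{ PasswordManagerEnabled = $false; OfferToSaveLogins = $false } }
    $policy | ConvertTo-Json -Depth 3 |
        Set-Content -Path (Join-Path $policyDir 'policies.json') -Encoding ASCII
}

# 4. Show what is now in force for Chrome (0 = password manager disabled).
Get-ItemProperty -Path $chromeKey | Select-Object PasswordManagerEnabled
```

Passwords already stored before the policy is applied are not deleted by it; clear them once from chrome://settings/passwords (or the equivalent Firefox page) and move them into the password manager of your choice.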
LVL 53

Assisted Solution

by:McKnife
McKnife earned 200 total points
ID: 40596238
Rayluvs, while it certainly looks very easy to check the box "show password", how would malware go about doing this? Would a malware executable that runs in the background read the URL, decide it's an interesting one, then locate the mouse pointer, move it somehow to the correct position, click on it and somehow grab the displayed password? Oh no. This matter is quite complicated, and while you will someday have found out how things work in Chrome version 40, by that time there will be version 45 and things will work all the way differently, maybe.

To give you an idea of the mechanisms, look at http://raidersec.blogspot.de/2013/06/how-browsers-store-your-passwords-and.html - but please acknowledge that this article is old and about older versions.

The developers, be they from Mozilla, Google, Apple or Microsoft, are not dumb. Their idea of secure password handling in browsers is under constant change. But there will never be a point in time when you are safe to enter passwords while malware is running on your machine. And it does not matter if you use a browser-internal or external password manager. It could be that some password manager software will be able to send a password to a website in a secure manner, but still, if malware is running on the machine, the information displayed after entering the password is at risk, so why care?

If your question had been "where should I keep my web logon passwords for best security", I would say "use KeePass or the like". If it had been "where should I keep my passwords so that it requires no effort to manage them and still be secure that no other user on the same machine can see them", I would say use your browser-internal password manager, unless you have highly sensitive account info, which should not be accessible unless you yourself have to authenticate to the software that holds the passwords, or better, should be entered manually on each use, but only on fully trusted systems.

But you haven't asked this. You wondered about a certain page (EE) displaying a checkbox that would enable you to see a saved (or newly entered) password. That checkbox needs interaction with the mouse; unless the malware is capable (and willing) to control the mouse, I don't see any danger.

The problem is: if malware is on your machine, can you be certain that it does not record the screen contents and record all your keystrokes? You can't.

So to my mind, what you have asked is really of no relevance from a security perspective.
 

Author Comment

by:rayluvs
ID: 40601803
Thanx all.
