  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 226

How hackable is a user password that was saved in an Internet web browser?

When we click 'Yes' to 'Save Password' when asked by an Internet browser, we understand that this user password is being saved by the web browser. On the Experts-Exchange page we noticed that there is an option next to the username that permits us to see the password, which we find very helpful since it displays it and we just click on it (see pic below).

Since this password is being viewed on the screen, how viable is it for malware, phishing or any bad-intention apps to steal this info? If so, what can we do?

Note:
We are interested in how-to hack or retrieve passwords, we just want to know how to protect ourselves.
Asked by: rayluvs

5 Solutions

Thomas Zucker-Scharff (Systems Analyst) commented:
Short answer is to NEVER save a password in a browser. The default browser is the first place malware will look for passwords.
McKnife commented:
And the long answer?

It's not that easy. Chrome will not let you look at your own passwords, unless you re-authenticate. It will depend on what OS and browser you combine, name the version, too. Do you run an administrative account?
rayluvs (Author) commented:
We use Chrome (desktop, not the Windows 8 apps version), an admin user and Windows 8 Pro. Note: we have installed Safari, Opera, MS Internet and Firefox (we only use them if needed; 99.9% of the time we use Chrome).

Please explain "re-authenticate".
McKnife commented:
If you use an administrative user, malware is already winning a lot. No security-interested person would do that and on the same hand ask for password security. So reconsider.

Re-authenticate: open the URL chrome://settings/passwords (paste chrome://settings/passwords into your address bar)
-> try to unmask a password, you will have to re-authenticate.
Thomas Zucker-Scharff (Systems Analyst) commented:
Long answer (I was using my phone for the short answer) is mostly the same. Don't save any passwords in a browser. Use a password manager (RoboForm, Dashlane, PasswordBox, 1Password, KeePass, etc). I prefer using RoboForm2Go. It resides on my USB stick and goes everywhere with me. Once in a while I will sync the whole lot to my RoboForm Everywhere account, then sync my phone to the account, then delete all data from the account (I don't trust that even with 2-factor authentication all 200+ passwords won't get hacked). I can use obtuse passwords and passphrases, and so many of them, because I have a password manager.
rayluvs (Author) commented:
Understood on "re-authenticate".

So to be clear, if we check "remember password" when logging in to EE, that password is saved somewhere in the Google Chrome folder and available to any malware software snooping around?

Also, if the above question is true, then when checking on any website "remember password", the password is saved in readable text, not encrypted?

Finally, are the other browsers we have installed (Internet Explorer, Safari, Opera and Firefox) also subject to the same weakness as Chrome?
Thomas Zucker-Scharff (Systems Analyst) commented:
Passwords are encrypted, but that may not help. It is just safer to use a password manager. Would you rather have something hidden really well or store it in a vault?
McKnife commented:
"So to be clear, if we check "remember password" when logging in to EE, that password is saved somewhere in Google chrome folder and available to any malware software snooping around?" - no! Firstly, you confuse things. We don't check "remember password"; Chrome asks us if it should remember it and you can give your consent or not. What you see a checkbox for is "keep me logged in", which effectively stores the logon info in a cookie, which is a different thing altogether. So if we keep on judging the password manager of Chrome and compare it with some external password manager, well, why not have a little read first on how Chrome works and how, let's say, RoboForm works in comparison to that?
Why come here, without having the slightest idea (sorry, but so it seems) and solely rely on "experts"?
Please do some work first, show that you have understood some things and let's discuss what is still unclear. Google will have documented Chrome's password manager and so will RoboForm - please be so kind and read those before we go on. Sorry for the straight words, but this is not the first question where you act exactly like this; it feels like maybe number 20 (and I only count those where I participated).
rayluvs (Author) commented:
Sorry you see it that way, but we have to say it's not. We really do our research prior to placing any question on EE. Even though a lot of EE answers are informative, straightforward and direct, some are just a link (thus, more reading for us), others are bits of info, and in others we don't understand certain terms. Therefore, we try to be clearer and give more detail in our questions in order for the experts to understand us and, hence, help us.

As to this question, it originated when we noticed the EE page could display the saved password when you check the box below the field, and we wanted to know how viable it is for malicious software to grab this data. Since this page is from EE, and we haven't seen one like it before, we wanted your input on how secure this type of practice is.

So please excuse our ignorance on certain issues and how we go about our questions. That said, we want to say we really appreciate all your help on the topic.
Thomas Zucker-Scharff (Systems Analyst) commented:
Some browsers are better than others when it comes to this. Taking into consideration everything else I've said, note that IE will allow you to display passwords on most pages while other browsers will not.

I think the crux of your question is should we or shouldn't we display passwords and how easy is it for that to be exploited.

1. Don't display or have the browser remember passwords (I personally not only use RoboForm, but use 2-factor authentication wherever possible).
2. I can't speak directly to the exploit question, but in my recent dealings I have used a utility that shows hidden fields and windows. This is freely available, so a piece of malware doing something similar is not far-fetched.
McKnife commented:
Rayluvs, while it certainly looks very easy to check the box "show password", how would malware go about doing this? Would a malware executable that runs in the background read the URL, decide it's an interesting one, then locate the mouse pointer and move it somehow to the correct position, click on it and somehow grab the displayed password? Oh no. This matter is quite complicated, and while you will someday have found out how things work in Chrome version 40, by that time there will be version 45 and things will work completely differently, maybe.

To give you an idea of the mechanisms, look at http://raidersec.blogspot.de/2013/06/how-browsers-store-your-passwords-and.html - but please acknowledge that this article is old and about older versions.

The developers, be they from Mozilla, Google, Apple or Microsoft, are not dumb. Their idea of secure password handling in browsers is under constant change. But there will never be a point in time when you are safe to enter passwords while malware is running on your machine. And it does not matter if you use a browser-internal or external password manager. It could be that some password manager software will be able to send a password to a website in a secure manner, but still, if malware is running on the machine, the information displayed after entering the password is at risk, so why care?

If your question had been "where should I keep my web logon passwords for best security", I would say "use KeePass or the like". If it had been "where should I keep my passwords so that it requires no effort to manage them and still be secure that no other user on the same machine can see them", I would say use your browser-internal password manager, unless you have highly sensitive account info, which should not be accessible unless you yourself have to authenticate to the software that holds the passwords, or better, should be entered manually on each use, but only on fully trusted systems.

But you haven't asked this. You wondered about a certain page (EE) displaying a checkbox that would enable you to see a saved (or newly entered) password. That checkbox needs interaction with the mouse; unless the malware is capable (and willing) to control the mouse, I don't see any danger.

The problem is: if malware is on your machine, can you be certain that it does not record the screen contents and record all your keystrokes? You can't.

So to my mind, what you have asked is really of no relevance from a security perspective.
rayluvs (Author) commented:
Thanks all.