Solved

How viable is it to hack a user password that was saved in an Internet web browser?

Posted on 2015-02-05
Last Modified: 2015-02-10
When we click 'Yes' to 'Save Password' when asked by an Internet browser, we understand that this user password is being saved by the web browser. On the Experts Exchange page we noticed that there is an option next to the username that permits seeing the password, which we find very helpful since it displays it and we just click on it (see pic below).

[Image: web-passwd]
Since this password is being viewed on the screen, how viable is it for malware, phishing or any bad-intention apps to steal this info? If so, what can we do?

Note:
We are interested in How-To hack or retrieve passwords, just want to know how to protect ourselves.
[Attachment: Password-Save-Google.jpg]
Question by:rayluvs
12 Comments
 
LVL 29

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 1200 total points
ID: 40592912
Short answer is to NEVER save a password in a browser. The default browser is the first place malware will look for passwords.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40593038
And the long answer?

It's not that easy. Chrome will not let you look at your own passwords, unless you re-authenticate. It will depend on what OS and browser you combine, name the version, too. Do you run an administrative account?
0
 

Author Comment

by:rayluvs
ID: 40593130
We use Chrome (desktop, not the Windows 8 apps version), an admin user and Windows 8 Pro. Note: we have installed Safari, Opera, MS Internet and Firefox (only use them if needed; 99.9% of the time we use Chrome).

Please explain "re-authenticate".
0
 
LVL 56

Accepted Solution

by:McKnife
McKnife earned 800 total points
ID: 40593264
If you use an administrative user, malware is already winning a lot. No security-interested person would do that and on the same hand ask for password security. So reconsider.

Re-authenticate: open the url chrome://settings/passwords (paste chrome://settings/passwords into your address bar)
->try to unmask a password, you will have to re-authenticate.
0
 
LVL 29

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 1200 total points
ID: 40593765
Long answer (I was using my phone for the short answer) is mostly the same.  Don't save any passwords in a browser.  Use a password manager (roboform, dashlane, passwordbox, 1password, keypass, etc).  I prefer using Roboform2Go.  It resides on my USB stick and goes everywhere with me.  Once in a while I will sync the whole lot to my roboform everywhere account, then sync my phone to the account, then delete all data from the account (I don't trust that even with 2 factor authentication all 200+ passwords won't get hacked).  I can use obtuse passwords and passphrases and so many of them because I have a password manager.
0
 

Author Comment

by:rayluvs
ID: 40595477
Understood on "re-authenticate".

So to be clear, if we check "remember password" when logging in to EE, that password is saved somewhere in Google chrome folder and available to any malware software snooping around?

Also, if the above question is true, then when checking on any website "remember password", the password is saved in readable text, not encrypted?

Finally, are the other browsers we have installed (Internet Explorer, Safari, Opera and Firefox) also subject to the same weakness as Chrome?
0
 
LVL 29

Expert Comment

by:Thomas Zucker-Scharff
ID: 40595499
Passwords are encrypted, but that may not help. It is just safer to use a password manager. Would you rather have something hidden really well or store it in a vault?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40595583
"So to be clear, if we check "remember password" when logging in to EE, that password is saved somewhere in Google chrome folder and available to any malware software snooping around?" - no! Firstly, you confuse things. We don't check "remember password" but chrome asks us if it should remember it and you can give your consent or not. What you see a checkbox for is "keep me logged in" which effectively stores the logon info in a cookie, which is a different thing altogether. So if we keep on judging the password manager of chrome and compare it with some external password manager, well, why not have a little read first, how chrome works and how, let's say RoboForm works in comparison to that?
Why come here, without having the slightest idea (sorry, but so it seems) and solely rely on "experts"?
Please do some work first, show that you have understood some things and let's discuss what is still unclear. Google will have documented chrome's password manager and so will RoboForm - please be so kind and read those, before we go on. Sorry for the straight words, but this is not the first question where you act exactly like this, but it feels like maybe number 20 (and I only count those where I participated).
0
 

Author Comment

by:rayluvs
ID: 40595923
Sorry you see it that way, but we have to say it's not. We really do our research prior to placing any question on EE. Even though a lot of EE answers are informative, straightforward and direct, some are just a link (thus, more reading for us) and others are bits of info, while in others we don't understand certain terms. Therefore, we try to be clearer and give more detail in our questions in order for the experts to understand us; hence, help us.

As to this question, it originated when we noticed the EE page could display the password saved when you check the box below the field, and we wanted to know how viable it is for malicious software to grab this data. Being that this page is from EE, and we haven't seen one like it before, we wanted your input on how secure this type of practice is.

So please excuse our ignorance on certain issues and how we go about our questions. That said, we want to say we really appreciate all your help on the topic.
0
 
LVL 29

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 1200 total points
ID: 40596059
Some browsers are better than others when it comes to this. Taking into consideration everything else I've said, note that IE will allow you to display passwords on most pages while other browsers will not.

I think the crux of your question is should we or shouldn't we display passwords and how easy is it for that to be exploited.

1. Don't display or have the browser remember passwords (I personally not only use Roboform, but use 2 factor authentication wherever possible).
2. I can't speak directly to the exploit question, but in my recent dealings I have used a utility that shows hidden fields and windows. This is freely available, so a piece of malware doing something similar is not far-fetched.
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 800 total points
ID: 40596238
Rayluvs, while it is certainly looking very easy to check the box "show password", how would malware go about to do this? Would a malware executable that runs in the background read the url, and decide it's an interesting one and then locate the mouse pointer and move it somehow to the correct position, click on it and somehow grab the displayed password? Oh no. This matter is quite complicated and while you will someday have found out how things work in chrome version 40, by that time there will be version 45 and things will work all the way different, maybe.

To give you an idea of the mechanisms, look at http://raidersec.blogspot.de/2013/06/how-browsers-store-your-passwords-and.html - but please acknowledge that this article is old and about older versions.

The developers, be they from Mozilla, Google or Apple or Microsoft, are not dumb. Their idea of a secure password handling in browsers is under constant change. But never will there be a point in time, when you are safe to enter passwords while a malware is running on your machine. And it does not matter if you use a browser internal or external password manager. It could be that some password manager software will be able to send a password to a website in a secure manner, but still, if a malware is running on the machine, the information displayed after entering the password is at risk, so why care?

If your question would have been "where should I keep my web logon passwords for best security", I would say "use keepass or the like". If it had been "where should I keep my passwords so that it requires no effort to manage them and still be secure that no other user on the same machine can see them" I would say use your browser internal pw manager unless you have highly sensitive account info, which should not be accessible unless you yourself would have to authenticate to the software that holds the passwords, or better, should be entered manually on each use, but only on fully trusted systems.

But you haven't asked this. You wondered about a certain page (ee) displaying a checkbox that would enable you to see a saved (or newly entered) password. That checkbox needs interaction with the mouse, unless the malware is capable (and willing) to control the mouse, I don't see any danger.

The problem is: if a malware is on your machine, can you be certain that it does not record the screen contents and record all your keystrokes? You can't.

So to my mind, what you have asked is really of no relevance from a security perspective.
0
 

Author Comment

by:rayluvs
ID: 40601803
Thanx all.
0

Question has a verified solution.