Your passwords are STILL showing.

This article was originally posted on the Carsonified blog on the 6th of August, 2008, by me. However, it’s been two years and this is still a problem.

A lot of geeks and developers out there are using Mozilla Firefox. It’s a fantastic browser, and I highly recommend it. Firefox has been a huge factor in the progress of web development. Where would we be without the Web Developer Toolbar and Firebug?

However, there’s one place you have to be careful using Firefox – password management. You know the little “Remember Password” button you click when you log in? Turns out Firefox doesn’t mind showing you the passwords you’ve saved, in plain text. It’s no secret – others have previously blogged about it – but it does bear repeating. This is the default behaviour, so if you haven’t already spotted this, then chances are it applies to you right now. That means someone unscrupulous can come along and read your passwords. Like this:

First, go into Preferences in Firefox (on a Mac, hit Cmd-,) and head to the Security tab. Then click the Saved Passwords button as shown here:

Security window in Firefox

This will bring up a Passwords window. I’m not showing you mine. But look for this button at the bottom right:

Show Saved Passwords button

Press this button. Voila! All your passwords are shown, in plain text, on-screen. Please note, my password is not hunter2.



This means that someone can open up Firefox on your computer, and view all your saved passwords. The way to change this is to set a master password for Firefox. Close that passwords window, and go back to the Security preferences pane. There, you’ll see an option for “Use a master password”.



This means that Firefox protects all your saved passwords with a master password which is never shown. However, get used to seeing this prompt…

Master Password prompt

because it comes up ALL the time when you’re using password-authenticated sites. Personally, I use WebKit nightly builds for everyday browsing: they’re extremely fast and stable.

This has been a part of Firefox since forever. Maybe one day they’ll fix it. For now, it’s still just a giant security nightmare.

Comments (3)

or just never save your password...saved passwords are always a security issue :)

another nasty one, would be using javascript, if you get onto a site, where a password is in a password field, and you wanna see it: use javascript :) most browsers can interpret specific javascript on top of a website..so you have no problem accessing DOM-Elements.
it would be something like this:
javascript:(function(){var s="",f=document.getElementsByTagName("input"),i;for(i=0;i<f.length;i++){s+=(f[i].type.toLowerCase()=="password"?f[i].value+"\n":"")}alert(s)})();

i don't know: if the website is using jquery or similar, it could get a bit shorter...but i don't know the internals of the browser that well, to tell for sure.
it's nasty, but useful :)

nuit (@jhoersch)
about 1 year ago

I use the Master Password Timeout addon for Firefox http://lncn.eu/bgu. It locks the master password keychain after a set amount of time (I use 2 minutes). Easy, sane and secure password management =)

Alex Bilbie (@alexbilbie)
about 1 year ago

Just use 1Password.

myfreeweb (@myfreeweb_en)
about 1 year ago