Tuesday, December 29, 2009

How safe are your browser passwords?


Are you one of those people who stores all of your web logins in your browser? I have had lots of people tell me that it is unsafe to store your userids and passwords in your browser. But not being one to take other people’s word for it, I decided to test it myself.

Firefox


Firefox stores passwords on a per-profile basis in a file called signons.sqlite. The userids and passwords stored in that file are base-64 encoded using a key stored in key3.db. Note that I said encoded, not encrypted. Encoded means that anyone with access to signons.sqlite and key3.db can reverse the encoding to reveal the userids and passwords. There are several tools available to do just that. Below is a screenshot from Password Fox, one of the so-called password recovery tools that decode Firefox passwords. As you can see, it displays both the userid and the password.

If you have access to the browser you don’t even need one of the recovery tools. If you go into the Tools -> Options -> Security screen there is a “Saved Passwords” button which will gladly show you the userids, and if you click the “Show Passwords” button, the passwords as well.

One of the other features of Firefox is the ability to add a master password. The master password is used to encrypt the userids and passwords in the password store. The master password must be provided when you start Firefox and is used to decode the userids and passwords as required. This means that without the master password the “password recovery” tools like Password Fox can still tell what sites you have stored, but can’t view the userids or passwords.

There is another advantage of setting a master password. With a master password set, when you click the “Saved Passwords” button you must enter the master password before you can view the stored information.

Of course, there are a number of tools out there to “recover” the Firefox master password. Under the covers these tools are all brute force engines.

What this tells me is that if you use a high quality password, or better yet a high quality passphrase, there shouldn’t be any real risk to storing your Internet userids and passwords in Firefox.
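To make the two points above concrete, here is an added example (my own illustration, not code from the post or from Mozilla). It shows that a base64 layer can be undone by anyone holding the file, with no key involved, and that once a master password is used as a key, a "recovery" tool is reduced to guessing, so the expected cracking time is set by the strength of that password or passphrase. The record layout is constructed and is not the real signons.sqlite schema, and PBKDF2-HMAC-SHA256 is assumed as a stand-in for whatever key derivation the browser actually performs.

```python
"""Added example (not from the original post): base64 'encoding' versus a
key derived from a master password, and what brute force then costs.

Assumptions: the record below is constructed for illustration and is not
Firefox's real signons.sqlite schema; PBKDF2-HMAC-SHA256 stands in for the
browser's real key derivation.
"""
import base64
import hashlib
import math
import time

# Constructed sample record: the fields are only base64-encoded, as the post describes.
CONSTRUCTED_RECORD = {
    "hostname": "https://example.com",
    "encryptedUsername": base64.b64encode(b"alice").decode(),
    "encryptedPassword": base64.b64encode(b"hunter2").decode(),
}


def decode_record(record):
    """Undo the base64 layer. No key is needed: anyone holding the file can do this."""
    user = base64.b64decode(record["encryptedUsername"]).decode()
    password = base64.b64decode(record["encryptedPassword"]).decode()
    return user, password


PBKDF2_ITERATIONS = 100_000  # assumed work factor, not a browser setting


def derive_key(master_password, salt):
    """Stretch a master password into a 32-byte key with PBKDF2-HMAC-SHA256.
    A tool that guesses master passwords must pay this cost for every guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)


def measure_guess_rate(seconds=0.5):
    """Rough single-core guesses per second for derive_key on this machine
    (assumption: a guesser's per-guess cost is the same derivation)."""
    salt = b"constructed-salt"
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_key("guess%d" % n, salt)
        n += 1
    return n / (time.perf_counter() - start)


def search_space(symbols, length):
    """Number of candidates: a random password of `length` characters over a
    `symbols`-character set, or a passphrase of `length` words from a
    `symbols`-word list."""
    return symbols ** length


def entropy_bits(space):
    """Strength of a uniformly chosen secret from `space` candidates, in bits."""
    return math.log2(space)


def expected_crack_years(space, guesses_per_second):
    """Expected time to hit the right guess: half the space at the given rate."""
    seconds = (space / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    print("decoded without any key:", decode_record(CONSTRUCTED_RECORD))
    rate = measure_guess_rate()
    print("local guess rate: %.0f/s" % rate)
    for label, space in [
        ("8 random printable characters", search_space(95, 8)),
        ("6-word passphrase from a 7776-word list", search_space(7776, 6)),
    ]:
        print("%s: %.1f bits, ~%.3g years at that rate"
              % (label, entropy_bits(space), expected_crack_years(space, rate)))
```

The first print shows the userid and password recovered from the constructed record with nothing but a base64 decode. The second set of numbers is the part that matters for a master password: at the locally measured guess rate, an eight-character random password and a six-word passphrase differ by roughly 25 bits, which is a factor of about thirty million in expected cracking time.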

Internet Explorer


OK, I am a Firefox user normally, so I haven’t spent a whole lot of time on IE. But here is a quick overview.

Unfortunately, Internet Explorer suffers from the same problems. IE PassView is one of many tools that can display Internet Explorer passwords.



Unfortunately, as far as I know, IE 8 does not have a master password or provide any other way to encrypt the userids and passwords.

Summary


In a nutshell, I wouldn't store userids and passwords in Internet Explorer. I feel safe enough storing userids and passwords in Firefox as long as a strong passphrase is used as a master password to encrypt them.

Of course there is still the issue of what the browsers do with passwords in memory. Perhaps that is research for another day, but for the moment I think I am prepared to take that risk.

Saturday, July 11, 2009

Interesting Post on Data Breaches

A little behind in my reading... I just read a post by Bryan Sartin at VerizonBusiness.com. The post is a good read, but one thing stuck with me. Bryan states:

"I would estimate that payment cards represent as little as 1.2 – 1.5 percent of all data thefts. The remaining 98.x percent being occupied primarily by personally identifiable data (PII), then account credentials, company-proprietary data, and a few other categories in a distant fourth and fifth by incidence...When stolen, payment card data tends to lead to fraud. That’s the whole point of stealing it. The ensuing fraud is detectable and fraud analysis and detection tools have made it almost elementary to identify the likely source of a suspected payment card breach for almost 10 years."

The point is that compromises of payment card information are rarely detected by the company whose card information was breached. Rather, the breach is detected by the payment card industry and traced back to the company through the resulting fraud and the detection tools the payment card industry uses.

No similar capability exists to trace the source of lost personally identifiable information, account credentials, intellectual property and other data.

Would you even know if your company was breached?

Sunday, May 17, 2009

Seth Godin on Tribes

Somebody recently put me on to the TED talks. I have been through several, but one that has intrigued me is Seth Godin on Tribes. In a nutshell, what Mr. Godin is talking about is that the Internet gives anyone with an impassioned cause the capability to create a movement, or a tribe of people, to spread their message.

Definitely worth a listen.

Wednesday, February 04, 2009

Mandiant Memoryze Review and other free Mandiant Tools

In follow-up to my ISC diary of January 2nd, Russ McRee of holisticinfosec.org has published his review of Mandiant's Memoryze tool. Russ was so impressed with Memoryze that he awarded it the 2008 Toolsmith Tool of the Year!

For those of you who didn't read the first diary... Memoryze is a free tool from Mandiant to assist with Windows memory analysis. It is one small piece of Mandiant's Mandiant Intelligent Response (MIR) product, released for public consumption.

Russ's review can be found at http://holisticinfosec.org/toolsmith/docs/february2009.pdf

Another outstanding free tool released by Mandiant in the last few weeks is Hilighter. Hilighter is a tool that assists in the viewing and analysis of log files and other text files. I have only played with it a little bit, but so far I am very impressed.

Mandiant has other free incident response tools available on their website as well:

Red Curtain - helps find and analyze unknown malware

Web Historian - assists with review of websites found in browser history files

First Response - incident response management software

If these first few releases are any indication, it appears that the Mandiant folks are committed to providing top quality free tools to the incident response community.


Enjoy!

Friday, January 09, 2009

The Academy...Home!

Sometimes an idea comes along that was so obviously needed that you wonder why you didn't think of it yourself. One of those ideas is The Academy!

Because of very persistent marketing, most people in the security industry have heard of The Academy. Peter Giannoulous has done an amazing job of promoting his security video website in an almost viral way, using all sorts of Web 2.0 channels from LinkedIn to Twitter and everything in between.

Now Peter has gone one step further, launching The Academy Home. This site has the same general idea... videos on how to configure security... but the audience is much different. The Academy Home is aimed at the average computer user. Finally, a good quality security website aimed at your parents and grandparents, who are not savvy computer professionals and are sorely in need of good quality, knowledge-appropriate guidance.

So please help make this endeavour successful! Let all of your non-tech-savvy friends and relatives know about The Academy Home. Maybe you will even get a couple of nights off from tech-support. (-8

SANS Log Management Survey

I don't make personal pleas often, but this is something I truly believe can be significant in the security industry.

SANS is surveying individuals on log management practices in their organizations. The more people who take the survey, the more useful the results, so please give up 10 minutes of your time to complete it. Even if you have not yet started a log management project... please take the survey... your information is at least as important as that of those who have, if not more.

Thanks in advance!