Comments on: Password Security Best Practices: An In-Depth Guide https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/ Straight-talking security advice from the Malware Experts Sun, 24 Sep 2023 15:00:57 +0000

By: diwul62 https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/#comment-789739 Sun, 18 Feb 2018 14:00:00 +0000 https://blog.emsisoft.com/?p=29524#comment-789739 Definitely a great article (sorry for this late reaction).

I hope, one day, there will be an article about using secure password / password managers whilst using Android browsers.
Q: How safe are the built-in password managers when using a master password?

My experience is that 3rd-party desktop password managers, which work fine on desktop PCs and usually have good add-ons for Windows Internet browsers in place, very much fail when using well-known browsers on a tablet.

Personally, I use Chrome (Windows) and Chrome on Android with its built-in password manager for non-financial sites (like forums).
I never use my tablet browser for banking purposes though.

I use Roboform to log into banking sites (or some other, strictly personal, sites).

By: Umbra@Emsisoft https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/#comment-789712 Mon, 29 Jan 2018 01:57:00 +0000 https://blog.emsisoft.com/?p=29524#comment-789712 In reply to Michael Hach.

Hello,

I’m running Bitwarden with the latest stable Chrome, no issue so far.

By: Michael Hach https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/#comment-789711 Sun, 28 Jan 2018 03:59:00 +0000 https://blog.emsisoft.com/?p=29524#comment-789711 I’m guessing that what you said, that BitWarden cannot be run as a native application yet, has shown itself to be the case, as I tried to use it with my current version of Chrome and the developers at Bitwarden said that the Beta version of a new Chrome is required to run it, at least w.r.t. importing the password list that the browser automatically stores for me, at this time. I guess I’ll have to make a selection from your list of candidates – any suggestions of one over another?

By: thegeekkid https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/#comment-789710 Sat, 27 Jan 2018 16:59:00 +0000 https://blog.emsisoft.com/?p=29524#comment-789710 In reply to Robert Bonomo.

Nope… and actually, I just used 12345 as the password since I was just testing whether or not it was stored in plain text or was machine reversible if you didn’t have the master password (I wasn’t testing for password strength or attacks on the password, I was testing for attacks on the data at rest).

Not only is the URL not encrypted, but neither is metadata such as when the site was last accessed, and others. Sure… probably not a huge deal; but the more a potential attacker knows about you and your habits, the easier their job becomes. In terms of the data that *is* encrypted, it looks like AES-128; but I’m not 100% sure on that… I didn’t actually try to figure that out. Like you, I figured it would have to be a decent algorithm.

By: harish arsham https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/#comment-789709 Sat, 27 Jan 2018 04:42:00 +0000 https://blog.emsisoft.com/?p=29524#comment-789709 In reply to Robert Bonomo.

Please trial

By: Robert Bonomo https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/#comment-789708 Sat, 27 Jan 2018 04:24:00 +0000 https://blog.emsisoft.com/?p=29524#comment-789708 In reply to thegeekkid.

Ah, OK. I thought you may have tried brute force. Yes, I opened the password file with a SQLite DB reader and the login URL was not encrypted, and wondered why not. I will have to presume Mozilla did their due diligence and is using something strong for encryption. Otherwise they would be the laughing stock.

By: thegeekkid https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/#comment-789706 Fri, 26 Jan 2018 20:57:00 +0000 https://blog.emsisoft.com/?p=29524#comment-789706 In reply to Robert Bonomo.

I booted up a testing VM from a pre-configured snapshot (fresh Windows 10 install with browsers, Notepad++ and a few other misc applications installed), updated Firefox to the latest version, set a master password, then submitted fake credentials to a random login page and saved the credentials. Once that was done, I attempted to use a password extractor from NirSoft, which failed. I then inspected the db3 and db4 SQLite files and the JSON file that contains the passwords. I did confirm that the username and password were encrypted, but the (substantial) metadata stored in the password manager regarding each login was not.

By: Robert Bonomo https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/#comment-789705 Fri, 26 Jan 2018 20:20:00 +0000 https://blog.emsisoft.com/?p=29524#comment-789705 In reply to thegeekkid.

Looking into KeePass now.
So what did you use for your test?

By: thegeekkid https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/#comment-789704 Fri, 26 Jan 2018 18:59:00 +0000 https://blog.emsisoft.com/?p=29524#comment-789704 In reply to thegeekkid.

OK… so I just ran a test on the latest version of Firefox. Assuming you use a (strong) master password, the passwords themselves are fairly safe. The problem is that there is still information disclosed in plain text that would not be in a fully encrypted password manager such as KeePass, LastPass, Dashlane, etc.

You would honestly be better off using KeePass (which is free) with the browser extension – it would provide the same ease of access as the built-in manager, and wouldn’t have the information disclosure issue.

By: thegeekkid https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/#comment-789703 Fri, 26 Jan 2018 06:37:00 +0000 https://blog.emsisoft.com/?p=29524#comment-789703 In reply to Robert Bonomo.

Honestly, it’s been a while since I’ve needed to get into a password-protected Firefox password manager (the large majority of people don’t set the master password). The last time that I did, I found that there was no encryption whatsoever, even with a master password. I believe I read somewhere that it may have been added in recent years. I’ll spin up my sandbox VM tomorrow and experiment with it and let you know what I find. :)

By: Robert Bonomo https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/#comment-789702 Fri, 26 Jan 2018 05:54:00 +0000 https://blog.emsisoft.com/?p=29524#comment-789702 In reply to thegeekkid.

Let’s look at Mozilla. I don’t use Chrome. I realise that if you do not use a master password on Firefox then it is as you say. It’s useless. Now throw in a password. One like the above K3s+zL4xq&KW*H, or just a long enough phrase like !le?pickle^elephant*chien++

They are words in 2 languages. But you will never see that phrase in real life.

The question the other poster and I are really asking is how strong the Firefox encryption of the passwords file is, provided you use a good password and not 12345, because what you described in your first post is that you are able to break bad practices by looking at the low-hanging fruit. I’m certain you can.

Brute force could be used, but in how much time? And I’m not talking about a Nation State Agency breaking the top terrorist’s computer.

I’m talking about a normal Jane Doe on the street who was compromised. Will that malware writer spend ages breaking that password file, or move on to something easier which has a better chance of success, like a burglar not wasting time breaking into a wired house and moving on to the neighbour who is not wired?

By: thegeekkid https://www.emsisoft.com/en/blog/29524/how-to-create-manage-store-passwords/#comment-789698 Thu, 25 Jan 2018 18:08:00 +0000 https://blog.emsisoft.com/?p=29524#comment-789698 In reply to Robert Bonomo.

The built-in password manager (by default) on browsers is either not encrypted (meaning the passwords are stored as plain text somewhere), or at best it uses machine-reversible encryption (which means that it doesn’t take much for someone with a decompiler to reverse the encryption). This means that I don’t need to know a password to get in; I just use a standard tool to extract the passwords from the local database. Yes, depending on the browser, there may be ways to change that; but if you are going to store passwords on your computer, it would generally be considered preferable to use an application that is specifically designed for that (and therefore better prepared to handle the security implications).
