Password management problems in IE and Firefox (The last part)

Review part I

5.2 Add password management shortcomings in Firefox 2.0

Firefox 2.0's password manager (November 2006) has a vulnerability that allows user information (from the current page) to send to any URL if they click on a dangerous link. This vulnerability is called Reverse Cross-Site Request (RCSR), it originates from the actual URL control browser so that this information is sent through web forms. The user has visited the site before and saved the information on the password manager, so the attack is likely to attack. The theft of this information was made available on MySpace.com and discovered by CIS. The normal pages that allow users to send original HTML are almost always easy to encounter this type of attack.

RCSR is more dangerous than the attack described in Section 5.1 because XMLHttpRequest does not allow requests other than the current domain name. In addition, links (which allow forms to be submitted) can appear in video formats, programs or can be games to make it difficult to detect.

5.3 Detecting Internet Explorer passwords

5.3.1 Restore password

Many companies have commercial software to recover passwords from Internet Explorer AutoComplete. ElcomSoft provides a program to do this work called Advanced Internet Explorer Password Recovery (AIEPR). Once started it can restore any AutoComplete information on any Internet Explorer version from 3 to 6 as long as the user is logged in. Software programs such as PassView working on Internet Explorer versions 4 through 6 and IEPassView for IE7 versions are provided free of charge.

5.3.2 Malware

Internet Explorer often uses a good way to combat the malware invasion. However, there are still gaps for malware to infiltrate AutoComplete information. These programs increase confidential information and then send it back to the attacker. The BackDoor-AXJ is a Trojan program that stores AutoComplete and other victim information then sends this information back to the operator. Srv.SSA-KeyLogger is a backdoor that is installed underground on Internet Explorer and acts as a main record. Backdoors also implicitly initialize AutoComplete and steal data from Protected Storage and then send it back through the HTTP GET protocol.

5.4 Discover passwords in Firefox

5.4.1 You can easily access text passwords.

For Firefox Password Manager users, the information entered can be seen in clear text as instructed below:

On Windows XP:

Firefox 1.5
Tools | Options | Privacy | Passwords | View Saved Passwords | View Passwords | Show Passwords

Firefox 2.0
Tools | Options | Security | Show Passwords | Show Passwords

5.4.2 Master Password attacks

Recently tools have been developed to perform password attacks on Master Password in Firefox. The following attacks are still very dangerous:

1. Brute force
2. Dictionary
3. Hybrid

Firemaster is an unlocking tool designed for Master Password in Firefox. The tool was written in C ++ by NY Talekar in January 2006; The source code for this program is now available online. Other tools are written in C for the main function being developed. When the tools are improved, the password database can be trusted with the Master Password to deal with attacks. Therefore it cannot be said that a poor password can be broken in a few seconds. Moreover, having no password exposes the password database immediately. This is basically equivalent to marking the options menu in Firefox to show passwords.

5.4.3 Multiple username / passwords on a URL

Firefox has an interesting feature that will allow multiple audits for the same page. For example, say two fictional characters, Alice and Bob, use Firefox Password Manager on the same Windows XP account but have different bank accounts on the same page ( www.pncbank.com ). Password Manager will allow multiple username and password pairs. Password Manager will recognize when using each web account based on username and automatically enter the password field. This feature provides the ability to observe the following user information:

URL
bob
k9x763s
alice
n63ld23f

Based on security models, no individual pairs will use the same account; however, this problem is still risky because not all organizations work well. In addition, there is a related problem if a username / password pair is entered incorrectly for a certain page (as an error in switching two logins to completely different new pages). This information will be saved (even if it is not used) and can be compromised at some point in the future without knowing about the attendee.

5.4.4 Service-limited attacks

Any user or program with the permission to have a local user profile on the file system is also capable of attacking the password manager. If the files ( keyN.db , certN.db , secmod.db , signons.txt ) are deleted or changed, the username and password cannot be retrieved. The most important file in these files is KeyN.db and signons.txt , they keep their own functions and data is encrypted accordingly.
To secure the password database we should copy the files keyN.db , certN.db , secmod.db , and signons.txt to a secure address. So if these files are changed or deleted and Password Manager is not available, it can still ensure that the password database can be restored by copying them back to the Firefox profile folder.

6, Mistakes in security

Users do not fully understand or know the risks they may encounter when they use password management systems for browsers. This danger is associated with a lack of interest in keeping any username or password in spite of accessing a simple news group or something more secretive and sensitive, such as messages. Financial news at online brokerage sessions. Users expect the browser to be able to link to the operating system and will protect their information and abstract security technology. In fact the risks can occur more easily than what users are thinking. Browsers are as dangerous as applications because they are installed on most computer systems, used by many people, and store all usernames and passwords that users enter.

7, Usability

The proper features of password management in Internet Explorer and Firefox are shown below in Table 2. Some key differences are the ability to see passwords explicitly in Firefox that are not available in Internet Explorer. This is seen as a characteristic as well as a security risk, depending on whether the Master Password is set or not. In addition, Firefox has a useful feature that allows usernames and passwords to be explicitly prevented in some pages (for example, sensitive information for specific pages cannot be risky). In AutoComplete, this choice is only once and cannot be easily changed unless you understand the main functions of the registry. Furthermore AutoComplete has another advantage in Password Manager that users can choose to save URLs, usernames or passwords without the need for all three credentials like in Firefox.

Features Internet Explorer 7 Firefox 2.0Reminders to save passwords

yes

yes

Ability to easily change on "saved" or "unsaved" preferences

yes

The ability to not save any information in forms

yes

yes

Ability to easily access passwords in encrypted format (plaintext)

yes

Ability to choose to save URL, username or password

yes

Table 2 : Comparison of utility features of Internet Explorer and Firefox.

8, Prevention strategies

8.1, User-based prevention

8.1.1, Avoid

One way to prevent password compromise is to limit the use of managers for both Internet Explorer and Firefox. However, this can make users tend to choose the same password for multiple pages, which is very detrimental to security. Thus, the avoidance should be done if there is an alternate method to replace it. There is also a way for users to accidentally save passwords in a normal browsing process.

8.1.2, Disable password management

This will cause the password manager to prevent the ability to store usernames and passwords, although it may fall into a state similar to the above. This strategy differs from the method discussed in 8.2.

8.1.3, Alternate 'confirmed' password managers

A common method that users save passwords is in an application called Password Safe . The application designed by Bruce Schneier, which is an open source Windows utility, is a popular method for saving and accessing passwords. The passwords are encrypted with Schneier's Blowfish 0 digit block and are protected with Safe Combination .

Prudence and initial steps should be practiced before using any new program. However, a program with the purpose of saving sensitive information will focus more deeply than any browser, especially in the password retention feature. Focusing on open source password managers and designed with well-known cryptography are the reasons that make it a valuable option. Both AutoComplete and Password Manager provide simplicity and convenience to users; There is no need to go to another application to increase access to usernames and passwords.

8.1.4, Password complex

As stated in the previous sections, having a solid master password can effectively prevent attacks.

As mentioned above, Internet Explorer does not allow you to select a master password for AutoComplete; The security of information stored with AutoComplete is directly linked to the Windows user account password. Choosing a stronger Windows password will provide even more protection. Despite this, Windows passwords are not easy to compromise in a few minutes. Creating a stronger password in Password Manager for Firefox can significantly reduce compromise risks. A good password must be more than 8 characters long and must be mixed with alphanumeric characters, which will significantly increase security. Password cracking attacks can be carried out with Firefox Password Manager, but it is not a mainstream trend and with more careful use it is possible to compete. In many cases, Firefox users increase their protection by using a password similar to the Internet Explorer side.

8.2, Reconstruction based on Web development expert

According to the views of Web developers, commercial sites and financial institutions can perform user protection against future password compromises. Both Internet Explorer and Firefox have this protection if the tag attributes in HTML are set appropriately. Consider an example that is representative from MSDN and how easy it is to incorporate this change in any web page. By using this method, risk prevention centers can prevent password saving in Internet Explorer and Firefox.

This text will be saved:

This text is not saved:

Banks using this feature include Washington Mutual, Chase Manhattan as well as Fidelity, E * Trade, Vanguard, Schwab, etc. Many organizations are not used as PNC Bank Oppenheimer treasuries. If each site is equipped with this issue, there will not be any benefit from using password managers in the browser. Thus, this method only makes sense for each individual organization if it is appropriate. Using this method will not guarantee the client's safety (as shown in section 5.1). HTML and JavaScript can be changed at the client, switching from 'OFF' to 'ON'.
Settlement security of Windows business operations

It is possible to disable Internet Explorer AutoComplete feature for enterprise security. Using Group Policy Objects (GPO) is an easy solution to manage a large number of computer systems by controlling user and machine settings with their own policies. Using Windows Server 2003 in an Active Directory environment completely disables AutoComplete settings across an organization or company.

Conclude

The risk in password-saving techniques of browsers like Internet Explorer and Firefox needs to be further assessed. Any system that controls key functions in many areas needs further consideration. Users also need to have more knowledge about risks and benefits from using a password management system. Current methods to reduce the risk or attack as described in the document are only temporary solutions. Users always expect the best security system. Thus, the next generation of password management systems needs to focus more to meet user needs.