Password management problems in IE and Firefox (The last part)

Review part I

5.2 Add password management shortcomings in Firefox 2.0

Firefox 2.0's password manager (November 2006) has a vulnerability that allows user information (from the current page) to send to any URL if they click on a dangerous link. This vulnerability is called Reverse Cross-Site Request (RCSR), it originates from the actual URL control browser so that this information is sent through web forms. The user has visited the site before and saved the information on the password manager, so the attack is likely to attack. The theft of this information was made available on MySpace.com and discovered by CIS. The normal pages that allow users to send original HTML are almost always easy to encounter this type of attack.

RCSR is more dangerous than the attack described in Section 5.1 because XMLHttpRequest does not allow requests other than the current domain name. In addition, links (which allow forms to be submitted) can appear in video formats, programs or can be games to make it difficult to detect.

5.3 Detecting Internet Explorer passwords

5.3.1 Restore password

Many companies have commercial software to recover passwords from Internet Explorer AutoComplete. ElcomSoft provides a program to do this work called Advanced Internet Explorer Password Recovery (AIEPR). Once started it can restore any AutoComplete information on any Internet Explorer version from 3 to 6 as long as the user is logged in. Software programs such as PassView working on Internet Explorer versions 4 through 6 and IEPassView for IE7 versions are provided free of charge.

5.3.2 Malware

Internet Explorer often uses a good way to combat the malware invasion. However, there are still gaps for malware to infiltrate AutoComplete information. These programs increase confidential information and then send it back to the attacker. The BackDoor-AXJ is a Trojan program that stores AutoComplete and other victim information then sends this information back to the operator. Srv.SSA-KeyLogger is a backdoor that is installed underground on Internet Explorer and acts as a main record. Backdoors also implicitly initialize AutoComplete and steal data from Protected Storage and then send it back through the HTTP GET protocol.

5.4 Discover passwords in Firefox

5.4.1 You can easily access text passwords.

For Firefox Password Manager users, the information entered can be seen in clear text as instructed below:

On Windows XP:

Firefox 1.5
Tools | Options | Privacy | Passwords | View Saved Passwords | View Passwords | Show Passwords

Firefox 2.0
Tools | Options | Security | Show Passwords | Show Passwords

5.4.2 Master Password attacks

Recently tools have been developed to perform password attacks on Master Password in Firefox. The following attacks are still very dangerous:

  1. Brute force
  2. Dictionary
  3. Hybrid

Firemaster is an unlocking tool designed for Master Password in Firefox. The tool was written in C ++ by NY Talekar in January 2006; The source code for this program is now available online. Other tools are written in C for the main function being developed. When the tools are improved, the password database can be trusted with the Master Password to deal with attacks. Therefore it cannot be said that a poor password can be broken in a few seconds. Moreover, having no password exposes the password database immediately. This is basically equivalent to marking the options menu in Firefox to show passwords.

5.4.3 Multiple username / passwords on a URL

Firefox has an interesting feature that will allow multiple audits for the same page. For example, say two fictional characters, Alice and Bob, use Firefox Password Manager on the same Windows XP account but have different bank accounts on the same page ( www.pncbank.com ). Password Manager will allow multiple username and password pairs. Password Manager will recognize when using each web account based on username and automatically enter the password field. This feature provides the ability to observe the following user information:

URL
bob
k9x763s
alice
n63ld23f

Based on security models, no individual pairs will use the same account; however, this problem is still risky because not all organizations work well. In addition, there is a related problem if a username / password pair is entered incorrectly for a certain page (as an error in switching two logins to completely different new pages). This information will be saved (even if it is not used) and can be compromised at some point in the future without knowing about the attendee.

5.4.4 Service-limited attacks

Any user or program with the permission to have a local user profile on the file system is also capable of attacking the password manager. If the files ( keyN.db , certN.db , secmod.db , signons.txt ) are deleted or changed, the username and password cannot be retrieved. The most important file in these files is KeyN.db and signons.txt , they keep their own functions and data is encrypted accordingly.
To secure the password database we should copy the files keyN.db , certN.db , secmod.db , and signons.txt to a secure address. So if these files are changed or deleted and Password Manager is not available, it can still ensure that the password database can be restored by copying them back to the Firefox profile folder.

6, Mistakes in security

Users do not fully understand or know the risks they may encounter when they use password management systems for browsers. This danger is associated with a lack of interest in keeping any username or password in spite of accessing a simple news group or something more secretive and sensitive, such as messages. Financial news at online brokerage sessions. Users expect the browser to be able to link to the operating system and will protect their information and abstract security technology. In fact the risks can occur more easily than what users are thinking. Browsers are as dangerous as applications because they are installed on most computer systems, used by many people, and store all usernames and passwords that users enter.

7, Usability

The proper features of password management in Internet Explorer and Firefox are shown below in Table 2. Some key differences are the ability to see passwords explicitly in Firefox that are not available in Internet Explorer. This is seen as a characteristic as well as a security risk, depending on whether the Master Password is set or not. In addition, Firefox has a useful feature that allows usernames and passwords to be explicitly prevented in some pages (for example, sensitive information for specific pages cannot be risky). In AutoComplete, this choice is only once and cannot be easily changed unless you understand the main functions of the registry. Furthermore AutoComplete has another advantage in Password Manager that users can choose to save URLs, usernames or passwords without the need for all three credentials like in Firefox.

Features Internet Explorer 7 Firefox 2.0Reminders to save passwords

yes

yes

Ability to easily change on "saved" or "unsaved" preferences

yes

The ability to not save any information in forms

yes

yes

Ability to easily access passwords in encrypted format (plaintext)

yes

Ability to choose to save URL, username or password

yes

 

Table 2 : Comparison of utility features of Internet Explorer and Firefox.

8, Prevention strategies

8.1, User-based prevention

8.1.1, Avoid

One way to prevent password compromise is to limit the use of managers for both Internet Explorer and Firefox. However, this can make users tend to choose the same password for multiple pages, which is very detrimental to security. Thus, the avoidance should be done if there is an alternate method to replace it. There is also a way for users to accidentally save passwords in a normal browsing process.

8.1.2, Disable password management

This will cause the password manager to prevent the ability to store usernames and passwords, although it may fall into a state similar to the above. This strategy differs from the method discussed in 8.2.

8.1.3, Alternate 'confirmed' password managers

A common method that users save passwords is in an application called Password Safe . The application designed by Bruce Schneier, which is an open source Windows utility, is a popular method for saving and accessing passwords. The passwords are encrypted with Schneier's Blowfish 0 digit block and are protected with Safe Combination .

Prudence and initial steps should be practiced before using any new program. However, a program with the purpose of saving sensitive information will focus more deeply than any browser, especially in the password retention feature. Focusing on open source password managers and designed with well-known cryptography are the reasons that make it a valuable option. Both AutoComplete and Password Manager provide simplicity and convenience to users; There is no need to go to another application to increase access to usernames and passwords.

8.1.4, Password complex

As stated in the previous sections, having a solid master password can effectively prevent attacks.

As mentioned above, Internet Explorer does not allow you to select a master password for AutoComplete; The security of information stored with AutoComplete is directly linked to the Windows user account password. Choosing a stronger Windows password will provide even more protection. Despite this, Windows passwords are not easy to compromise in a few minutes. Creating a stronger password in Password Manager for Firefox can significantly reduce compromise risks. A good password must be more than 8 characters long and must be mixed with alphanumeric characters, which will significantly increase security. Password cracking attacks can be carried out with Firefox Password Manager, but it is not a mainstream trend and with more careful use it is possible to compete. In many cases, Firefox users increase their protection by using a password similar to the Internet Explorer side.

8.2, Reconstruction based on Web development expert

According to the views of Web developers, commercial sites and financial institutions can perform user protection against future password compromises. Both Internet Explorer and Firefox have this protection if the tag attributes in HTML are set appropriately. Consider an example that is representative from MSDN and how easy it is to incorporate this change in any web page. By using this method, risk prevention centers can prevent password saving in Internet Explorer and Firefox.

This text will be saved:

This text is not saved:

Banks using this feature include Washington Mutual, Chase Manhattan as well as Fidelity, E * Trade, Vanguard, Schwab, etc. Many organizations are not used as PNC Bank Oppenheimer treasuries. If each site is equipped with this issue, there will not be any benefit from using password managers in the browser. Thus, this method only makes sense for each individual organization if it is appropriate. Using this method will not guarantee the client's safety (as shown in section 5.1). HTML and JavaScript can be changed at the client, switching from 'OFF' to 'ON'.
Settlement security of Windows business operations

It is possible to disable Internet Explorer AutoComplete feature for enterprise security. Using Group Policy Objects (GPO) is an easy solution to manage a large number of computer systems by controlling user and machine settings with their own policies. Using Windows Server 2003 in an Active Directory environment completely disables AutoComplete settings across an organization or company.

Conclude

The risk in password-saving techniques of browsers like Internet Explorer and Firefox needs to be further assessed. Any system that controls key functions in many areas needs further consideration. Users also need to have more knowledge about risks and benefits from using a password management system. Current methods to reduce the risk or attack as described in the document are only temporary solutions. Users always expect the best security system. Thus, the next generation of password management systems needs to focus more to meet user needs.

4 ★ | 1 Vote

May be interested

  • Setting up Firefox 4 requires saving passwords for Paypal, Citybank ...Setting up Firefox 4 requires saving passwords for Paypal, Citybank ...
    if you are still using the default password management function of firefox, when logging into sites like paypal, citybank ... the browser does not display a message asking to save the password. this is not a bug or any other strange behavior from the browser, simply because the autocomplete = 'off' section of the html page ...
  • The best password management software todayThe best password management software today
    password is an indispensable part of the online world. it is almost everywhere in the internet
  • 5 new tab management utilities for Chrome and Firefox5 new tab management utilities for Chrome and Firefox
    web browsing and tab management is a never-ending story and there is no one tool that can completely solve this problem.
  • What to do when Firefox crashes?What to do when Firefox crashes?
    like other browsers, sometimes you use firefox to surf the web and experience problems such as cracking your browser, or restarting, and can't open web pages even though the network connection is normal, ...
  • Retrieve saved passwords in Firefox and ChromeRetrieve saved passwords in Firefox and Chrome
    most browsers allow you to save the usernames and passwords that users use to log into certain websites. so, in case you own different username and password and forget the password for a certain website, you can completely get it back thanks to the browser password saving mechanism.
  • Top 4 best password management software to useTop 4 best password management software to use
    remembering passwords for many different accounts always gives you a headache, so to simplify and avoid losing passwords, you can use specialized password management applications and software. , helping you not have to try to take notes, or try to remember the password every time you need to use it. the top password management software below will help you easily remember different types of passwords.
  • The last 9 years Firefox has not protected user passwords carefullyThe last 9 years Firefox has not protected user passwords carefully
    a network security researcher recently discovered that during the past 9 years, firefox has stored user passwords with an outdated process.
  • How to use LastPass to manage passwords professionallyHow to use LastPass to manage passwords professionally
    lastpass is a professional password management software on computers for many different platforms.
  • Use Firefox's password managerUse Firefox's password manager
    password manager allows you to manage the passwords you use to log into websites without having to remember them.
  • Top 3 best password management software 2020Top 3 best password management software 2020
    top 3 best password management software 2020. many people use that method to set the same password for all accounts to be easy to remember, but this is quite dangerous because if revealing the password of an account then the other accounts are also at risk of being lost.