Friday, July 20, 2007
Why you want a master password in Firefox
Firefox offers to remember passwords for you. It's a handy feature, and makes it easier to manage having a lot of strong passwords.
Unless you set up a master password, it will automatically fill in a password when a login page asks for it.
You'll ask "what is a login page?" if you're a paranoid security person. For Firefox, it's anything under the same top level domain. For example, if Firefox has stored your password for myspace.com, it will fill it in for myspace.com/jenniferthecatlover. If Jennifer has uploaded something that looks like a login form to Firefox, Firefox will give Jennifer your password. Myspace prevents this now, but other services that allow users to upload content could have a problem.
The fix I recommend is to go into your Firefox preferences, click Security, and click the checkbox "Use a master password". That way, Firefox will ask for your master password before it gives away your site-specific passwords, and you can tell it not to if you know you've already logged in, or if you know that you're looking at a user's page and not at a real login page.
Heise security has technical details.
UPDATE 7/23:
I may have spoken too soon about Myspace, many people are reporting that it still allows people to upload active content.
There's another way to protect yourself, which is a Firefox extension called Secure Login. Instead of entering your password for you automatically, you have to click first, and it generally gives you more control about when your password goes out to web sites that ask for it.
|
Unless you set up a master password, it will automatically fill in a password when a login page asks for it.
You'll ask "what is a login page?" if you're a paranoid security person. For Firefox, it's anything under the same top level domain. For example, if Firefox has stored your password for myspace.com, it will fill it in for myspace.com/jenniferthecatlover. If Jennifer has uploaded something that looks like a login form to Firefox, Firefox will give Jennifer your password. Myspace prevents this now, but other services that allow users to upload content could have a problem.
The fix I recommend is to go into your Firefox preferences, click Security, and click the checkbox "Use a master password". That way, Firefox will ask for your master password before it gives away your site-specific passwords, and you can tell it not to if you know you've already logged in, or if you know that you're looking at a user's page and not at a real login page.
Heise security has technical details.
UPDATE 7/23:
I may have spoken too soon about Myspace, many people are reporting that it still allows people to upload active content.
There's another way to protect yourself, which is a Firefox extension called Secure Login. Instead of entering your password for you automatically, you have to click first, and it generally gives you more control about when your password goes out to web sites that ask for it.
# posted by Frederick @ 10:16 PM Email to a friend:
Haloscan: they provide trackback