Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Don’t Store Passwords in a Browser

March 21, 2018

For many, many years browsers have offered to save your login credentials. The intent is to make subsequent visits to websites faster, since you won't have to type in your credentials; they are automatically populated in the appropriate fields. I have NEVER recommended that users save their login credentials in a browser. The latest news from Bleeping Computer is another reason not to trust a browser with your user ID and password.

Nine years ago, Firefox introduced an encryption mechanism for its "master password" feature. The "master password" is used to encrypt the saved passwords in the browser or the Thunderbird e-mail client. Unfortunately, the relatively weak SHA-1 hashing function is used as part of the encryption process, and it is applied with an iteration count of 1 instead of the industry practice of at least 10,000. With a single iteration, each guess at the master password costs an attacker almost nothing to test. Research has shown that the Firefox implementation allows attackers to brute-force simplistic master passwords in under a minute.

Nine years later and the issue still exists. Yet again, another reason to use a password manager.
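To make the iteration-count point concrete, here is an added example (not code from Firefox or from the research mentioned above) that measures how much each password guess costs with one SHA-1 pass versus PBKDF2-HMAC-SHA1 at 10,000 iterations. The single-pass function is a simplified model, and the salt, function names and six-letter keyspace are assumptions chosen for illustration.

```python
import hashlib
import time

SALT = bytes(range(16))  # constructed sample salt, not taken from any real profile

def kdf_single_sha1(password: bytes, salt: bytes = SALT) -> bytes:
    """Simplified model of an iteration count of 1: one SHA-1 pass over salt + password."""
    return hashlib.sha1(salt + password).digest()

def kdf_pbkdf2(password: bytes, salt: bytes = SALT, iterations: int = 10_000) -> bytes:
    """PBKDF2-HMAC-SHA1 stretched to the 10,000 iterations cited above."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)

def seconds_per_derivation(kdf, samples: int) -> float:
    """Average wall-clock cost of deriving one key from one candidate password."""
    start = time.perf_counter()
    for i in range(samples):
        kdf(b"candidate-%d" % i)
    return (time.perf_counter() - start) / samples

def stretch_factor() -> float:
    """How many times more expensive each guess becomes with 10,000 iterations."""
    fast = seconds_per_derivation(kdf_single_sha1, 50_000)
    slow = seconds_per_derivation(kdf_pbkdf2, 20)
    return slow / fast

def days_to_search(keyspace: int, per_guess_seconds: float) -> float:
    """Worst-case time to try every password in a keyspace on one CPU core."""
    return keyspace * per_guess_seconds / 86_400

if __name__ == "__main__":
    fast = seconds_per_derivation(kdf_single_sha1, 50_000)
    slow = seconds_per_derivation(kdf_pbkdf2, 20)
    keyspace = 26 ** 6  # constructed example: six lowercase letters
    print(f"1 iteration:       {fast * 1e6:8.2f} us/guess, "
          f"{days_to_search(keyspace, fast):10.4f} days for 26^6")
    print(f"10,000 iterations: {slow * 1e6:8.2f} us/guess, "
          f"{days_to_search(keyspace, slow):10.4f} days for 26^6")
    print(f"stretch factor:    {slow / fast:8.0f}x")
```

The absolute numbers depend on the machine and reflect a single CPU core running Python, so read the ratio between the two lines rather than the timings themselves.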

E-mail: Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://www.senseient.com