Web Browser Wednesday

I’m sure many of you look kindly upon the fact that your web browser stores your passwords for you. It is no doubt a wonderful time-saving feature, and surely beats having to retype your password every time that it needs to be entered. Have you ever stopped to ask yourself how safe your passwords really are in your browser?

If you’re using Internet Explorer, I hope you’ll change your mind about storing your passwords in it. IE doesn’t have any sort of management screen so that users can quickly remove a username/password stored in the browser, but it does let you clear all of your passwords. Just because it doesn’t come with a built-in management interface doesn’t mean you can’t retrieve your passwords…

There is a program called IE PassView (Download Mirror) that works with Internet Explorer 4.0 to 7.0, and it will let you view all usernames and passwords along with their associated URL’s. The software is not only free, but doesn’t even require installation which means someone could easily run it from their USB drive on any PC.

IE PassView

This software is that it lets you delete certain passwords that are currently stored in Internet Explorer. It also lets you export any usernames and passwords as an HTML file that can be viewed later on, which is convenient for backing up your passwords but that also makes it that much easier for someone else to grab your passwords and walk away.

Both Opera and Firefox are also susceptible to similar password attacks, unless you’re using a master password! The master password requires that a user enters in a password they setup before the browser will automatically fill in the passwords on websites. This is an optional feature that most users never take advantage of, but it prevents anyone from quickly jumping on your computer and gaining access to sites which you have stored your password for.

Firefox is actually setup to reveal your passwords in plaintext at the click of a button. If you don’t have a master password enabled anyone can view the passwords in just a few clicks by going to Tools > Options > Security > Show Passwords > Show Passwords:

Firefox Passwords

I tried two different applications, one for Firefox and one for Opera, to see how they would do if I was using a master password. The first application that I tried was called Firefox Password Recover Master ($19.95) and actually states that it “Decrypts passwords protected with the User Master Password”. However, when I tried using it on my account that had a master password all I got was an error (but it did work without a master password):

Firefox Recover

Then I tried another application called Mozilla Password Recovery ($27.00) which also uncovered my passwords correctly, unless there was a master password on the account:

Firefox Recover

That application was also supposed to “recover my master password” but it wasn’t able to do that either. Then again this application doesn’t officially support Firefox 2 yet which could be part of the problem.

I also tried the counterparts for both applications (here and here), which are advertised as being able to recover Opera passwords. The result was exactly the same, except with the second application I was able to kinda get the master password recovery tool to do something, but it would have taken way too long to complete unless you already have a pretty good idea of what the password is:

Opera Recover

There is an open source tool available for recovering your Firefox master password called Firekeeper, but that also uses brute force and dictionary attacks to try and figure it out. The problem is that it takes so long if you’re trying to do a brute force attack. Just look at this screenshot for an example, where I said the password was between 4 and 11 characters long and contains only lowercase characters as well as numbers:

Opera Recover

Yep, you’re eyes aren’t lying. It says that it will take 1,679 years for the brute force attack to complete. If I knew exactly how long the password was it would take a lot less time, but it still wouldn’t really be worth it.

There are actually three morals to this story:

  • Don’t store passwords in Internet Explorer!
  • Take advantage of the master password in your browser. It doesn’t make browsing the Web any more difficult and yet the protection it offers can be priceless.
  • Choose a good master password. That means one that isn’t in the dictionary and it is best if it is made up of both upper and lowercase characters, as well as numbers and symbols. The amount of time it would take someone to crack that type of password is pretty unreasonable.

Please share this information with others so that more people can keep their passwords safe. This is also a good selling point for getting people to switch away from Internet Explorer!

For more information on password security in Internet Explorer and Firefox go read this article by Security Focus: Part 1 and Part 2.