Password Management Concerns with IE and Firefox, part two
Mikhael Felker 2006-12-11

Article continued from Page 1

6. False sense of security

Users are neither fully aware nor informed of the risks when they, perhaps naively, make use of the password management systems of web browsers. The danger lies in carelessly saving any username and password, whether it is for accessing a simple newsgroup or for something more discreet and sensitive such as financial information at an online brokerage. Users expect that the browser, possibly in conjunction with the operating system, will protect their information and abstract away the security mechanism. In reality, a complete compromise can be realized more easily than users perceive. Web browsers as applications are particularly dangerous in that they are installed on most computer systems, used by everyone, and store every username and password that the user enters. The confluence of these factors makes web browsers a particularly tempting target for unscrupulous malicious actors.

7. Usability

The usability features of password management in Internet Explorer and Firefox are outlined below in Table 2. One key difference is the ability to see passwords in the clear in Firefox but not in Internet Explorer. This can be considered either a security risk or a feature, depending on whether a Master Password is set. Additionally, Firefox has a very useful feature that allows usernames and passwords for specific sites to be excluded from saving (e.g. highly sensitive credentials for sites that cannot tolerate a high risk of exposure). In AutoComplete this choice is made only once and cannot be easily changed without going to obscure registry keys. AutoComplete does, however, have an advantage over the Password Manager in that the user can choose whether to save the URL, username or password, rather than mandating that all three be saved as Firefox does.

Feature                                                                   Internet Explorer 7   Firefox 2.0
Prompted for saving passwords                                             yes                   yes
Ability to easily change per-website preference "saved" vs. "not saved"   no                    yes
Ability to NOT save any information in forms                              yes                   yes
Ability to easily access passwords in plaintext                           no                    yes
Ability to choose to save URL, usernames, or passwords                    yes                   no

Table 2. Comparison of Usability Features (IE and Firefox).

8. Defense strategies

8.1 User based defenses

8.1.1 Avoidance

One method to prevent password compromise is to refrain from using either the IE or the Firefox password manager. This, however, might tempt users to choose the same password for more sites, which is detrimental to their security posture. Thus avoidance should be employed only if there is an alternative method to substitute for it. There is also a chance that a user might accidentally save passwords in the course of regular browsing.

8.1.2 Disable password manager

This prevents the password manager from saving usernames and passwords at all, but it might fall prey to issues similar to those of avoidance. This strategy is different from the web-based approach that will be discussed in section 8.2.

8.1.3 Alternative "proven" password managers

One common way users store passwords is in a standalone application called Password Safe. [ref 31] Originally designed by Bruce Schneier [ref 32], the open-source Windows utility is now a popular method of storing and accessing passwords. Passwords are encrypted with Schneier's Blowfish block cipher and protected by a Safe Combination (master password).

Prudence and hesitation should be practiced before using any new program. However, a program whose sole purpose is to store sensitive information has a narrower focus than any web browser with a password-saving feature. The narrow focus of this open-source password manager, and its design by a well-known cryptographer, are reasons to keep it as an option for further evaluation. The comparative disadvantage is that both AutoComplete and Password Manager provide convenience and simplicity to users; there is no need to switch applications to gain access to usernames and passwords.

8.1.4 Password Complexity

As noted in previous sections, having a strong master password can go a long way in preventing some attacks.

As previously mentioned, Internet Explorer does not allow you to choose a master password for AutoComplete; the security of information stored with AutoComplete is tied directly to the Windows user account password. Choosing a stronger Windows password will provide some minimal additional protection. However, for those actors employing RainbowCrack, Windows passwords are compromised within minutes. Creating a stronger master password in Password Manager for Firefox can significantly reduce the risk of compromise. A good password longer than eight characters, with random special characters and a good mixture of alphanumeric characters, adds significant protection. Distributed password cracking attacks on the Firefox Password Manager are possible but have not made it to the mainstream, and those employing greater prudence might escape victimization. In any case, users of Firefox gain an extra layer of protection by using a master password as compared to their IE counterparts.

8.2 Web Developer based remediation

In the scope of web development, commerce sites and financial institutions can take certain actions to protect users from future password compromise. Both Internet Explorer and Firefox can be prevented from saving a password if the attributes of the <INPUT> tag in HTML are properly set. [ref 33] For instance, the example below is adapted from the MSDN site and shows how easy it is to incorporate this change into any website. Using this method, institutions that are risk averse can prevent their visitors from saving their password in either IE or Firefox.

This text value will be SAVED:

    <INPUT TYPE="text" NAME="password" AUTOCOMPLETE="ON">

This text value will NOT BE SAVED:

    <INPUT TYPE="text" NAME="password" AUTOCOMPLETE="OFF">

Banks that use this feature include Washington Mutual and Chase Manhattan, as well as others including Fidelity, E*Trade, Vanguard, Schwab, and so on. Some organizations that do not use this feature include PNC Bank and Oppenheimer Funds. If every website followed this practice, the result would cancel out any benefit from the use of password managers in browsers. Thus this method should be evaluated by each organization individually to determine whether it is an appropriate solution. Using this method does not guarantee that the client is safe, as pointed out in section 5.1: HTML and JavaScript can be modified at the client level, switching the "OFF" to "ON".
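As an added example (not code from the article, MSDN or Mozilla), the following JavaScript audits form markup for password fields that either browser would still offer to save, treating both type="password" inputs and the article's NAME="password" text input as password fields; the sample form is constructed here. Since the attribute can be flipped on the client, this checks only what the site ships, not what the visitor's browser will do.

```javascript
// Added example, not code from the article, MSDN or Mozilla: audit an HTML
// fragment for password fields a browser would offer to save, i.e. <input>
// tags of type "password" (or name "password", as in the article's sample)
// whose AUTOCOMPLETE attribute is absent or is not "off" (case-insensitive).

// Parse one tag's attribute text into {lowercased name: value}; values may
// be double-, single- or unquoted, and a bare attribute gets "".
function parseAttributes(attrText) {
  const attrs = {};
  const attrRe = /([^\s=\/>]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2]
                : m[3] !== undefined ? m[3]
                : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// One finding per saveable password input: raw tag, field name and the
// autocomplete value as written (null when the attribute is missing).
function findSaveablePasswordInputs(html) {
  const findings = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const isPasswordField =
      (attrs.type || '').toLowerCase() === 'password' ||
      (attrs.name || '').toLowerCase() === 'password';
    if (!isPasswordField) continue;
    const ac = attrs.autocomplete;
    if (ac !== undefined && ac.toLowerCase() === 'off') continue; // correctly set
    findings.push({ tag: m[0], name: attrs.name || '', autocomplete: ac === undefined ? null : ac });
  }
  return findings;
}

// Constructed sample login form, not taken from any real site.
const SAMPLE_FORM = `
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pwd" autocomplete="off">
  <INPUT TYPE="text" NAME="password" AUTOCOMPLETE="ON">
  <input type="password" name="pin" />
</form>`;

for (const f of findSaveablePasswordInputs(SAMPLE_FORM)) {
  console.log(`saveable password field: name=${f.name}, autocomplete=${f.autocomplete}`);
}
```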

8.3 Windows enterprise security remediation

It is possible to disable Internet Explorer's AutoComplete feature for enterprise security. Group Policy Objects (GPO) are an easy way to manage a large number of computer systems, controlling user and machine settings by editing a single policy. Using Windows Server 2003 in an Active Directory environment, it is possible to disable the AutoComplete settings [ref 34] across an entire corporation or organization.

9. Conclusion

The risk of subversion and compromise of the password storage mechanisms of web browsers such as Internet Explorer and Firefox needs further evaluation. Any system that controls the keys to the kingdom, or to many kingdoms, should be further scrutinized. Users need to become more aware of the risks and benefits of using password management systems. Current methods of mitigation such as avoidance, disabling the password manager, alternative storage, and password complexity are only temporary solutions. Users expect security to be transparent, usable, and secure. Thus the next generation of password management systems should take all of those considerations into account in their design decisions.

10. Acknowledgments

Thanks to Sasha Romanosky, Adrian Perrig, Alessandro Acquisti, Timothy Summers, Eric Doversberger, and Michael Cole for their feedback in improving the article.

Complete references for part 2

[ref 22] "Firefox Password Manager Information Disclosure." http://secunia.com/advisories/23046
[ref 23] "CIS Finds Flaws in Firefox v2 Password Manager." http://www.info-svc.com/news/11-21-2006/
[ref 24] AIEPR, http://www.elcomsoft.com
[ref 25] N. Sofer, "Protected Storage PassView," http://www.nirsoft.net/utils/pspv.html
[ref 26] N. Sofer, "IE PassView v.1.00," http://www.nirsoft.net/utils/internet_explorer_password.html
[ref 27] BackDoor-AXJ, McAfee, June 2004. http://vil.nai.com/vil/content/v_100488.htm
[ref 28] Srv.SSA-KeyLogger, Counter Spy Research Center, http://research.sunbelt-software.com/Advisory.cfm
[ref 29] N. Y. Talekar, Firemaster: firefox master password cracker, 2006. http://nagmatrix.50webs.com/article_firemaster.html
[ref 30] "Mozilla saved passwords recovery (export) utility," 2005, http://wejn.org/stuff/moz-export.html, (Accessed March 2006).
[ref 31] Password Safe. http://passwordsafe.sourceforge.net/
[ref 32] Bruce Schneier, Password Safe, http://www.schneier.com/passsafe.html
[ref 33] Mozilla Development Center, "How to Turn Off the Autocompletion Feature", 2002, developer.mozilla.org
[ref 34] TechNET, "Internet Explorer Maintenance Extension Technical Reference", technet.microsoft.com, (Accessed April 2006)

About the author

Mikhael Felker is a graduate student of Information Security Policy and Management at Carnegie Mellon University.

Reprints or translations

Reprint or translation requests require prior approval from SecurityFocus.

© 2006 SecurityFocus
