passwords kept in browser
    Ok.......this is NOT supposed to be "political".

    A "software security expert" was being interviewed about the "front end/sign up" on the ACA.

    He had been asked by a relative to help getting signed up.

    Basically they couldn't get very far but did "get somewhere".

    He then did the "view page source" a term we all know, (however he did not use that term).

    And found that "the password was being held in the browser".

    The above is the best transcription that I can make.

    A few sentences later he said....

    "However, I filed a bug and it is now fixed".

    Ok..................I knew about view page source years ago....

    I am sure that any hacker knows about it.

    And............yes........ what was left unsaid was that a "hacker" would have to break into your house, go to your computer, open the browser and view source to get the password for ONLY your account...but...

    The question I have for the various security experts that visit the forum is:

    "Is this not something that ANY "programmer" who has a security expert working alongside would have taken care of first thing?"

    Again, this is not supposed to be "political"..........

    It is just a question about the "expertise" of the people who were producing the website and also........the oversight by higher ups in the chain.

    Just a question, nothing more.

    woodsmoke

    #2
    There is this.. Apparently a universal problem in Google Chrome.
    http://www.theverge.com/2013/8/7/459...wser-passwords
    Last edited by richb; Oct 25, 2013, 07:31 PM.
    Linux because it works. No social or political motives in my decision to use it.
    Always consider Occam's Razor
    Rich

      #3
      Lol
      Well I got a call from my oldest boy who is a "top tier" programmer asking me to come up and visit.

      LOL

      He and I don't "talk programming" because he likes to talk about other stuff, he spends hours a day in front of the monitor so...

      But I asked him about it and he just laughed and "basically" said,

      Yeah, I would expect that from CGI.

      When you go to a conference there is always the joke about the Canadian Firearms Program because some unscrupulous programmer has sucked somebody with deep pockets into throwing money at a non-problem.

      A good example is them getting involved with McDonalds to track the number of burgers being bought in each store world wide in real time.

      I know a bunch of programmers that could have sat down in their basement for a month or so, would have hired somebody to do the interface graphics and collected a hundred thousand dollars or so and been done with it.

      But McDonalds paid a couple of million and it took I don't know how long.

      Get on the net and look up Canadian Firearms Program as you know I don't follow the news but what little I read on Google news page is about step for step what is happening with ACA.

      Other discussion.

      Their passwords were being stored in the browser?

      Well, that is really OLD technology. I don't know of ANY new programming that stores a password in the browser.

      All you would have to do to get the browser is view source, copy the token and run it through a reader and you would have the password.

      Anybody with any sense would have set it up to have a token hand off between the parts of the site that had nothing to do with the password.

      They were having to RE-enter the password going from one part of the site to another?

      That is really ...old... nobody has done that for...decades....
      So, I got on the net and found these:

      The original announcement about CGI and Canadian Firearms Program:

      http://m.cgi.com/en/government-canad...-unit-contract

      Take a look at the bottom at conclusion and recommendation!

      http://www.oag-bvg.gc.ca/internet/En....html#ch10hd3d

      ANYhow...... I find this to be somewhat hilarious that.... when the computer geeks are sitting around sipping brewski that the Canadian Firearms Program is such a joke and example of companies soaking clueless corporations and governments for money. LOL

      HOWever................ if anyone has further commentary about the

      CODING of this feel free...

      Or....if you have a pertinent joke about CFP..........feel free because he didn't relate any of the jokes.

      woodsmoke

        #4
        thank you Rich! good read and one more reason to not use Chrome, which I don't use anyway!

        woodsmoke

          #5
          Originally posted by woodsmoke:
          "He then did the "view page source" a term we all know, (however he did not use that term). And found that "the password was being held in the browser". The above is the best transcription that I can make."

          "View source" displays the HTML sent by the server to the browser via the GET instruction. Passwords are not delivered in this direction. Instead, they are returned by the browser to the server usually via the POST instruction or by HTML's basic-auth function, neither of which is visible through "view source."

          I would be interested in following up on this -- Woody, do you have some links to stories or reports anywhere?

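The GET-response versus POST-request distinction made in the reply above, as an added example (not code from this thread or any site it discusses): it constructs a minimal login page and the two browser-to-server messages that actually carry a password (a form POST and a basic-auth header), plus a check for password values that arrive pre-filled in served HTML, which is the one way "view source" could expose one. The host name, field names and credentials are made up.

```python
import base64
import re
from urllib.parse import urlencode

# Constructed sample: the HTML a server returns for GET /login.
# A clean login page carries no password; the password field is empty.
LOGIN_PAGE = """<html><body>
<form method="post" action="/login">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="csrf" value="abc123">
</form></body></html>"""

INPUT_RE = re.compile(r"<input\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def leaked_secrets(html):
    """Return (name, value) pairs for password-looking inputs that arrive
    pre-filled in the served HTML, i.e. a password the server echoed back
    into the page. A clean login page returns []."""
    leaks = []
    for m in INPUT_RE.finditer(html):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        name = attrs.get("name", "")
        looks_secret = (attrs.get("type", "").lower() == "password"
                        or "pass" in name.lower())
        if looks_secret and attrs.get("value"):
            leaks.append((name, attrs["value"]))
    return leaks


def form_post(user, password, csrf):
    """Browser -> server: the password rides in the POST body, which
    "view source" never shows (it shows only the GET response)."""
    body = urlencode({"user": user, "pass": password, "csrf": csrf})
    return ("POST /login HTTP/1.1\r\nHost: example.test\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def basic_auth_get(user, password):
    """Browser -> server: HTTP basic auth sends user:password base64-encoded
    (encoded, not encrypted) in the Authorization header of each request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"GET /account HTTP/1.1\r\nHost: example.test\r\n"
            f"Authorization: Basic {token}\r\n\r\n")
```

Running `leaked_secrets` over a page that contains `<input type="hidden" name="password" value="...">` flags the field; over the clean page above it returns an empty list.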

            #6
            One can use an extension like Lastpass to not keep passwords stored locally. However they are stored in a server encrypted. Your level of trust has to rise to that method. Lastpass does have a good reputation and your master password is not stored. Additionally it will generate a unique strong password for any site.
            Linux because it works. No social or political motives in my decision to use it.
            Always consider Occam's Razor
            Rich

              #7
              I use Google Chrome, mainly because of its built in implementation of flash. I also use LastPass. The save passwords feature in Chrome is turned off, as is the sync feature. However that does not solve the problem of someone being able to access your stored passwords if they physically are at your computer unless you remember to log out of LastPass every time you leave your computer. If you are logged in to LastPass they can merely click on the icon and open your passwords vault.

                #8
                Interesting stuff guys!
                thanks
                woodsmoke

                  #9
                  There are extensions available that integrate the browser password saving with KWallet. KWallet is encrypted and not hosted on any uncontrolled domain. I highly recommend this. There are ways of using KWallet which make it more or less annoying depending on your desired security. Personally, I prefer to allow certain apps to have unrestricted access to KWallet (well they are restricted in that they can only see the data they store) and other apps ask for permission on an as-needed basis. With the new GUI KWallet is a lot more manageable.

                    #10
                    The Repubs have really "showed their a@@" with this in terms of "dancing around the words" about the stored passwords.

                    And it also belies the quality of eddication in the U.S. when we are CRAMMING..........."technology" down the students' throats...

                    and people don't really recognize the basic idea that the problem with stored passwords is that a "hacker" would have to go to EACH AND EVERY HOUSE, either virtually or breaking into the window, to get at that particular stored password.

                    Both the lefties and the righties have toiled mightily to create a sense of unknown....malaise and fear in the populace, each to somehow get people to vote for them...

                    The holy temples of the schools to create a situation that the populace believes that they must continually look to an authority figure at the front class room wearing academic garb to validate their knowledge...

                    And yes, the holy temples of the churches to create a situation that the populace believes that they must continually look to an authority figure wearing a sweaty white shirt or vestments at the front of the congregation to validate their knowledge...

                    Advertisements for big biddness very subtly do the same thing....there is an advert about a young couple going to a store to buy a product, the clueless yuppie woman has a HUGE, continually open set of white teeth and wide open eyes, and she continually nods through the wonderful locks of her hair to the sales woman, ...

                    And the sales woman..... who KNOWS THINGS.... keeps her teeth hidden, and has her hair cut short and keeps a straight back...

                    And the clueless husband just nods approvingly to what is going on between them.

                    And of course we have the even MORE clueless Peter Fonda saying that the ACA site was down because it was hacked by the Republicans

                    And the clueless media were playing it up to the Kool - Aid drinkers.

                    The lefties always point at Eisenhower warning about a "military industrial" complex.....

                    Well, here is a "San Francisco leftie" magazine warning about an " education-foundation-political-industrial complex "

                    Microsoft is now on a new religious quest to get people to use passwords.... all the while creating their own "malware" to test their anti-malware software...

                    And all these groups ....creating a sense of helplessness among the folk.

                    As evidenced over the hysteria over a browser kept password.

                    A POX ON ALL THEIR HOUSES!!!

                    woodsmoke

                    http://quartz.he.net/~beyondch/news/...p?itemid=10069
                    Last edited by woodsmoke; Nov 03, 2013, 07:42 PM.