Mozilla Pitches BrowserID to Solve Password Mess

Status
Not open for further replies.

Silmarunya

Distinguished
Nov 3, 2009
A relatively vague post. The way it is presented in this article makes it look absurdly insecure. However, I strongly believe there's more to it than is being said here. After all, even Mozilla isn't this stupid.

It looks like a great technology. If and only if they do better on the security front than is being said in this article, it will be one of the best browser innovations in years. And that from the company that's been copying Opera up to this day...
shiboe

Distinguished
Aug 12, 2010
Ya... And what's to stop anyone from forging a browser_ID that you now assume is absolutely the person in question.

There are existing measures strong enough for reasonable security, they just need to be used appropriately. In the end, the best security will require users to remember SOMETHING.
Lan

Distinguished
Mar 29, 2004
Not sure this is a good idea. It just makes for a single point of failure and yet another way for your identity to get stolen.

Multiple passwords are annoying, but the fact that there are multiple, instead of just one for everything, helps at least a little bit from a security perspective.
cadder

Distinguished
Nov 17, 2008
I think Mozilla could fix their own program before suggesting that we make things more complicated. I go to various forums, including Toms, and enter my passwords. The next day I have access to the forums, and the next day, and the next, but maybe the next week I find that Mozilla has forgotten my passwords and I don't have forum access any more. So I have to look up the passwords and enter them again. If FF would remember them as it is supposed to then that would be all that we need.

As often as we hear about servers being hacked and information stolen, I'm happy to use a different password for each and every site I visit.
aaron88_7

Distinguished
Oct 4, 2010
It shouldn't be just about using a different password for each account, but using passwords that are resistant to brute force attacks. As others have mentioned there may be more to this article, but the whole mentality of making security easy is just a completely flawed mentality that nobody should ever consider. That thinking in and of itself is very insecure.

With that said, software to store your passwords can be more effective and safe if done properly. I use KeePass which, (depending on how you set it up), can allow you to use a password and also a key file stored on a password protected thumbdrive. This makes the chance of somebody accessing this single point of failure much less likely than being brute force attacked because now all of my passwords are generated with random keys as long or as short as I desire.

But at the end of the day security isn't about finding a solution because there never will be a solution for anything, instead it's about building layers of security to make unauthorized access less likely. Kind of like getting an alarm for a car....one small and very ineffective form of security, however, if you pair it up with GPS tracking and a cell phone that calls you when it goes off - still not perfect but much better than just having a club on your steering wheel lol
thaile4ever

Distinguished
Mar 16, 2011
[citation][nom]cadder[/nom]I think Mozilla could fix their own program before suggesting that we make things more complicated. I go to various forums, including Toms, and enter my passwords. The next day I have access to the forums, and the next day, and the next, but maybe the next week I find that Mozilla has forgotten my passwords and I don't have forum access any more. So I have to look up the passwords and enter them again. If FF would remember them as it is supposed to then that would be all that we need.[/citation]

Well, Firefox works fine; in this case it's your fault for not understanding what's happening. First, Firefox does not automatically log you into a site. What does is a cookie that whatever forum you use creates and stores on your computer. This cookie expires after a certain amount of time decided by the forum/site.

What Firefox will do, if you have the password saved in its password list, is automatically fill in the login fields for you. You probably have it turned off though.
koga73

Distinguished
Jan 23, 2008
I don't think it's a good idea. I don't trust any of my passwords to anybody or any application. I enter each one of my passwords each time it is needed. This is one way I stay secure. On top of that I have separate passwords for everything. How do I remember them, you ask? No, I don't have a file called "passwords.txt"... I'll share my secret as it might help others.

I started with a strong "base" password that I could remember (resistant to brute force and dictionary attacks). Then I use this password for pretty much everything, and salt it with what I'm using it for... so for tomshardware I might have "T" + base pass + "E" (first and last letters from url). This way I can always remember, or at least figure out, what my pass is. Plus since each password is slightly different if one is compromised the others won't be!
eddieroolz

Distinguished
Moderator
Sep 6, 2008
This indeed did come out of nowhere. I'm sure all of us have faced such issues when using less-frequently visited sites, and this could help solve that issue. But I don't think a central ID would be desirable in many cases, with security being the biggest concern.
aaron88_7

Distinguished
Oct 4, 2010
[citation][nom]koga73[/nom]I don't think it's a good idea. I don't trust any of my passwords to anybody or any application. I enter each one of my passwords each time it is needed. This is one way I stay secure. On top of that I have separate passwords for everything. How do I remember them, you ask? No, I don't have a file called "passwords.txt"... I'll share my secret as it might help others. I started with a strong "base" password that I could remember (resistant to brute force and dictionary attacks). Then I use this password for pretty much everything, and salt it with what I'm using it for... so for tomshardware I might have "T" + base pass + "E" (first and last letters from url). This way I can always remember, or at least figure out, what my pass is. Plus since each password is slightly different if one is compromised the others won't be![/citation]
In general this is the best advice considering most people use very, very weak passwords, but the problem with this method is that if a hacker is able to obtain one password it wouldn't be too difficult to get every other password you use. Even if simply guessing doesn't work, they could enter in the base password and should be able to get the rest of the password fairly easily.

Typing in your passwords also exposes your passwords if you have a virus/trojan with a key logger. With KeePass, (and I'm sure there are many similar applications just as good), I never type any passwords. You can either manually copy and paste it over, or just hit ctrl + V and it'll copy and paste over both your username and password.

Again, not saying that's a bad idea, definitely better than using weak passwords or writing them down or in a text file (lol I'm sure some are reading this thinking, oh crap), but KeePass is open source so if a flaw is found it should be corrected fairly quickly.

I think the combination of requiring a strong password as well as a key file secured on a password protected thumb drive (different password, obviously) makes this much more secure than the alternatives. But of course, you never can be 100% sure.
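The two posts above describe a per-site password scheme (a memorable base password with the site's first and last letter wrapped around it) and the objection that one leaked password gives away the base and therefore every other password. The following is an added example, not code from any poster in this thread: it implements the scheme as described, shows how little work it takes to peel the base out of a single leaked password, and then derives per-site passwords with PBKDF2 instead, so that a leaked site password no longer reveals the base directly and the remaining cost to an attacker is the key-derivation work factor. The function names, the sample base password and the site names are all constructed for the example.

```python
import base64
import hashlib


def naive_site_password(base: str, site: str) -> str:
    """The scheme from the thread: first URL letter + base password + last URL letter."""
    return site[0].upper() + base + site[-1].upper()


def recover_base_naive(leaked_password: str) -> str:
    """Given one leaked password built by naive_site_password, strip the two
    site-derived letters. This is the weakness raised in the reply: no guessing
    is needed once the construction is known."""
    return leaked_password[1:-1]


def derived_site_password(base: str, site: str, length: int = 20,
                          iterations: int = 200_000) -> str:
    """Hardened variant (added here, not from the thread): derive each site's
    password with PBKDF2-HMAC-SHA256, using the site name as the salt.

    The output carries no substring of the base, and reversing it costs an
    offline guess of the base at `iterations` hashes per guess, so the
    strength of the base password still matters."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", base.encode("utf-8"), site.lower().encode("utf-8"), iterations
    )
    # urlsafe base64 keeps the result typeable; trim to the site's length limit.
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


def demo() -> dict:
    """Run both schemes against constructed sample inputs and report what an
    observer of one leaked password learns in each case."""
    base = "c0rrectH0rse!stapler"          # constructed sample base password
    sites = ["tomshardware", "example"]    # constructed sample site names

    naive = {s: naive_site_password(base, s) for s in sites}
    hardened = {s: derived_site_password(base, s) for s in sites}

    leaked_site = sites[0]
    return {
        "naive": naive,
        # One leaked naive password yields the base, hence every other site's password.
        "naive_base_recovered": recover_base_naive(naive[leaked_site]) == base,
        "hardened": hardened,
        # The derived password contains no fragment of the base to strip off.
        "hardened_leaks_base": base in hardened[leaked_site],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The PBKDF2 step is deterministic, so it can be recomputed on any machine from the base password and the site name alone, which is the property the original scheme was after; what changes is that the per-site output is no longer a thin wrapper around the secret.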
aaron88_7

Distinguished
Oct 4, 2010
I have to correct my previous comment. The Auto-type feature in KeePass isn't completely resistant to key loggers as it simulates key presses which can be detected if a key logger is installed. However, auto-type often doesn't work for some websites anyway so you can just as easily copy and paste the entries over into the appropriate fields.

Also make sure you keep a well secured backup of the key file....if your thumb drive ever gets fried like mine did once you're going to have a bitch of a time changing all of your passwords again lol
koga73

Distinguished
Jan 23, 2008
Sure, I am vulnerable to key loggers... but I keep my system pretty tight. I even have UAC turned up all the way to require authentication for any admin privileges. I suppose a hacker might be able to figure out my other passes from one... but only if they know how I construct the pass, which they don't. I try to not let any of my passwords get in the wrong hands.

On a side note... to all of the Facebook lovers (not me): you should really think about the information you put on Facebook, as a lot of it can be used to easily figure out security questions on a password reset form.
aaron88_7

Distinguished
Oct 4, 2010
And what if one of the websites you're signed up to is hacked and they didn't properly hash the passwords? Doesn't matter how tight your computer is, your password can be exposed in many other ways which is why every password should be completely different.

But again, your method is still by far better than the average person's password of using their name and numbers from their birthday....so I might just be splitting hairs here :)
koga73

Distinguished
Jan 23, 2008
Haha, ya. Well, if one of my passwords is compromised it just looks like a long string of random letters and numbers, so my hope is the hacker wouldn't recognize how to reconstruct the pass for a different site, or at least not at first glance. Guess you never know though, and you can never be 100% secure.
K-zon

Distinguished
Apr 17, 2010
Would seem to make more sense at times, but still, of it, the fact of one username and password for many things. And of one thing to use and do, might as well, but in a spot most used maybe? Or least thought of, idk.

Signing in the browser is hard placed though. Especially when accessing other sites. But maybe not as well.

Guest
[citation][nom]koga73[/nom]On a side note... to all of the Facebook lovers (not me): you should really think about the information you put on Facebook, as a lot of it can be used to easily figure out security questions on a password reset form.[/citation]

Assuming you base your security questions on reality. I always recommend using a false set of biographical info for security questions. Basing it on someone well-known enough to be on the web (I use the bio of a rather mediocre goalkeeper who played for a local team) means you can always google for the info if you forget it.