Firefox and passwords

Topic

New Reply

On my new win7 sony vaio VPCEB1E0E it seems to be configured to favour Chrome. Example, Firefox does not offer to remember passwords despite being told to do so.

Reply | Quote

Replies

On my new win7 sony vaio VPCEB1E0E it seems to be configured to favour Chrome. Example, Firefox does not offer to remember passwords despite being told to do so.

The browser password managers are very unsafe. Do not rely on them. Use an encrypted password manager instead. I use Last Pass.It also includes a form fill option which works exceedingly well. Check it out.

I also do not understand being configured to favour Chrome. Does this just mean Chrome is installed along with IE. I know the Sony Win 7 upgrade disks did include Chrome pre-installed, but this did not mean they favored Chrome. I would assume some kind of financial arrangements were made between Google and Sony.

I have all 3 browsers on my Sony laptop. I have used all 3 at various times as the default browser, although at present I have IE set as default. I agree with some that FF is getting somewhat long in tooth. I do like the interface of Chrome, and the slightly faster speed, but there are some sites that will not open in Chrome, some that I use a lot, hence IE for now. I do have the latest versions of all 3 with all updates.

Reply | Quote

The browser password managers are very unsafe. Do not rely on them. …..

In what way are they unsafe? Is it the strength of their encryption, or something else?

Reply | Quote

In what way are they unsafe? Is it the strength of their encryption, or something else?

Browsers are not concidered a safe alternative for password protection. A simple Google searchshows many tests of these types of issues. Most “experts” agree to this from everything I’ve read. I have personally not done any testing myself, I rely on others that are far more knowledgable in these matters.

Reply | Quote

Browsers are not concidered a safe alternative for password protection. A simple Google searchshows many tests of these types of issues. Most “experts” agree to this from everything I’ve read. I have personally not done any testing myself, I rely on others that are far more knowledgable in these matters.

Sorry, still no getting the problem. If you use FF and a good master password, then I don’t see a problem with using it. If you back up the passwords, you don’t have to worry if your pc dies. If you use something like XMarks, you get encrypted off site storage and access to your passwords from any of your PCs. To me this seems way better than trying to remember to bring a usb fob with you everywhere (and keeping more than one drive in sync if you have multiple users of the same set of passwords).

If a bad guy gets access to your hardware, including your password keeper fob, all bets are off.

Java script cross site hacks can be mitigated by using something like NoScript.

So, where’s the problem using the built in keeper?

Reply | Quote

I don’t use that feature myself. Mozilla’s documentation starts here and there might be some relevant troubleshooting info: http://support.mozilla.com/en-US/kb/Remembering+passwords

Is there any other respect in which you think the laptop favours Google Chrome?

Reply | Quote

Thanks.

My reason for saying that the Sony favours Chrome is because it comes preloaded. Firefox does not give me the “remember password” option despite uninstalling and reinstalling the latest version.

As I have a dislike of I.E. it appears that Chrome it must be.

Once again thanks.

Reply | Quote

Firefox does not give me the “remember password” option despite uninstalling and reinstalling the latest version.

Generally speaking, Firefox preserves your profile folder containing your bookmarks and settings when you reinstall. Perhaps there is a problem with your profile that is blocking the normal functionality? If you don’t like Chrome, you could try this:

[*]First, make a backup of your computer for safekeeping. To back up Firefox, see Backing up your information].
[*]Next, create a new (blank) Firefox profile. For more information on how to use the Profile Manager, see: Managing profiles.
[*]Assuming that works as desired, you can move key settings like bookmarks from your dysfunctional profile to the new one. For more information, see: Recovering important data from an old profile.

Any luck?

Reply | Quote

Thanks again. Have installed a 3rd party encrypted password manager, per Silver Lounger, for the odd times I want to use Internet Download Manager (it won’t integrate with Chrome).

Least-ways if someone knows how to integrate IDM with Chrome please give me a shout.

Reply | Quote

FWIW, I use Firefox’s password feature for all except banking sites; I use a master password which no one could possibly guess and keep that in my head only. That said, Firefox does occasionally forget to keep a password, or even loses one after it’s kept. So, I have a third-party program, Password Safe, which has all the really important ones and is very secure.

Reply | Quote

James, have you set FF as attachment ?

I dont use ANY program or FF to remember my passwords, I do it manually by writing The Lounge user name + P/W using notepad, Save as….. The Lounge for example. Then burn to CD RW’s (2 copys) then keep in safe a place. Password encryption may look good but have to be accessed to use them.

Reply | Quote

I use Lastpass myself, and can recommend it without reservation. It is very useful, and is probably more secure than storing your user IDs and passwords locally. If you don’t have a problem with storing that information online, I would highly recommend checking it out. With Lastpass, you remember *one* password, and that’s the one to access your Lastpass account. Lastpass stores the rest, and is better at recognizing log-in prompts, etc., than any of the browser-supplied password managers. It will also generate secure passwords, if you want it to do so.

Your Lastpass data is stored, encypted, on the Lastpass servers. No one can access it but you, as far as I can tell. I use Lastpass for passwords and form-filling, and Xmarks for bookmark syncing. Both serve as a backup copy of my bookmarks and user IDs and passwords.

If you don’t have any problems with storing your ID and password information “in the cloud”, I highly recommend Lastpass. But, you have to decide if that method will work for you, and if you’re comfortable with it.

Reply | Quote

I use Lastpass myself, and can recommend it without reservation. It is very useful, and is probably more secure than storing your user IDs and passwords locally. If you don’t have a problem with storing that information online, I would highly recommend checking it out. With Lastpass, you remember *one* password, and that’s the one to access your Lastpass account. Lastpass stores the rest, and is better at recognizing log-in prompts, etc., than any of the browser-supplied password managers. It will also generate secure passwords, if you want it to do so.

I have used LastPass for some time, but with a couple of reservation.

Firstly, it is unable to cope with the sites most in need of protection – bank and on-line trading accounts – where one enters a username followed by the answer to one or questions set by the account holder. The questions asked by the site vary, but Lastpass is unable to recognise them and will always insert the correct answer to the question(s) requested when first registering the site with LastPass.

It is easy enough to enter the answers manually, but this negates the time saving aspect of just entering the Lastpass password.

Secondly, and potentially more serious, is the fact that if a hacker or keylogger learns your LastPass password he has access to all your usernames and passwords. This makes me very dubious about using it outside the home, and why I was so concerned recently when I suspected a rootkit was present on my PC.

Reply | Quote

I have used LastPass for some time, but with a couple of reservation.

Firstly, it is unable to cope with the sites most in need of protection – bank and on-line trading accounts – where one enters a username followed by the answer to one or questions set by the account holder. The questions asked by the site vary, but Lastpass is unable to recognise them and will always insert the correct answer to the question(s) requested when first registering the site with LastPass.

It is easy enough to enter the answers manually, but this negates the time saving aspect of just entering the Lastpass password.

I find Lastpass useful even in situations where the log in requires a captcha or variable type info that you refer to
In my case the Bank site requires a log in ID plus a password and a (seemingly random number) from a security token
Logging in the first time Lastpass remembered all 3 items but upon return the last variable item was of course wrong
By opening the saved info in my LP vault and deleting that entry I now have LP autofill the 2 non-variable items and wait for me to answer the last one

So you are right that it can’t log all the way in without some manual handling but it goes as close as possible and frankly that is exactly what my Bank and I want in this case
Your point about keeping the Master Password safe is very valid
But then any safe is only effective if you keep the key out of the wrong hands
I find remembering one password/keyphrase and keeping it safe is easier than hundreds

Overall Lastpass allows me to use a strong, random & totally different password on every site I use with a minimum of fuss
The security that affords me outweighs any downsides

Reply | Quote

By opening the saved info in my LP vault and deleting that entry I now have LP autofill the 2 non-variable items and wait for me to answer the last one

Hi Splash,

After reading your posting I had another look at Lastpass and thought I had found the answer to the problem in Edit Form Fields, but it does not work for me.

A trading site that I visit at least once each weekday refuses to behave as you say it should. After removing the third field it persists in answering one of the questions and putting it in the space for the password.

I can go to Edit Form Fields, change the 5 digit answer to the 8 digit password, click update, select Edit Form Fields again and the password is correct, but when I try to log in to the trading site, it fails every time. I can see there are only 5 asterisks instead of 8 in the password field, and something has been entered in the third field, so it looks as though Lastpass isn’t going to wait for me to fill the third field.

Firefox may be the problem, or Windows XP, but something is wrong. After several days of completely removing my broker from Lastpass and starting again from scratch the problem persists. I have tried setting it up with only the user name and password filled in, but Lastpass will not do anything until all fields have been completed.

Unfortunately, it’s not possible to make too many attempts each day, as after 3 failed log-on attempts the account is suspended and it takes about a week to reactivate it, as they insist on sending every by post.

There is a password manager that one pays for, does anyone know if I’m likely to have the same problem with that? In the meantime I just have to continue entering the details manually.

Reply | Quote

Firefox may be the problem, or Windows XP, but something is wrong. After several days of completely removing my broker from Lastpass and starting again from scratch the problem persists. I have tried setting it up with only the user name and password filled in, but Lastpass will not do anything until all fields have been completed.

Unfortunately, it’s not possible to make too many attempts each day, as after 3 failed log-on attempts the account is suspended and it takes about a week to reactivate it, as they insist on sending every by post.

There is a password manager that one pays for, does anyone know if I’m likely to have the same problem with that? In the meantime I just have to continue entering the details manually.

Maybe I can be a bit more specific
As per the suggestion you followed I went to edit form fields and cleared any answers to the variable questions
I just retained the non-variables
Then I unticked the “Auto Login” option
Doing that for me means my site will load and then auto-fill the non-variable items
I can then fill the one item that is variable and click log-in
I can’t see why you shouldn’t be able to accomplish the same but as they say YMMV

With regards your question re: a paid product – I was a long term paid user of Roboform but have since moved to Lastpass completely
I was happy with Roboform and still have the licence
They offer a free trial – give it a go
For me the online access via lastPass.com makes the difference
Good luck

Reply | Quote

I’ve used KeePass for several years. You can keep everything on a USB key (portable version) and I did this for awhile. I’ve been using their password generator for sites needing to be especially secure. The kicker, of course, is the master password. That needs to be very secure and easily remembered. I have not used the form filler (KeeForm) extension. I run KeePass on three different computers; I need to manually copy the database to other computers after each change because there is no synchronization (portable version does solve this). I imported my passwords from another password manager I no longer use.

Reply | Quote

I’ve used KeePass for several years. You can keep everything on a USB key (portable version) and I did this for awhile.

I run KeePass on three different computers; I need to manually copy the database to other computers after each change because there is no synchronization (portable version does solve this). I imported my passwords from another password manager I no longer use.

I know KeePass is highly recommended by many. I think Kim Komando recommends it on her web site. For those that don’t like the idea of storing their info online, KeePass is a good option. As I stated earlier, I’m ok with the way Lastpass works, and the combination of Lastpass and Xmarks works really well for me. I use them both as a sort of backup of my “online stuff”. That is, when I set up a new system, I install both add-ons to all the browsers I use, and keep things synchronized between all of them.

Reply | Quote

Interesting conversations. I agree that using the browser to store passwords is unsafe for a number of reasons (some cured by having a backup copy) and there are a number of password managers that can store locally or online (or both). I have used Roboform Pro for a number of years with a master password. It will generate hard passwords as well. One caveat I would offer to the use of portable USB device is to make certain that it is encrypted — I have lost a few over the years before they came with security, luckily with nothing of import on them, and now use one that has its own security system.

Reply | Quote

As stated several times in several different threads, I use Last Pass as well. Last Pass uses a strong encryption system and as stated only needs one master password to be remembered. Last Pass also includes a very nice form filler that I use a lot for contest entries, online orders and such. I can load Last Pass onto any PC I wish and access my account by entering my email and Master password. I believe you cannot go wrong.

Reply | Quote

Thanks to all. Last Pass does the trick for me.

Reply | Quote

There are several free software apps that can recover passwords stored by browsers, e.g., NirLauncher (http://launcher.nirsoft.net/). I have run that one on my own machines and it works, easily recovering passwords stored by browsers. That being the case, I can reasonably assume that passwords stored by a browser are not sufficiently secure and could possibly be retrieved remotely. And that is why I never use a browser to store passwords. That type of software cannot retrieve passwords encrypted in something like Password Safe.

Reply | Quote

There are several free software apps that can recover passwords stored by browsers, e.g., NirLauncher (http://launcher.nirsoft.net/). I have run that one on my own machines and it works, easily recovering passwords stored by browsers. That being the case, I can reasonably assume that passwords stored by a browser are not sufficiently secure and could possibly be retrieved remotely. And that is why I never use a browser to store passwords. That type of software cannot retrieve passwords encrypted in something like Password Safe.

I dl’d NirLauncher and ran the PasswordFox against my own Firefox, which has the master password set. PasswordFox listed information about what sites I had saved passwords for and the fields in which the login/passwords are saved for, but it listed none of the actual usernames or passwords. I also it with the administrator option, but it found none of my logins/passwords for firefox.

Reply | Quote

I dl’d NirLauncher and ran the PasswordFox against my own Firefox, which has the master password set. PasswordFox listed information about what sites I had saved passwords for and the fields in which the login/passwords are saved for, but it listed none of the actual usernames or passwords. I also it with the administrator option, but it found none of my logins/passwords for firefox.

Thanks for testing this. Did you get any alerts that NirLauncher contained any trojans or backdoors itself? I’m curious to try it to test my own system.

Thanks

Reply | Quote

Hi guy’s no one has mentioned the secure login add-on for firefox is this any safer than firefox itself?

Edit:

Link to it.

http://securelogin.mozdev.org/

Reply | Quote

Since my principal browser is FF I am considering using a FF plugin called: PasswordMaker.

It has a unique feature in that it does NOT store (encrypted) passwords on the user’s computer or on a remote server. For the first visit to a site, it generates a password using an algorithm based on the user’s master password, the URL of the site, and several other factors. On subsequent visits to the site, the algorithm again generates the password. Here is the maker’s site:

http://passwordmaker.org/

Has anyone any experience with this. It would seem to solve the issue of exposing passwords to malware. One just has to remember the master password.

bc

Reply | Quote

It would seem to solve the issue of exposing passwords to malware. One just has to remember the master password.

Well, malware that looks for password files would be thwarted, but malware that listens for keystrokes, clipboard pastes, or other real-time activity might capture your password(s).

This approach does sound really convenient, but it seems like a mistake to have a single password that can be used to compute the password for all of your online accounts. I wonder whether you can somehow configure the software to have at least a few different “master” passwords (e.g., work; banking; social and webmail; and everything else).

Reply | Quote

FF and Master Password work for me and I am a cautious guy. PC’s are becoming a commodity and the software also. I can’t take the time to fiddle with all the extra cost addins and the base suppliers seem to be giving me what I need these days.

Reply | Quote

Folk can have their notions about how and why the browser database of passwords is insecure, but I have used them for years without a breech. I onlu use them for passwords to forums and less sensitive sites; for banking and ordering sites I do not use them, instead I use Password Safe.

If I have physical control of your computer I can probably find out everything no matter what you do unless you use strong encryption..

You’d be risking your life to gain physical access to my computers. I have copies of my Password Safe database in a safe place off site and on a usb drive with my portable SeaMonkey and office apps. I use PGP encryption on my Windows computers. My Mac is only used as one of the components in my music system and for its own updates.; my Ubuntu is for special uses.

Reply | Quote

Hi Splash,

Thought your mention of unticking ‘Auto Logon’ might be the answer, but I find that it wasn’t ticked.

Then I had an idea. As LP keeps entering one of the question answers in the password field I deleted the site entirely, logged in again, then entered my password in both the password and question fields – didn’t think it would allow this, but it did – before deleting the third field again. But that did not work either.

So I shall give Roboform I try. Thanks for reminding me of the name.

Reply | Quote

Hi Splash,

Thought your mention of unticking ‘Auto Logon’ might be the answer, but I find that it wasn’t ticked.

Then I had an idea. As LP keeps entering one of the question answers in the password field I deleted the site entirely, logged in again, then entered my password in both the password and question fields – didn’t think it would allow this, but it did – before deleting the third field again. But that did not work either.

So I shall give Roboform I try. Thanks for reminding me of the name.

Sorry this isn’t working – I can’t see any difference in our approaches or why the entry can’t be found and deleted when you edit the LP entry
Maybe delete the site and then add again
Only fill the non-variable fields and then manually save site
Or else put a different entry in each field (you said you put the same in a couple) so you can identify the entry to delete
E.G. but DeleteMe1 DeleteMe2 or whatever in the variable fields
Then save then edit and delete the fields you don’t want
This sounds like what you are doing and this is what I did – but it may not be working for you
Of course it is also possible that the (Trading) site in question is designed to foil any automated login and only accept manual answers
I would think this should be able to be overcome for the non-variable entries – but maybe not
Hope it works out for you

Reply | Quote

Hi, me again. Actually using Last Pass now. Thanks.

Reply | Quote

I have used Roboform Pro for years and have seen nothing better suited to my needs. Not only is it secure but it saves me huge amounts of time in keeping up with more than 100 passwords. That said I still do use the “Remember my password” feature in Fire Fox for websites I visit that require passwords but contain no critical personal information about me.

Reply | Quote

I’ve used PassPack for a few years now. Not quite as convenient if you have one computer/one browser, but a lot more secure. And since most of us now use multiple computers and browsers, PassPack is great for this. It encrypts your password collection into a pack on your local machine, then uploads it to their server. They can’t decrypt it on the server. You go to another machine and login, it downloads and decrypts your pack there. Plaintext passwords are never stored in permanent storage unless you export them. It has too many convenience and security features for me to list here–check it out. Works well now on the smart phones too (iPhone, Android, and I think Blackberry).

Reply | Quote

Any password cracker or similar program that accesses data in certain registry locations is going to cause a good AV application to throw up warnings. Same is true of just about any network sniffer programs. Don’t be alarmed, everything is simply operating as designed.

Reply | Quote

What happens with LastPass if you lose (or are without) an internet connection?

Reply | Quote

What happens with LastPass if you lose (or are without) an internet connection?

Hi Richard – Logging in to LP can be done on the local machine with or without net connection
Access to saved passwords and form info is achieved by log-in
I find that generally LP is focussed on web usage so it is not particularly useful if you aren’t on the net
From memory Roboform can be run external of browsers and can therefore be used to fill other forms – e.g. Acrobat docs
Roboform is superior in this regard – but I would never use that functionality
So for me the price (free), no limitations and the online accessibility of LP data wins out for me
YMMV of course 🙂

Reply | Quote

When using Firefox to remember website passwords, I find that Firefox will not give the option to remember the password if the website is using https (secure) communication.

Reply | Quote

To Richard N. – Adding to Splash’s comments, if internet connectivity is lost, a local encrypted copy is kept on your machine providing access once the Master Password is provided.

Reply | Quote

I moved to Lastpass about a year ago (recommended in a Windows Secrets newsletter). Having access to your passwords in the cloud is the answer to my using various computers and devices. I don’t need to carry anything and just remember one password. In a similar way, I also use Dropbox to store files that I need to access from other computers, plus it synchronizes them. (I was going to try putting Firefox bookmarks there..) I’ve even closed mail accounts that didn’t offer IMAP mail servers so I can read my mail on any computer and keep everything in sync. My phone can alert me to new mail and I can read it using a laptop logging on with Lastpass. Sound complicated but it actually quite simple.

Reply | Quote