Major password managers unsecure: tests
Security: Robert Chapin says he’s gone off Firefox.
Right off.
The owner of Chapin Information Services says that after testing six of the most popular password managers, he found that five failed even the most basic security requirements, with undesirable consequences.
“Internet password managers need to know two things to be secure,” he says. “Which website is requesting a password? And, to which website is a password being delivered?”
He goes on:
Internet Explorer keeps track of the first question, but it will freely submit passwords to the wrong website.
Firefox can keep track of the second question, but it doesn’t know the difference between administrative credentials and a guest book login at the same .com domain.
RoboForm and Sticky Password don’t seem to know either one, leaving a user helpless when they decide to submit a password.
Clipperz, which creates a one-click sign in using the form details from a user’s screen, leaves the user wondering where it might deliver that password when used.
The Opera browser, though, prompts to save each password with an option to restrict where it may be used, says Chapin.
“The built-in password manager also prevents saved passwords from going to the wrong website, and it passes as many additional tests as Firefox and Internet Explorer combined,” he states, adding:
“All six password managers failed to warn if a new password was being directed to a different website from the one displayed on screen.
“Also, all six failed to check which address ‘path’ should be used to deliver passwords, and failed to prevent passwords from being added to the address bar itself, which is displayed on-screen.

Interestingly, Firefox 3.0 was found to be the only password manager that always obeys the ‘Autocomplete’ feature that many websites use to forbid password management. Even the former Firefox 2.0 is unable to pass this test. And ironically, Firefox 3.0 does not obey the password field name feature, specified as an ‘Autocomplete alternative’ on the Firefox website.
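The two questions quoted above, plus the path, address-bar and Autocomplete checks the report says the managers skipped, can be written down as one autofill decision. The following is an added example written for this page; it is not code from Chapin Information Services, p2pnet, or any of the six products tested. The credential store, the host example.com and the /admin/login and /guestbook/ paths are constructed for the demonstration.

```javascript
// Added example (not from Chapin's report or any browser): a minimal autofill
// policy that answers "which site is requesting?" and "where will the password
// be delivered?", and also applies the path, address-bar and autocomplete checks.

// Constructed credential store. Each entry remembers the origin AND the path it
// was saved under, so an admin login and a guest-book login on the same host
// are kept apart (the Firefox case described in the text).
const SAVED_CREDENTIALS = [
  { origin: "https://example.com", path: "/admin/login", username: "root", password: "hunter2" },
  { origin: "https://example.com", path: "/guestbook/", username: "guest", password: "welcome" },
];

// Directory part of a path: "/admin/login" -> "/admin/", "/guestbook/" -> "/guestbook/".
function dirOf(pathname) {
  return pathname.slice(0, pathname.lastIndexOf("/") + 1);
}

function withinDir(pathname, savedPath) {
  return pathname.startsWith(dirOf(savedPath));
}

// pageUrl: the address shown in the address bar (the site the user sees).
// form:    { action, method, autocomplete } as read from the <form> element.
// Returns  { fill, reason, username? }.
function decideAutofill(pageUrl, form, store = SAVED_CREDENTIALS) {
  const page = new URL(pageUrl);
  // A relative action resolves against the page; an absolute one can point anywhere,
  // which is exactly the "delivered to the wrong website" failure.
  const target = new URL(form.action || "", pageUrl);

  // Question 2: the password must go to the same site the user is looking at.
  if (target.origin !== page.origin) {
    return { fill: false, reason: `form would deliver the password to ${target.origin}, not ${page.origin}` };
  }
  // Address-bar check: a GET form encodes every field into the URL on screen.
  if (String(form.method || "get").toLowerCase() !== "post") {
    return { fill: false, reason: "GET form would place the password in the address bar" };
  }
  // Honour the site's request not to manage this form.
  if (String(form.autocomplete || "").toLowerCase() === "off") {
    return { fill: false, reason: "form sets autocomplete=off" };
  }
  // Question 1 plus the path check: the requesting page and the form target must
  // both sit under the directory the credential was saved for.
  const match = store.find(
    (c) => c.origin === page.origin &&
      withinDir(page.pathname, c.path) &&
      withinDir(target.pathname, c.path)
  );
  if (!match) {
    return { fill: false, reason: "no credential saved for this origin and path" };
  }
  return { fill: true, username: match.username, reason: "origin, path, method and autocomplete checks passed" };
}

// Stand-alone demonstration over constructed forms.
const DEMO = [
  ["https://example.com/admin/login", { action: "/admin/login", method: "post" }],
  ["https://example.com/admin/login", { action: "https://evil.example/steal", method: "post" }],
  ["https://example.com/guestbook/", { action: "/admin/login", method: "post" }],
  ["https://example.com/admin/login", { action: "/admin/login", method: "get" }],
];
for (const [pageUrl, form] of DEMO) {
  console.log(pageUrl, JSON.stringify(form), "->", JSON.stringify(decideAutofill(pageUrl, form)));
}
```

The guest-book case is the one the text singles out: a form on /guestbook/ that posts to /admin/login is refused because neither saved entry covers both the requesting page and the delivery path, even though the host matches. Real browsers apply more nuance (for example, treating HTTP and HTTPS origins differently), but the four checks above are the ones the report measured.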
Chapin Information Services - Major Brands Fail Password Manager Testing, July 24, 2008