I think in their view, Safari's method of prompting for the login password isn't really more secure because if an attacker gets your account credentials, it doesn't make much difference if he has to enter them once or twice.
It's possible (and far more common) to gain access to someone's computer without actually knowing their login information. Locally: someone gets up to go the bathroom and doesn't lock their screen. Remotely: entice someone to open an email attachment or go to a malicious website.
Good point. That Google developer seems to think that users should lock their account when they step away from the computer and that it's the users' problem if they don't and something happens as a result.
Great comment. I never use password store feature either. What's our brain for?
If you are using a Mac however, the keychain stores all kinds of certificates and passwords and every time I've ever looked at it on someone's computer, it generally has saved passwords in it that the user is unaware are even there. All it takes is one errant click one day when you are busy and you've saved a password.
Granted, Apple's keychain is highly secure and (rightly) requires your password to reveal what it contains, but another really common mistake of the average Mac user is not to have a password on their user account in the first place. So that leaves a lot of people in the exact same spot as the Chrome flaw we are talking about does. People are generally idiots when it comes to this stuff.
There is no need to use a third party password saver, Safari and the keychain do an excellent job of it, they are free, and they are probably more secure than anything else also, but absolutely huge numbers of people don't even use the user account password, which in this case is the "master" password that controls everything.
I would argue that in the first example (leaving your computer logged on and unattended), the person deserves whatever they get, but in the second example, it actually doesn't happen as often as you might think. I work with hundreds of people who know nothing about computers or viruses and many of them aren't that smart, but only once or twice a year (if that), does anyone get tricked into putting their personal credentials into a web site or email scam.
I think the Chrome team may be missing the point. It doesn't take a hacker to exploit this feature. Anyone in the world can be a hacker with this in place. Many people leave their computer for a minute at work; now instead of posting a silly message on their Facebook wall, somebody can find all of their sensitive data in a minute, and bring that knowledge onto their own computer. At least make it take longer than 45 seconds to compromise all passwords to sensitive websites.
I think in their view, Safari's method of prompting for the login password isn't really more secure because if an attacker gets your account credentials, it doesn't make much difference if he has to enter them once or twice. Safari would be more secure if it instead required a separate password distinct from the user's login password.
Which it does, it is just set to the user account password by default. I think the default setting is also for the keychain to stay unlocked (while a user is logged in).
But you can easily give the keychain a separate password which means when you want to use it for filling in a password you have to enter that password (either once per login or every time, as you wish).
I would argue that in the first example (leaving your computer logged on and unattended), the person deserves whatever they get.
I had left my computer unattended and remained logged in because my computer was in my locked house. But then somebody broke into my house and took the computer with him. Fortunately that person wasn't too bright and I was very lucky because three days later the thief was caught while breaking into another house and I got my computer back.
A very smart thief might have just installed spy software on my Mac. A merely smart one would have changed the password for my email accounts and then used the email accounts to reset most of my other passwords (I spent a few hours resetting most of my passwords the moment I noticed the theft, which was only about three hours later). My thief instead googled for 'Windows password recovery' (I saw this from his browsing history).
Nevertheless, I did restore from a backup prior to the theft just to be sure in case somebody had tampered with my computer. And I now have my computer lock after a few minutes and use full disk encryption.
Good point. That Google developer seems to think that users should lock their account when they step away from the computer and that it's the users' problem if they don't and something happens as a result.
Whoever believes there should only be one security level ever is very optimistic or rather very naive.
So... let me get this straight... they compare someone... maybe a roommate... or a coworker... etc... with a couple minutes and the tech savvy of going to the control panel for a looksie to someone who is going to "dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software."
That's like not locking your door because someone could throw a brick through the window if they really wanted in.
Translation: "If we fix this gaping security hole, then we'll feel pressure to fix all of the other security holes we so carefully crafted. This isn't good for our business or the NSA's."
Reminds me of Microsoft and Windows, where the security holes were features.
The timing is nearly perfect considering that Apple has become a leader in information security in the past few years and may soon become the leader in information security.
If Apple releases biometric security measures in conjunction with iCloud Keychain using 248 bit Triple DES encryption Apple will make Google look very amateurish.
Why do any of these browsers offer a way to view cached passwords? If none of them offered that, there'd be no need to debate the best way to protect access from unauthorized users
In case you forget your password when you have to change it.
In many cases, physical access means "game over" as far as security is concerned.
Exactly, once you have the user's admin password it's all over. Apple is especially vulnerable to this as you can change the password with just an OS X boot drive. Yes you can turn this off but I have yet to meet someone who has done it. Even if it's turned off I can still slave a MacBook or iMac with a FireWire and grab all information off of the hard drive, unless it's encrypted of course. Anyway, once the password is changed, log in with the new password and type "security find-generic-password -l AppleID -w" in the terminal to see all of the passwords stored in the Keychain.
When storing web passwords I recommend using Norton's Secure Web, there are plugins for all of the major browsers.
Good point. Will this work:
Set up auto-locking:
1. Launch "Keychain Access".
2. Right click on "login" keychain.
3. Click "Change Settings for Keychain 'login'".
4. Check the "Lock after:" box.
5. Change the minutes of activity to whatever you want.
You have the option of auto-locking after zero minutes of inactivity. You'll need to enter your master password every time Keychain needs to be accessed.
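The same "Lock after" setting can be applied and checked from a terminal instead of clicking through Keychain Access. This is an added example, not from the thread; it uses macOS's `security` tool and assumes the login keychain lives at the default path `~/Library/Keychains/login.keychain-db`.

```bash
#!/bin/sh
# Added example (not from the original thread): script the Keychain Access
# "Lock after N minutes" setting with macOS's `security` command-line tool.
# Assumption: the login keychain is at the default modern path below.
KEYCHAIN="${HOME}/Library/Keychains/login.keychain-db"

# Keychain Access asks for minutes; `security set-keychain-settings -t`
# wants seconds. Reject anything that is not a whole number.
minutes_to_seconds() {
    case "$1" in
        ''|*[!0-9]*) echo "minutes must be a non-negative integer" >&2; return 1 ;;
    esac
    echo $(( $1 * 60 ))
}

# Equivalent of steps 1-5 above: lock on sleep (-l) and lock after the
# timeout (-u -t). Zero minutes means the keychain locks immediately, so a
# password prompt appears on every access, as the post describes.
set_login_keychain_lock() {
    secs=$(minutes_to_seconds "$1") || return 1
    security set-keychain-settings -l -u -t "$secs" "$KEYCHAIN"
}

# Print the resulting lock settings so the change can be verified afterwards.
show_login_keychain_lock() {
    security show-keychain-info "$KEYCHAIN"
}

if command -v security >/dev/null 2>&1; then
    # Default to a 5-minute timeout; pass a different number of minutes as $1.
    set_login_keychain_lock "${1:-5}"
    show_login_keychain_lock
else
    echo "macOS 'security' tool not found; nothing changed" >&2
fi
```

Run it as `sh lock-keychain.sh 0` for the "zero minutes" setting from the post; on anything other than macOS it only reports that the tool is missing.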
,but... I still laugh at it.
In other news hermits say this is a non-issue.
How many Google Engineers does it take to change a light bulb?
None - Google Engineers just suck all the light out of you they need.
Quote:
Originally Posted by ipen
(no culture, no products, no respect for privacy, no talent, mother of all dumbs) = failed company. Glad I didn't have GOOG.
(great culture, great products, great respect for privacy, great talent, mother of all talents) = successful company. Bought AAPL.
But wait, GOOG is up 26% YTD and AAPL is down 12% YTD?
But wait since 2009 GOOG is up 277% but AAPL is up 506% during the same period
more like, who bothers putting locks on the closet doors?
More like locking a safe than locks on a closet.