I certainly wouldn’t say incredibly stupid at all. But it’s definitely an additional risk, and one that needs to be understood.
But you’re correct in considering physical security first. The problem is that people often assume they have more physical security than they actually do.
And master passwords? Well, they’re nice, but they too have their limitations.
Remembered passwords in Firefox
If you’re at all wondering why this is even an issue, and you have Firefox remember passwords for you, do the following:
Yes, the Show Passwords button.
A few clicks and all your passwords are visible.
While I’ve obscured my own information, that dialog shows a list of URLs, Usernames and Passwords as remembered in my copy of Firefox. All we had to do was walk up to the computer and follow the simple instructions above to make all passwords clearly visible.
That should have you thinking very carefully about your security.
Anyone who can walk up to your computer can do that, and pretty darned quickly.
Mitigating the risk of remembered passwords
What can you do? There are several approaches.
- Do nothing but rely on physical security. Depending on your circumstances, this may be a viable approach. The key is that you must be certain about your physical security. That means you know that your machine cannot be easily stolen, and that no one can simply walk up to it and access Firefox’s remembered password list.
- Clear the list and stop remembering passwords. This is actually what I recommend. As an alternative, I use LastPass, which allows me to store my password database where I choose, and keeps it securely encrypted as well.
- Use a master password. Firefox allows you to select a master password which is used to encrypt the stored passwords. In theory, without knowing the master password, you cannot access the stored passwords.
Here’s the problem I have with master passwords and remembered passwords: traditionally browsers have been built for browsing first, and on-machine security second. I was able to find at least one password-cracking tool aimed specifically at the Firefox master password. If someone with malicious intent can steal your computer, or Firefox’s encrypted files, they still have a reasonable chance of breaking through this security and gaining access to your remembered passwords.
Aside from that, and as with any password, one key is to make it as strong as possible. My take is simply this: it’s like a padlock. It’ll keep most people out. However, if someone who knows what they’re doing comes along with a large enough crowbar or a bolt cutter, it’s possible that they could get in.
My rules are very simple:
- Never use the browser to remember passwords on a computer you don’t control completely. Period.
- Never use the browser to remember passwords on a portable computer, even if it’s yours. If it’s stolen the thief can take all the time he needs to crack it.
- In fact, never use the browser to remember passwords. Instead, use tools specifically written for the task like LastPass, Roboform or others. On top of that, use a good, strong master password, and set options such that the master password is required after the machine’s been idle for a while.
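As an added example, not from the original article: a small Python audit of a Firefox profile that checks the two things the "stop remembering passwords" recommendation turns on, whether the signon.rememberSignons preference (a real Firefox pref, true by default) still allows remembering, and whether a saved-logins file is present on disk. It assumes the file names used by current Firefox releases (logins.json, key4.db) and the prefs.js line format; the sample profile contents are constructed.

```python
import re
from pathlib import Path

# Firefox writes preferences as lines of the form  user_pref("name", value);
# into prefs.js in the profile directory; user.js holds overrides applied at startup.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Map pref name -> raw value text (e.g. 'true', '"https://..."') from prefs.js-style input."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def audit_profile(prefs, files_present):
    """Return a list of findings for one profile (empty list means nothing to flag)."""
    findings = []
    # Absent pref means the default, which is to remember logins.
    if prefs.get("signon.rememberSignons", "true") != "false":
        findings.append("password remembering is enabled (signon.rememberSignons != false)")
    # logins.json is where current Firefox keeps saved logins (assumed file name);
    # key4.db holds the key that protects them, with or without a master password.
    if "logins.json" in files_present:
        findings.append("logins.json exists: saved logins are present on disk")
    return findings

def scan_profile(profile_dir):
    """Audit a real profile directory: read prefs.js and list the files beside it."""
    d = Path(profile_dir)
    pref_file = d / "prefs.js"
    text = pref_file.read_text(encoding="utf-8") if pref_file.exists() else ""
    return audit_profile(parse_prefs(text), {p.name for p in d.iterdir()})

def hardening_user_js():
    """The user.js line that turns remembering off; Firefox re-applies it on every start."""
    return 'user_pref("signon.rememberSignons", false);\n'

# Constructed sample profile: a prefs.js fragment and the files sitting next to it.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.com/");
user_pref("signon.rememberSignons", true);
'''
SAMPLE_FILES = {"prefs.js", "logins.json", "key4.db"}

if __name__ == "__main__":
    for finding in audit_profile(parse_prefs(SAMPLE_PREFS), SAMPLE_FILES):
        print("FINDING:", finding)
```

Running scan_profile against a real profile path reports the same findings; clearing the saved list inside Firefox and dropping the hardening_user_js line into user.js makes both findings go away.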