The debate is ever-lasting – and the war never-ending! We are talking about the Internet browser wars here. A lot has been discussed about them recently. Some say Google Chrome is the fastest of ’em all. Others prefer Mozilla Firefox, some swear by Internet Explorer, and some very few by opera or Safari. However, when it comes to being the most secure browser, Internet Explorer wins hands down. Here is another example of it.
I tried experimenting a bit about how safe the browsers are when it comes to saving and displaying passwords and this experiment led me to dump Firefox forever and maybe will dump Chrome too in the near future.
I run Internet Explorer, Mozilla Firefox, and Google Chrome on my laptop. On a fresh Windows Ultimate OS install with no third-party ‘password’ software installed, I logged on to Twitter and allowed all the three browsers to save my password. And this is how they reacted respectively.
Firefox:
Firefox saving password
Firefox shows the password in plain text
After Firefox saved my password, the security options offer to show passwords. Upon selecting the respective website for whom you want to see the saved password (Twitter in this case), Firefox shows the password in plain text as shown above!
Chrome
Under the Personal settings, you find an option to Manage saved passwords. Upon selecting the respective website and clicking show, Google Chrome also shows the saved password in plain text! Moreover, unlike Firefox, Chrome does not even let you set a Master Password to protect these passwords!
What if somebody borrows my laptop for a minute and tries messing up with the saved passwords option? I lose my privacy and they get to know my password immediately, maybe without my knowledge too. This cannot be considered as a secure process by any means.
Internet Explorer
Though I allowed Internet Explorer to save my password, there just isn’t an option in the browser settings to view saved passwords in plain text. This definitely raises the security level and anyone who wants to view our saved password on Internet Explorer 9, would need to run third-party software, maybe IE PassView in order to view the saved passwords.
Internet Explorer prevents others from gaining access to the saved password log because it doesn’t have any viewing option in there.
Third-party software apart, the only browser that protects your saved passwords from being visible in plain text is Internet Explorer 9, while Google Chrome and Mozilla Firefox openly display the passwords to anyone.
Verdict:
Chrome, Firefox expose passwords in plain text, Internet Explorer does not.
Stay Safe!
I think that this is a good thing it as it shows users that their password aren’t really secure. You forgot to mention the fact that the password won’t be shown if the user has a master password in which case Firefox will “encrypt” them using that password. If user doesn’t know enough that they write their password under their keyboard or store it on plain text on the computer in a text file, they will never be secure. Now regarding the fact that giving someone your laptop to someone for 2 minutes, if the password is stored, they could access their account anyways and if they have access to the stored e-mail password they could even reset the password using an e-mail then change the e-mail address. You article seems very biased to Microsoft.
In practical application:
Firefox encrypts against a master PW when present.
Both IE and Chrome encrypt against the Windows profile/login password.
The argument that because IE doesn’t offer a native password manager it is more secure is a stretch at best.
The reason people save passwords is to prevent them from recollecting/remembering passwords from time to time. Add that to the woes of remembering a master password in Firefox.
Having been used Chrome more than Internet Explorer , I dont feel this is a biased take favoring Microsoft. It shows how a common user who is not any Web developer/geek can interact with a respective internet browser w.r.t saved passwords.
It really depends on your perspective, I suppose. I only allow browsers to save my passwords on computers I trust to be secure (currently only my desktop at home). Any other computer I wouldn’t let it save my password anyway, so this isn’t a security issue to me.
After reading through, I felt this article is just way too biased and shows total lack of analysis. In my opinion its more like IE’s lack of feature. you cant just say IE9 not revealing passwords “is a safety” feature simply like that. It sounds biased. Considering just few points,
1. Both Chrome & Firefox offers easy access to passwords in-case if you forget the password. most users need this, as they set “remember passwords” and forget it forever. and this feature also lets you protect it by a MASTER KEY again.
2. Both browsers offers security in master level. A Master password in firefox and User profile login in Google Chrome. So its user’s flexibility how much security he needs, he can lock it at level 1, 2 or 3.. or even leave it completely insecure if he believes he will be the sole user of that PC Account.
3. Windows User account password is another level of security. and you dont go around letting people use your personal computer’s user account unless you are not trusting that person. Like in real life, we dont let robbers sleepover at our own house. people who wants your password will definitely try to get them anyways, nevertheless.
4. Any given Windows user account has complete logical access to the password database, of any given browser by any number of ways, directly or indirectly. Therefore, if an unauthorized user has logical access to the computer, and the account is logged in or it is not password protected, the attacker can abuse account privileges, and illegitimately use passwords. Logical access can be obtained by having physical presence (walking up to the computer) or by using remote access client (VNC, Remote Desktop, etc.)
5. And for geeks and paranoid security freaks, you can always go a further step ahead in firefox, You can make the stored password encryption FIPS 140-1 compliant by using an alternate security module. “Tools > Options > Advanced > Encryption > Security Devices > Enable FIPS”. This improves the encryption strength and makes it more difficult for guessing programs to open the encrypted passwords database. (Federal Information Processing Standards Publications (FIPS PUBS) 140-1 and 140-2 are US government standards for implementations of cryptographic modules—that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations.)
Considering all this, This article shows complete lack of analysis, and judging “security” based on a bird’s eye view isnt cool.
totally agree with Corey. thats exactly what I felt too.
OK – So now what it means that to protect my passwords in Firefox and Chrome, I need to create another (Master) password! Simply Not Done!
You are a person with high self-esteem.
A good password manager will disable the PM the browsers build in. Never tried Firefox’s Master Password because I use Lastpass cross-browser password manager. Internet Explorer 9 is more secure but Firefox is the worlds best browser.
The saved passwords are secure, when Master password is set….but somehow i always forget passwords, so it was helpful to me to check it out….but again, i have set master password on my browser…anyone trying to view saved password should know my master password…..so to my point, they are totally secure!!!
I really wish this particular writer would focus more on facts rather that constantly trying (and failing) to prove IEs superiority as a browser.
First off, when the master password feature is used in Firefox, the passwords are not displayed in plain text, but are available to the owner if needed. Kind of a handy feature if you purchase a new computer and need access to the passwords stored in your old computer.
Another advantage is that you only need to remember a single password to access all of your favorite websites…and all those stored passwords.
Secondly, when the master password is used in Firefox, programs like WebBrowserPassView from nirsoft.net will not successfully display the password stored in the browser. The same cannot be said about IE because such password programs have no trouble at all displaying the passwords stored in IE…and there is no option to prevent it.
So in reality, and despite what this extremely IE biased article suggest, when Firefox is set up properly it is much more secure (and convenient) than IE in terms of passwords.
I Love Firefox and Im used to it since then ;)
but I dont use save passwords in firefox, instead I use cookies :D
That’s why we have Lastpass. But its also why I love Firefox, i always can easily find out my friends’ passwords. And I have a password on my account.
This article is misleading at best… the author should have done a little more research!
I totally agree with William. You should save passwords only on computers which you trust. BTW, both Firefox and Chrome options of saving passwords have their advantage when we forget passwords and frequently use some forums or websites. On the other side, IE offers a complete security from the start which is good. Finally, it depends on how you use your computer and what your needs are.
In IE, you can go to the website of which you’d want the password, and when the password is filled in type into the address bar
alert(document.getElementsByName(“password”)[0].value);
which will give you a nice popup box showing the filled password. Storing passwords is never safe. If that doesn’t work, check the name of the password field and use that instead of ‘password’
Conclusion: if you don’t want others to get your passwords, only store them on a pc you trust.
bad review, just sore a master password in firefox, and will need password to get into passwords