• Microsoft Edge imports other browsers’ passwords

    #2377024

    ISSUE 18.26 • 2021-07-12 PUBLIC DEFENDER By Brian Livingston When some readers installed the new Microsoft Edge browser — which replaces the old “lega
    [See the full post at: Microsoft Edge imports other browsers’ passwords]

    4 users thanked author for this post.
    • #2377033

      I would never, and did never, entrust my passwords to any of my browsers, to be harvested by Microsoft Edge.

      Could someone just reassure me that the passwords stored in my password manager of choice, RoboForm, are not being harvested in a like manner?

      Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

    • #2377042

      There should be a question raised when installing Edge/opening it for the first time – what do you want to import? I’ve seen that, but I don’t know the last version of Edge.
      If passwords are imported without user consent, that would be really bad. And dangerous at the same time, if the general password prompt does not pop up. But Windows itself does know your password, right? When exporting passwords from Chrome (for example), you are asked for the Windows password.

      Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

      HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      PRUSA i3 MK3S+

    • #2377030

      Hello Brian

      May I ask you a question? I have a Desktop PC, and since the news came out about Windows 11, I have been checking things relating to the latest version requirements.

      My Motherboard is an Asus H310M-K R2.0, which shows up on the Web as having the TPM installed, but it needs to be enabled. I have the latest Windows 10, Updates.

      I have searched on the Web to find out how to enter the BIOS to enable the TPM. I have tried a number of suggestions. I have entered the BIOS without any problems, but I have been unable to find the part needed for the TPM to be enabled. I would appreciate it if you could recommend step by step instructions on this Asus MB.

      Kind Regards

      Alfred Jones

      Moderator edit: Removed email address

      • #2377183

        There may or may not be a setting to enable TPM or even show it in your BIOS.  It should be in a Security or similar section.  You can look in Control Panel>Device Manager> Security Devices to see if it’s installed, then enable/disable there.

        Control Panel’s in Start Menu>All Programs>Windows System.  Right click, make a shortcut and drag to desktop.  All the good stuff’s in Control Panel.

      • #2377189

        Windows 11 Pro version 22H2 build 22621.2359 + Microsoft 365 + Edge

      • #2377376

        This sub-thread seems a bit off-topic for this article, but here’s my advice:

        Your motherboard and its support or lack thereof for TPM 2.0 is only one factor (OK, maybe several of the 11 readiness points) in determining hardware readiness for Windows 11.

        We would also need to know which processor you have installed. Windows 11 requires as of this posting, at least an 8th Gen Intel chip, or an AMD chip from Microsoft’s announced list of compatible AMD processors:

        https://docs.microsoft.com/en-us/windows-hardware/design/minimum/supported/windows-11-supported-amd-processors

        There are in total 11 requirements at this time for Windows 11 compatibility. Without full specs of what’s installed on your Motherboard, we cannot advise on how to achieve (probable) Windows 11 compatibility on your hardware platform.

        Enabling TPM 2.0 (if it exists) on your Motherboard is only one of eleven or more requirements for Windows 11.

        A recent article (paid version of AskWoody Plus Newsletter) suggests checking using a detailed third party Windows 11 readiness assessment tool like these:

        ReadySunValley

        https://github.com/builtbybel/ReadySunValley

        WhyNotWin11

        https://github.com/rcmaehl/WhyNotWin11

        Microsoft has removed its own Windows 11 PC Health Check utility. No one yet knows exactly why. Suffice it to say these requirements are a moving target.

        Until the official Windows 11 RTM version comes out, I don’t think anyone will know for sure what the final Windows 11 hardware requirements will be. Nor what will happen if you try to install and run Windows 11 on hardware not officially supported, but with hacks which are coming out every week.

        -- rc primak

    • #2377038

      I checked Edge, and it looks like I got lucky and had my settings set right so it didn’t do a hoover.

      “user friendly” is “nice”, but this is a security nightmare. Someone in the gov’t should be hammering MS over the head with a large bat / lawsuit for this insecure action. MS knows better.

      Why would they not provide a master password feature in 2021? Dumb, lazy programming!

      At the very least they should be clearly asking separately for permission to import passwords from each browser it finds installed.

      I’ve read through the article and either I missed it, or you don’t tell us how to flush passwords from any browser.

      Hint: that would be a really good followup article …

    • #2377068

      And passwords are not the only things automatically imported in the new Edge. It also imports avatars of profile pictures created in Chrome, perhaps even the profile pictures themselves. This all gives greater credence to my belief that Microsoft and Google have some unannounced agreement to share information between these two mega-corporations without telling anyone, possibly as a result of Google sharing the software associated with its Chrome browser with Microsoft so as to use it in the construction of the Chrome-based version of Edge. This kind of collaboration between two giant international corporations is possibly illegal as it may be an antitrust laws violation; and if I were Mozilla or Apple I would be taking a very hard look at this.

       

      • #2377377

        Both New Edge and Google Chrome are based on Google’s Chromium browser engine. They share a lot of code and features. Probably this behavior we are discussing is a result of the shared features, not some imaginary Google-Microsoft hegemony.

        The Chromium browser engine is open source, and is trusted by the Linux developer community. That’s not what would happen if this alleged hegemony were real.

        -- rc primak

        1 user thanked author for this post.
    • #2377110

      I got one better than that. I recently purchased a new computer, so I logged on to my Microsoft account and, lo and behold, Edge had all my shortcuts and passwords from my older PC transferred to my new one. At first I thought, where the heck are my passwords being stored, but then, the convenience was, well, amazing. lol

      🙂

      • #2377111

        This is what you get with a Google account too. You sync your passwords through all your devices. This should be handled carefully, and be aware where you log in to your account 🙂 This is meant to be that way.

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

        1 user thanked author for this post.
        • #2377243

          Thank you for clarifying, doreil. I can verify that if you never use sync on MS Edge you cannot get your settings back unless you made a backup. I recently accidentally deleted my MS Edge profile and lost all of my settings, extensions, and favorites. Online help states this is no problem. To get your profile back, all you have to do is select sync and log into your MS account. Well, not if you never synced in the 1st place. Luckily I had a recent manual backup.

    • #2377126

      We cannot always blame opportunists for stealing cars when the driver leaves the car running and doors unlocked while getting coffee at the local quickee mart.

      So accusing Edge of this and that, per se, when it comes to aggregating information from Firefox is not the issue.

      The issue at hand is Firefox for having allowed the door to be opened to begin with, and this permitted other browsers to violate our privacy.

      In this case cited by this article, our logins and passwords were covertly aggregated from Firefox. But are we not led to believe that the sole purpose of Firefox’s existence is to protect our privacy? If it’s not, then why not use the other browsers? Based on a number of posts by unhappy Firefox consumers that have experienced the new versions of Firefox as proverbial train-wrecks and demand to roll back to a functional version of Firefox or they will switch browsers, they are told in so many words, “You can take it or leave it for the other browsers.”

      I suppose the subsequent question is, what else had been / is being ascertained by other methodologies while using Firefox? I would bet there is a lot more than what we think.

      Imo, this is one example where Mozilla is talking the talk, but not doing the walk.

      1 user thanked author for this post.
      • #2377190

        Look into what happens when FF or anything else is allowed to sync.  Additionally, the OS can take whatever it wants from anything installed and do whatever it wants with it.  New Edge is Chrome in a wrapper, the most invasive piece of user data collection software in existence.  FF OOB isn’t any more private than any other browser.  It’s when you modify settings and about:config that it can be made much more private than any other browser.

        All browsers talk about privacy and security, even Chrome.  It’s close to meaningless, more experience channel curate gibberish.

        Up to users to determine what to do with all this, unfortunately.  User data collection is central to today’s online business models.  That needs fixed badly!

      • #2377286

        Firefox has a master password option, and with that set, it would not be possible to have the passwords imported automatically. When a master password is used, the password store on the disk is encrypted using a salted, hashed version of the master password. Without a master password, the passwords are easily readable by any process on the same user account.

        It is no secret that having a no master password setup leaves it wide open… this is not something that Mozilla can change, other than forcing people to use a master password (and thankfully they do not do that). The more secure option is yours to use, but it is not anyone’s job to try to force you to use it.

        Any other browser without a master password would be the same, and I am not sure if this is still the case, but a while ago Google was very adamant in their refusal to implement a master password in Chrome. People had been asking for one like Firefox has, but Google essentially told them to stop asking, because they had already said ‘no,’ and they were tiring of having to say it again.

        Firefox’s business model has nothing to do with trafficking in user data, and it only syncs if you log in with a Firefox account (which is totally optional) and tell it to begin syncing things. If you don’t like that, don’t create an account, or just don’t log in with it. It’s there if you want to use it, but it won’t happen without you knowing.

        I have a lot of issues with the way Mozilla has been behaving for the past decade plus, but that’s not one of them.

         

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
        XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
        Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)

        5 users thanked author for this post.
        • #2377382

          If a master password is set in FF, is it possible for ChrEdge to snoop our passwords and history without asking the user to do so? I’m asking because I don’t use FF. If the answer is yes, I’m starting to believe that Big Brother can be watching.

          Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+

          • #2377386

            That is the (insert monetary value here)-dollar question at this point. Has Edge scraped the data, or has a user left something in all-defaults?

            Firefox of all browsers, seems highly unlikely to have left import-export so out in the open, especially with regard to stored passwords. That said, without a Master Password, this feature in Firefox is a security risk, as it would be with a similar setup in any browser or application.

            -- rc primak

          • #2377402

            Firefox encrypts the password store on the disk if the master password is set, so it could not be read by any process that did not have the encryption key (which is derived from the master password). Without the master password, the password store is in plain text, since there would be nothing from which to derive the encryption key.

            “Serious” password managers that Brian Livingston recommends differ from most browser password saving features by virtue of requiring a master password. They’re always encrypted, and like Firefox with a master password, have settings where you can tell them how long to leave the password store unlocked after you enter the master password.

            Even with the store unlocked, the file on disk containing the password is unreadable without the encryption key, which other processes will not have. Malware could attempt to hijack the browser or password program that knows the master password, or to use some kind of exploit to try to read the encryption key directly from RAM allocated to the browser, or to use a keylogger to grab the password as it is entered into the password manager, but these are harder to accomplish than simply reading a plaintext file stored in a known location on the hard drive or SSD.

            Firefox does have a “Lockwise” password app for Android that works independently of Firefox, and from within Firefox, if you set the master password, it should be equivalent to a “serious” password manager as far as protecting the contents from potential malware.

            That said, I like Bitwarden. It has extensions for Chrome and Firefox, and there is a version of the Android app that has no telemetry (the version on F-Droid).

            Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
            XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
            Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)

            2 users thanked author for this post.
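The two posts above describe the master-password model the same way: a key derived from the salted master password, a store that is plaintext without one and unreadable on disk without the key, and an unlock window after which the key is dropped. The block below is an added example (not code from Firefox, Bitwarden or anyone in this thread) that implements that model in standard-library Python; the file layout, the PasswordStore class and the HMAC-in-counter-mode cipher standing in for AES-GCM are constructions for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile
import time
from typing import Dict, Optional

# Hypothetical store written for this thread: key derived from the salted master
# password, file unreadable on disk without it, and an unlock window that expires.
PBKDF2_ITERATIONS = 200_000
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32

def derive_key(master_password: str, salt: bytes) -> bytes:
    # Salted, iterated hash of the master password is the only route to the key.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in for AES-GCM (use a vetted library for real).
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
    return bytes(out[:length])

def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(hmac.new(key, b"mac", "sha256").digest(), nonce + ct, "sha256").digest()

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, ct)          # encrypt-then-MAC

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(_tag(key, nonce, ct), tag):
        raise ValueError("wrong master password or tampered store")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class PasswordStore:
    def __init__(self, path: str, unlock_seconds: float = 300.0) -> None:
        self.path, self.unlock_seconds = path, unlock_seconds
        self._key: Optional[bytes] = None      # derived key, held only while unlocked
        self.unlocked_at = 0.0

    def create(self, master_password: Optional[str], entries: Dict[str, str]) -> None:
        data = json.dumps(entries).encode()
        if master_password is None:
            # Nothing to derive a key from: plaintext, readable by any process on this account.
            blob = data
        else:
            salt = os.urandom(SALT_LEN)
            blob = salt + encrypt(derive_key(master_password, salt), data)
        with open(self.path, "wb") as f:
            f.write(blob)

    def unlock(self, master_password: str) -> bool:
        with open(self.path, "rb") as f:
            blob = f.read()
        key = derive_key(master_password, blob[:SALT_LEN])
        try:
            decrypt(key, blob[SALT_LEN:])     # a wrong password fails the tag check
        except ValueError:
            return False                      # key is never cached
        self._key, self.unlocked_at = key, time.monotonic()
        return True

    def is_unlocked(self, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        if self._key is not None and now - self.unlocked_at > self.unlock_seconds:
            self._key = None   # window expired; Python cannot guarantee RAM is wiped
        return self._key is not None

    def get(self, site: str, now: Optional[float] = None) -> str:
        if not self.is_unlocked(now):
            raise PermissionError("store is locked; enter the master password")
        with open(self.path, "rb") as f:
            blob = f.read()
        return json.loads(decrypt(self._key, blob[SALT_LEN:]))[site]

def secret_visible_on_disk(path: str, secret: str) -> bool:
    with open(path, "rb") as f:   # what any other process on the account sees
        return secret.encode() in f.read()

def run_demo() -> Dict[str, object]:
    site, pw, master = "example.test", "hunter2-constructed", "correct horse battery"
    r: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        plain = PasswordStore(os.path.join(tmp, "logins.json"))
        plain.create(None, {site: pw})
        r["plaintext_leaks"] = secret_visible_on_disk(plain.path, pw)
        secure = PasswordStore(os.path.join(tmp, "logins.enc"), unlock_seconds=60)
        secure.create(master, {site: pw})
        r["encrypted_leaks"] = secret_visible_on_disk(secure.path, pw)
        r["wrong_password_rejected"] = not secure.unlock("wrong password")
        secure.unlock(master)
        r["password_after_unlock"] = secure.get(site)
        r["locked_after_timeout"] = not secure.is_unlocked(now=secure.unlocked_at + 61)
    return r
```

The plaintext variant is what a browser profile looks like with no master password set; the encrypted variant shows why a wrong password yields nothing and why the unlock timeout matters once the key is in memory.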
        • #2377708

          Indeed! I have been observing how they have been behaving as well. And I think it’s time for a financial and morality audit of the Mozilla Non-Profit and the Mozilla For-Profit entities.

          Bottom line is that Mozilla promotes its product as a superior app for protecting our privacy. But clearly, it was disproven by the author of this article.

          Rhetorically speaking / asking: Why was our privacy not protected from the other apps installed on the machine by Mozilla? Why did Mozilla turn a blind eye at the back door in its browser? And how exactly is Mozilla using our personal information to further their undisclosed agenda and the marketing of their browser? And where is the revenue coming from (and used) for the operations of the Mozilla For-Profit entity?

          It would not be unreasonable to believe that the founding principles of Mozilla do not produce revenue.  Therefore, the principles are not invoked.  And its open-source browser is little by little being privatized.

          • #2377781

            Bottom line is that Mozilla promotes its product as a superior app for protecting our privacy. But clearly, it was disproven by the author of this article.

            That is incorrect. What you are describing is a security issue, not a privacy issue. They’re not the same thing. Firefox is superior to Chrome in privacy, and unless Google changed their edict about Chrome not having a master password, it’s superior in security on this one issue too.

            Rhetorically speaking / asking: Why was our privacy not protected from the other apps installed on the machine by Mozilla?

            Privacy protection on a browser is about keeping your info from being slurped by web sites. Other programs the PC user has chosen to run are not under that umbrella.

            Mozilla gives you the means to protect yourself with the options built into Firefox, unlike pretty much all the other browsers out there (excluding Mac– I have no idea whether or not Safari has that feature). They’re not going to force you to use the security features if you don’t want to. It’s not their job to force people to protect themselves or to make sure that everyone is doing things the way the security experts would have them do. It’s up to the user to make use of the tools provided in the manner he sees fit, and to bear the responsibility of those choices.

            If the other apps installed on the machine are not trustworthy, they are malware, and you should get rid of them. They can cause all sorts of problems for you even if you had the master password set in Firefox. That’s why it is important not to run just any old program from anywhere out there on the web… if it is programmed to do nasty things, letting it in past the perimeter is going to be trouble.

            What Edge did is presumptuous and in poor form, but it didn’t take people’s passwords and send them to hackers somewhere. The blame is on Microsoft for doing what it did without permission, not on Mozilla for not forcing people to protect themselves (which comes with a certain level of inconvenience and annoyance).

            Why did Mozilla turn a blind eye at the back door in its browser?

            There isn’t one (as far as anyone knows), and they didn’t. They’ve been the only browser in town that gives users the means to protect their passwords for years. If people chose not to, it’s on them, not Mozilla. Firefox is quite literally the best in class for this very thing you’re criticizing it for. None do it better, most do it worse.

            And how exactly is Mozilla using our personal information to further their undisclosed agenda and the marketing of their browser ?

            They use the information to see what features are used and which are not, but the information is not used to personalize ads or for any other purpose that requires a persistent ID. They don’t sell ads, and they don’t collect or sell personal data. There’s big money in that stuff, and they wouldn’t be dependent on the biggest villain on the internet (Google) if they had their own significant source of money.

            And where is the revenue coming from (and used) for the operations of the Mozilla For-Profit entity?

            I believe all of this information is a matter of public record.

            The “for-profit” bit of Mozilla is a tax classification. There are things that non-profits cannot do under US law (where Mozilla is incorporated), and to do these things without running afoul of tax law, they must have a for-profit bit. Not that there’s anything at all wrong with profit, of course. I wish Mozilla made more profit on its own so it wouldn’t have to be dependent on Google.

            Therefore, the principles are not invoked. And its open-source browser is little by little being privatized.

            The development of Chromium is completely controlled by Google. The only concern Google has for the development of Chromium is how it benefits Google’s downstream product, Chrome. Things that don’t benefit Google don’t make it into Chromium. It is not developed by or for “the community.” It’s developed by paid Google developers for the purpose of making Google money. Even so, it’s still open source, fully and completely, and because of that, it forms the basis of browsers like Brave, which are all about being private. That’s what “free open source software” means. It means you can take the code, read it, modify it, and use it as you see fit. It has nothing to do with it being developed as some part of a public service.

            Firefox is licensed under GNU, so it is impossible for it to become closed source. Anyone can modify the code as they see fit, but the GNU license requires that all such modifications be released under GNU licensing also.

            Chromium has component bits that are licensed differently, but the majority of it is Apache/MIT licensing, so it would be within the terms of the license for someone to take that code and make a derivative product and not make the code for the derivative product available. That was how Apple used a MIT-licensed flavor of UNIX to create the closed-source OSX. The MIT license is more free than GNU, but that means any derivative product could be made closed source. Firefox’s license does not permit that. It can’t be made closed source, and no product that uses Firefox code can be made closed source.

            That influx of corporate cash has kept Mozilla alive, and has brought great benefit to the Linux world. There is a great deal of corporate money pouring into Linux, and I am really glad it is, because it’s made Linux far better than it would be otherwise. Linux, like Mozilla, is licensed under the GPL, so any product that is developed from it must also be open source, no matter how much for-profit corporate money is invested in its development.

            Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
            XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
            Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)

            2 users thanked author for this post.
            • #2377866

              There is a saying, “you can’t see the forest through the trees”

              When a company, any company, promotes / markets a product, the consumer has expectations.  If those expectations are not realized, then there is a problem with the product and likely also with its manufacturer.

              So people can split hairs all they like. But security and privacy are synonymous to the consumer.

              Any claims that a certain browser is protecting one’s privacy but the app itself is not secure, then the claims are nothing more than smoke and mirrors, i.e., marketing mumbo-jumbo.

              What we need to see is what is behind the smoke. We need to see the real image and not the one conveyed in the mirror.

              For now, this is not about Google or Microsoft.  They are 100% profit motivated.  They do not claim to be otherwise.  And for this, we consumers can 100% trust them to do what they do – regardless if we like it or not.

              Instead this is about trust and integrity by an organization that  uses a set of principles to market its purpose to civilian donors and the world.

              This is about a non-profit that also receives federal funding, and not just from private donors.

              This is about a non-profit that allowed the creation of a for-profit entity that generates revenue via other for-profit businesses. So we can rest assured that Google is not the only one on the list that provides revenue.

              In simple terms, this is about two hands.

              One of the hands is about the principles. And for the other hand, it is about the principals. Principal vs Principle. Money vs Morality. It’s that simple.

              While at this time, we are not entitled to see the financial books of the for-profit side of Mozilla, I do believe in what I have read about  one of the expenses:

              Apparently, there is a yearly expense that equates to 3 million dollars.   I 100% believe this  expense is not justified. Subsequently, there are likely other expenditures that would raise our eyebrows because this is America and not the Vatican.

              Bottom line is, when it comes to protecting the consumer, this isn’t limited to a product, i.e., tree. Instead it is about the forest.

              Thanks Ascaris for your lengthy reply.  You made some great points that further add to the questions that are lacking answers at this time.

              I will bow out of this discussion and hope to see more ground breaking articles on this subject that seem to be long overdue.

              ~dbben  🙂

    • #2377150

      It is, or at least should be, considered very bad form to do something like this without asking the user for permission *first*.

       

      That being said, we are talking about a vendor that does whatever it wants to do and then either tells us that it was for our own good, or that they’re sorry and won’t do it again, until the next time they need to elevate one of their products over competitors in the market via shady tactics. Never facing any meaningful consequences for crossing lines of acceptable behavior is also another aspect in their favor.

      1 user thanked author for this post.
    • #2377168

      Microsoft Edge importing other browsers’ passwords.

      Company-wide we are heavily integrated with the Google environment, so this is not a choice. But I like to keep some work/life separation so I use Firefox for all my personal and family matters.

      Edge took bookmarks and passwords from BOTH and jumbled them together.  What a Mess!

      I just deleted everything from Edge.  But is there a trigger that will import them all again?  Next update?

      Is there a registry hack or group policy setting to disable this?

       

      • #2377197

        Chredge, the term I believe Susan coined is essentially Chrome and so, can be removed.  It can also be blocked in the firewall.  Do some searching online.  Chredge is not on any of our computers and they’re up to date.

        Using FF on a work computer for personal things is, kindly, self delusion.  Your IT dep’t has access to everything you do and history of all activities.  A phone using data, not wireless would be much better.

        Generally, unless you’re not responsible for them, don’t store ANY private data in a browser.  Browsers are mini-OSes, impossible to know all the secondary, tertiary, etc connections they make.

        • #2377288

          If you don’t trust the browser, not storing anything within it won’t help you much, as it could be doing all of that on its own, without telling you.

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
          XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
          Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)

          2 users thanked author for this post.
    • #2377278

      The security group also lists numerous exploits that hack into the old Windows Credential Manager and even some password managers, such as KeePass.

      … also including credential files for your real, serious password manager top-choice recommendation, 1password?

      Windows 11 Pro version 22H2 build 22621.2359 + Microsoft 365 + Edge

      1 user thanked author for this post.
      • #2377380

        See the original report from ISE:

        However, we found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state.

        https://www.ise.io/casestudies/password-manager-hacking/index.html

        This was in 2019. All the major Password Managers have taken steps since that time to mitigate the memory persistence issue. None that I know of has as yet completely eliminated the possibility of an attacker with local access to the computer, extracting persistent data including unencrypted passwords from RAM. Even with the Password Manager in a closed and locked state.

        Memory protection is an ongoing problem in computer security. No Password Manager, not even a paid one, has a “lock” on overcoming this class of threats.

        I do question whether there’s some hidden financial motive in knocking an open source password manager and recommending a commercial product?

        -- rc primak

        2 users thanked author for this post.
    • #2377300

      Not being totally sarcastic here, but isn’t software that harvests your passwords without your consent or knowledge, then leaves them even more vulnerable to theft (more than being in another browser to start with), pretty much one functional definition of malware?

      I mean, I joke about some MS stuff being malware (like what they did to Skype) , but this is actual, dangerous, malware.

      Paul Childs

      • #2377381

        Not necessarily.

        As I posted, New Edge and Google Chrome share a lot of code and many features. There does not have to be any cross-application spying to result in some stored data being shared between browser elements which are nearly identical between Edge and Chrome. Both are Chromium under the hood, and can exchange data (even unintentionally) between (or through) their shared elements.

        In this reported scenario, it appears that the behavior is more like two instances of Chrome syncing automatically by default than Edge scraping data from Chrome without user consent.

        The Firefox issue, if it is real, is much more troubling. I can’t imagine that Firefox and Edge share common elements or code. But their password storing may have cross-application “leaks” by default. Even this seems to me to be unlikely, given Mozilla’s contentious relationship with Microsoft.

        Sharing of passwords between Firefox and Edge without a user opt-in dialog would seem to run contrary to Mozilla’s stated concerns for user safety and security. Setting such sharing as the default would seem even more out of keeping with Mozilla’s stated security and privacy models.  But one never knows…

        -- rc primak

        • #2377693

          Based on my first hand experience with Mozilla people on their Chats and Forum sites, the current agenda(s) of Mozilla is/are in conflict with the founding principles of Mozilla.

    • #2377317

      I’ll throw in here that, for maybe a quarter of the web sites that require me to supply a username and password, I don’t particularly care if they are hacked or not. And for those sites, Firefox’s offer to save the name and password is a definite and appreciated convenience. The password used has probably been hacked and sold. So what.

      A lot of the sites requiring a password do so because it’s routine now to create an account with a username and password, or because it inflates their self-importance. Fine–but that does not mean that the password matters much.

      • #2377383

        A lot of the sites requiring a password do so because it’s routine now to create an account with a username and password, or because it inflates their self-importance. Fine–but that does not mean that the password matters much.

        I’m not sure I would want someone posting a review on a shopping site under my account which slanders the product, or endorses a product I don’t like.

        I also wouldn’t want someone to go onto some random tech site, using my Disqus credentials, and posting some insane ravings about something I don’t agree with. Or getting the account banned altogether for violating the Community Guidelines.

        There is no such thing as a “throwaway site” these days.

        -- rc primak

        • #2377396

          You’re positing a seldom-seen scenario: a site that requires a username but not a password.

          I’m not sure what a throwaway site is; I didn’t use the term.  I do think that consideration should be given to what level of security each site truly requires.  Some merchants still allow transactions to take place without an account (i.e., as a “Guest”), while others don’t, and the reasons for the difference are not clear.

          • #2378169

            I never mentioned any site which requires a login but does not ask to set up a password. I don’t know of nor use any such sites.

            A “throwaway site” means one where I don’t care if someone knows my password, because I am assuming no harm can be done by someone using my account on that site. So I can use a password someone can crack or guess, or one I use at a dozen other “throwaway sites”. I am arguing that I don’t know of any site where someone impersonating me can never do any harm whatsoever.

            -- rc primak

    • #2377341

      I’d recommend not to allow passwords to be saved or stored in an internet facing program. Keepass and others are far better dedicated programs for this with encryption. Browsers are trying to be everything these days, which is not good for security no matter what anyone claims. It’s at your own risk to trust them.

      2 users thanked author for this post.
      • #2377384

        Even offline password managers are vulnerable to RAM scraping. All of them.

        -- rc primak

        3 users thanked author for this post.
        • #2377385

          It’s hard to decide today. There are tens, hundreds of sites and software that require passwords. If you choose to store the password somewhere, it’s obvious that it’s less safe.

          The really sad fact is that we are often forced to periodically change those passwords; that’s why I understand that someone chooses a password manager.

          But this security issue is also part of the operating system – we all know those silly proclamations like “Welcome to the world of Windows 10, the safest and greatest system ever, bla bla…” Then their official browser literally steals your passwords from another browser. This is not an easy discussion.

          Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+

          1 user thanked author for this post.
        • #2377558

          Not sure if this helps, but I run my local only offline Password Manager just to extract the account logon information and once logged on, I re-lock and terminate the Password Manager.  It makes me nervous to leave a Password Manager unlocked or running in the tray.

          I also recommend all Password Managers (and encrypted disks) be configured to automatically re-lock based on timeout or system lock, in case the user forgets.

          Hopefully the developer of the Password Manager does the extra coding to clear memory of secrets to the maximum extent possible. I wonder if TPM 2.0 has support to solve this RAM scraping problem.

          And if the account is critical, a secure 2FA method should be in use as well.

          Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

          • #2377834

            Hopefully the developer of the Password Manager does the extra coding to clear memory of secrets to the maximum extent possible. I wonder if TPM 2.0 has support to solve this RAM scraping problem.

            It doesn’t. The TPM is a secure storage place for things like encryption keys (that could be used to secure a password store), but the system has to pull the key out of the TPM and place it in memory in order to use it. Once it’s in RAM, it is vulnerable to any malware that might seek to read such things right from memory.

            That’s not to say that it is simple for a malware process to just start going through the memory and look for anything interesting. There are a bunch of protections in place to prevent this kind of thing, but it’s a broad attack surface, and exploits are always possible. It’s also possible that side channel exploits (like Spectre) can be used to bypass the protection mechanisms that prevent an arbitrary process from sifting through the RAM (that has not been allocated to that process) and looking for something to steal.

            This whole thing is something of a tempest in a teapot, though. If you don’t have to enter a password to access any kind of sensitive information, of course it is vulnerable to being read by other processes, even if it is on an encrypted volume (which protects against offline attacks, but once it’s unlocked, as it is while the system is in use, it’s vulnerable).

            This isn’t unique to browsers or password managers, and it’s why you don’t want malware running on the system at all (rather than thinking it is possible to lock everything down enough to prevent malware from being able to do any harm at all). Invariably, the more locked down the system is against these kinds of threats, the more that legitimate uses are blocked or made much less convenient.

            The bit about Edge importing things without being asked is about the audacity of MS in just having it do that. It’s not remarkable, surprising, or scandalous in any way that it was able to import passwords from an unsecured password store. This is the expected situation, and it’s why Mozilla gives you the option of using a master password.

            Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
            XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
            Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)

            2 users thanked author for this post.
    • #2377412

      Well, I must have got lucky. Edge on my P.C. (recently updated) is completely gormless when it comes to passwords. I’ll try and keep it innocent like that.

    • #2377804

      We can all look forward to the day passwords go the way of the Command Line (still useful, especially in Linux, but largely deprecated). Then all we will have to worry about is the security and whereabouts of a dongle or a passkey. And the security of the passkey finder app on our phones. And the security of the phone finder app on our Smart TV remote.

      Isn’t there a children’s song about something like that? (Something about an old lady who swallowed a fly.)

      Well, you can’t lose a biometric, can you?

      -- rc primak

      • #2377835

        Well, you can’t lose a biometric, can you?

        Yes. A fingerprint can become useless if there is a cut on the pertinent part of the finger, for example, or (heaven forbid) the finger is lost somehow. And if the biometric data or their analog precursors, like an actual fingerprint on an object, are harvested by an attacker who has a method of turning them into a useful exploit (like the one where security researchers were able to use gummy bears to fool a fingerprint sensor), you can’t just change your fingerprint the way you could change a password.

        Biometrics are best used as a security enhancement to an existing conventional (password and user ID) login, not instead of one. Many of the things that make password managers vulnerable apply to biometrics too. The encryption key in RAM is no less vulnerable on a system with biometrics than one without, or from one that uses two factor authentication.

        I would not want passwords to go away. The replacements have invariably been less secure and with greater attack surface. These replacements are not necessarily meant to be more secure (though they would be if they were used with a password and not instead of one), but rather more convenient, which can have the effect of increasing security if the inconvenience of the old method caused the user to not have a password or to use one like ‘123456’ or ‘password’.

        It’s something of a paradox that security can sometimes be increased by decreasing security, or its inverse:  Sometimes making something a little bit more secure (and a little less convenient) results in less security, as people quit using the security feature that has become too much of a pain in the rump for them to tolerate.

        This is a personal choice that every person has to make. How much inconvenience are you willing to tolerate for the purpose of security?

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
        XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
        Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)

        3 users thanked author for this post.
    • #2377856

      I just wanted to give a special thanks to Brian for this article that solved a problem I have had for decades. I never knew where that irritating popup, “Save password?”, came from. I thought it was from Windows but could not find how to turn it off as I never save passwords in some unknown place in my PC. After reading Brian’s article I saw his reference to Browser/settings/password and there it was, a button to turn off, “Offer to save passwords?”.

      Many thanks, Brian!!!!

      • #2377872

        I thought it was from Windows but could not find how to turn it off as I never save passwords in some unknown place in my PC.

        It depends on what browser you are using.
        Native Windows browsers (e.g. Internet Explorer or Edge) store your passwords in the old Control Panel >> Credential Manager. That’s the unknown place where your stored passwords can be seen, modified or deleted.
        Firefox or Chrome use their own storage inside the program itself.

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

        4 users thanked author for this post.
        • #2377898

          Native Windows browsers (eg Internet Explorer or Edge) do store your passwords in the Old Control panels >> Credential manager.

          Legacy Edge only. Is anyone still using that?

          Windows 11 Pro version 22H2 build 22621.2359 + Microsoft 365 + Edge

          1 user thanked author for this post.
          • #2378635

            Legacy Edge only.

            You are correct; now I tried ChrEdge (91.0.864.70) and it does not store passwords in the old Control Panel anymore. It offers exactly the same options as Chrome does. The menu looks the same. What’s the purpose of this copied browser, maybe to promote MSN and Bing?
            Interesting is the option to check if my password leaked on the internet. Dunno how it performs the check, but still it offers the option. It definitely recognizes the Admin-Admin credentials combination and immediately tells me that this combination is not secure and the password “leaked to the internet”. Same as Chrome.

            Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

            HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

            PRUSA i3 MK3S+
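
The post above asks how a browser can tell that a password has “leaked to the internet”. The page does not say how Edge or Chrome implement their check, so the block below is an added illustration, not either browser’s code: it demonstrates the k-anonymity “range” design published for the Pwned Passwords API, in which the client hashes the password locally, sends only the first five hex characters of the SHA-1 hash, and matches the rest of the hash itself, so the password (and even its full hash) never leaves the machine. The breach corpus, the counts and the `server_range` function are constructed stand-ins for a remote service.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed stand-in for a breach corpus (password -> times seen in breaches).
# A real service holds hundreds of millions of entries; these values are made up.
CONSTRUCTED_LEAKED: Dict[str, int] = {
    "password": 9_000_000,
    "123456": 23_000_000,
    "admin": 1_500_000,
    "letmein": 300_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the hash form the range scheme works on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """What the service stores: for every 5-hex-char prefix, the remaining 35 hex
    characters of each leaked hash in that bucket together with its breach count."""
    index: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        index[h[:5]].append((h[5:], count))
    return index


# Built once from the constructed corpus; plays the role of the remote database.
RANGE_INDEX = build_range_index(CONSTRUCTED_LEAKED)


def server_range(prefix: str) -> List[Tuple[str, int]]:
    """Server side (constructed): it learns only the 5-character prefix and returns
    every (suffix, count) pair in that bucket, so it cannot tell which one the
    client is interested in."""
    if len(prefix) != 5:
        raise ValueError("range queries carry exactly 5 hex characters")
    return RANGE_INDEX.get(prefix, [])


def check_password(password: str) -> Tuple[bool, int, str]:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns (leaked?, breach count, the prefix that actually left the client)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for candidate_suffix, count in server_range(prefix):
        if candidate_suffix == suffix:
            return True, count, prefix
    return False, 0, prefix


if __name__ == "__main__":
    for pw in ("admin", "correct-horse-battery-staple-2021"):
        leaked, count, sent = check_password(pw)
        print(f"{pw!r}: leaked={leaked} count={count} prefix_sent={sent}")
```

The point to take from the demo is the third element of the result: the only thing that crosses the wire is a five-character prefix shared by a large bucket of unrelated hashes, which is why a browser can offer this check without exposing the password to the service performing it.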

    • #2378202

      If you don’t understand the logic of having a master password on your browser password stores, then you deserve all that comes to you due to that choice.

    • #2378344

      After reading this thread, I am thinking now about further expanding my use of 2FA with an authentication app.

      With the sites that I use it on now, I have enabled the feature to always allow this browser without the need for authentication. Are there any security risks using the 2FA authentication like that?

      Thanks

      • #2378638

        Not sure if I understood the question correctly.

        With the sites that I use it on now, I have enabled the feature to always allow this browser without the need for authentication. Are there any security risks using the 2FA authentication like that?

        Where is the 2FA, if you log in “without the need for authentication”?

        2FA means that even if you log in with your password, you still need the second authentication step. If you choose to save the first-step password, you are going to be asked for the second step anyway.

        The second step is always dynamic. It’s never the same twice in a row. The second step is a token, code, or other passphrase sent to your mobile phone or email. It was generated by a server and it’s valid only for a limited amount of time.

        This is the downside (although very improbable):
        So if someone steals your password, he will need the second one too. Beware that if your password is SMS, SMS is most likely to be displayed on the mobile phone in the locked state. So if the attacker steals your password and your mobile phone, he is able to hack your account even without the unlocking code for your mobile phone.
        You can disable displaying SMS on the lock screen, same with email, if your second factor is sent by email. SMS and email can be read on the locked screen of your mobile phone.

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

    • #2378813

      I am not using SMS for the 2FA code, I am using an app, Microsoft Authenticator.

      When you log in to a website that you have enabled 2FA on, after you enter the code from the authenticator app, you are asked if you want to “allow” this browser for 30 days, not needing the 2FA code for that period of time.
      Obviously a malicious someone sitting in front of your computer would still get in too, but this thread has been discussing the threats from malware that is operating in the user account, and it is that aspect of security that I am asking about.
