W3C home > Mailing lists > Public > www-archive@w3.org > August 2013

Re: Tweet about Passwords

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 16 Aug 2013 03:54:43 +0000 (UTC)
To: Tim Berners-Lee <timbl@w3.org>
cc: www-archive@w3.org
Message-ID: <alpine.DEB.2.00.1308160343220.5474@ps20323.dreamhostps.com>
On Thu, 15 Aug 2013, Tim Berners-Lee wrote:
> Only Chrome, AFAIK.  FF, Safari both ask for a password.

Firefox doesn't ask for a password for >90% of users.
Chrome, IE, and Safari all use the OS system password service.

I don't understand what you think is the difference between the browsers 

> The attack is by colleauges, members of family, etc, not by hardened black hats.

In all cases, if you have access to the machine, all it takes is trivial 
software that's widely available to snoop on anyone else using the 
machine. Or, even without such software, you can just go to the relevant 
site, have the browser automatically log you in, and you don't even need 
the password (and you can grab the password using a trivial bookmarklet or 
using the browser's built-in tools).

Fundamentally, if you have physical access to the machine, asking for an 
additional password doesn't do anything to stop you. In all cases, the 
passwords are available unprotected if you are logged in. (Indeed, with 
Firefox, which doesn't use the system password service as I understand it, 
the passwords aren't even encrypted.) If you don't trust your colleagues
or family members to not snoop on you, you _really_ shouldn't be giving 
them access to your computer.

It doesn't take a "hardened black hat". The software you need to do this 
kind of thing is widely available online, and one's sister would have no 
trouble finding it.

Pretending that you have protected the system by asking for an unnecessary 
password doesn't improve security, it's just security theatre. Indeed, it 
is probably counter-productive: it makes the user think it's safer to hand 
the machine to someone else than it actually is.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 16 August 2013 03:55:05 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:44:22 UTC