
Showing stored passwords Re: Tweet about Passwords

From: Tim Berners-Lee <timbl@w3.org>
Date: Thu, 22 Aug 2013 21:29:06 -0400
Cc: www-archive <www-archive@w3.org>, TAG List <www-tag@w3.org>, Daniel Weitzner <djweitzner@csail.mit.edu>
Message-Id: <ADC711D2-320B-4604-9345-D503E0079D4E@w3.org>
To: Ian Hickson <ian@hixie.ch>

On 2013-08-15, at 23:54, Ian Hickson wrote:

> On Thu, 15 Aug 2013, Tim Berners-Lee wrote:
>> 
>> Only Chrome, AFAIK.  FF, Safari both ask for a password.
> 
> Firefox doesn't ask for a password for >90% of users.

Fair point.

> Chrome, IE, and Safari all use the OS system password service.
> 
> I don't understand what you think is the difference between the browsers 
> here.

Only Chrome allows a passer-by to see the passwords in the clear
without any challenge. 

> 
>> The attack is by colleagues, members of family, etc., not by hardened black hats.
> 
> In all cases, if you have access to the machine, all it takes is trivial 
> software that's widely available to snoop on anyone else using the 
> machine.

(see below)

> Or, even without such software, you can just go to the relevant 
> site, have the browser automatically log you in,

Well, in a lot of places with, say, teenager culture or
work groups, if you leave your computer open you know
people will read your Facebook and may even send messages as you, largely for fun.

It is a different damage level of security failure for someone to get hold of
the password and be able to log in and stalk them at any time in the future.  

> and you don't even need 
> the password (and you can grab the password using a trivial bookmarklet or 
> using the browser's built-in tools).

There are two levels of social impediment here.
One, a huge proportion of computer users won't know or care about even a trivial
bookmarklet or piece of software out there on the net, and wouldn't think of using it.
It may be simple, but it is not "trivial" in the sense of "effectively zero" to load a bookmarklet.

The second level is social.  If a person has borrowed a colleague's computer
and looked at passwords using the feature for that purpose, they may
feel that they were not doing anything very seriously wrong,
as the user didn't really have any expectation of privacy in that case,
as the password was not hidden.

If a person uses any tool at all, including debugger tools, to access passwords
on a borrowed computer, there may be a social sense that they would
be subject to more serious criticism if they were discovered.

There is sense in locking a door, even if the lock is simple to pick.
It is a message that entering is "breaking and entering", as opposed
to coming across something by chance.  In the example of the physical
door, the legal penalty in some places is much higher if the
door was locked than if it wasn't.  And insurance companies may not
cover a theft from an unlocked building.  So the lock there serves
a social purpose.  So does the password test before showing a stored password.

As Danny Weitzner sometimes points out, most crime is not avoided because it is made
impossible.  Cars are not built (yet) to make it impossible to exceed the speed limit,
but there are (a) clear signs as to what it is and (b) social and legal penalties if
you are caught.


> Fundamentally, if you have physical access to the machine, asking for an 
> additional password doesn't do anything to stop you.

That's not quite accurate.
It clearly does do *something* to stop you.
We are talking a question of degree.
It asks for an additional password.
That is an impediment.



> In all cases, the 
> passwords are available unprotected if you are logged in. (Indeed, with 
> Firefox, which doesn't use the system password service as I understand it, 
> the passwords aren't even encrypted.)

I haven't tried to use Firefox without a master password.
I haven't tested whether they are stored encrypted on the disk.
I know that using the basic UI in my case Firefox prompts me
for a master password at the start of a session for using them,
and once every time before revealing them.  Which is what I want.


> If you don't trust your colleagues
> or family members to not snoop on you, you _really_ shouldn't be giving 
> them access to your computer.

That sort of statement is emotional and not practical.
What do you mean by "trust", what do you mean by "access", who do you mean by
"colleagues"?  These things are matters of degree.
It is an integral of risk level and damage level over all combinations of people and situations.


> It doesn't take a "hardened black hat". The software you need to do this 
> kind of thing is widely available online, and one's sister would have no 
> trouble finding it.

The fact that it is available to anyone online is true.
An arbitrary user taken off the street would probably not dream of downloading and using it.

Of course, if you say Google has done the studies and got the data,
and most users stopped in the street and asked about this would say
"Sure, I'd just grab a keystroke recorder or grab a bookmarklet to look at the DOM -- I know how to find it in seconds", sure, but I'd like to see the study.
But maybe it turns out that the majority of users haven't the faintest idea what a bookmarklet is
and tilt their head on one side when you start talking about settings menus.


> Pretending that you have protected the system by asking for an unnecessary 
> password doesn't improve security, it's just security theatre. Indeed, it 
> is probably counter-productive: it makes the user think it's safer to hand 
> the machine to someone else than it actually is.

And the users who have never yet gone to the Chrome password settings, they 
have used Safari for most of their lives to date?  You have made their machine without letting them know.

Tim

Received on Friday, 23 August 2013 01:50:08 UTC