- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 22 Aug 2013 20:02:38 +0000 (UTC)
- To: Tim Berners-Lee <timbl@w3.org>
- cc: www-archive@w3.org
Ping?

On Fri, 16 Aug 2013, Ian Hickson wrote:
>
> On Thu, 15 Aug 2013, Tim Berners-Lee wrote:
> >
> > Only Chrome, AFAIK. FF, Safari both ask for a password.
>
> Firefox doesn't ask for a password for >90% of users.
> Chrome, IE, and Safari all use the OS system password service.
>
> I don't understand what you think is the difference between the browsers
> here.
>
> > The attack is by colleagues, members of family, etc, not by hardened black hats.
>
> In all cases, if you have access to the machine, all it takes is trivial
> software that's widely available to snoop on anyone else using the
> machine. Or, even without such software, you can just go to the relevant
> site, have the browser automatically log you in, and you don't even need
> the password (and you can grab the password using a trivial bookmarklet or
> using the browser's built-in tools).
>
> Fundamentally, if you have physical access to the machine, asking for an
> additional password doesn't do anything to stop you. In all cases, the
> passwords are available unprotected if you are logged in. (Indeed, with
> Firefox, which doesn't use the system password service as I understand it,
> the passwords aren't even encrypted.) If you don't trust your colleagues
> or family members to not snoop on you, you _really_ shouldn't be giving
> them access to your computer.
>
> It doesn't take a "hardened black hat". The software you need to do this
> kind of thing is widely available online, and one's sister would have no
> trouble finding it.
>
> Pretending that you have protected the system by asking for an unnecessary
> password doesn't improve security, it's just security theatre. Indeed, it
> is probably counter-productive: it makes the user think it's safer to hand
> the machine to someone else than it actually is.
>

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 22 August 2013 20:03:01 UTC