Author Topic: Safe for Firefox extensions?  (Read 13432 times)

Offline BHiko

  • Jr. Member
  • **
  • Posts: 11
Safe for Firefox extensions?
« on: January 28, 2006, 11:15:40 AM »
How safe is the Passwordmaker for Firefox from attacks by other extensions?

An extension would have no difficulty in reading the contents of the passwordmaker.rdf file, it then only needs the master password.

Can an extension access Passwordmaker memory to obtain the master password?

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Safe for Firefox extensions?
« Reply #1 on: January 28, 2006, 03:25:31 PM »
Excellent question, and one that I hadn't specifically thought of.

There is a Feature Request for this here, so please feel free to vote for it. Actually you have 5 votes, so please by all means peruse the many Feature Requests and vote for the ones that you'd most like to see added.

Shall I add one of your votes for this Feature?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Safe for Firefox extensions?
« Reply #2 on: January 28, 2006, 05:00:35 PM »
Hi BHiko,

We should probably move this post to the Help and Support forum (it's not exactly a Tip/Trick).

Quote
How safe is the Passwordmaker for Firefox from attacks by other extensions?
No extension is safe from another extension. They all run in "privileged" mode.

Quote
Can an extension access Passwordmaker memory to obtain the master password?
The master password is stored encrypted in memory, so this is unlikely but not impossible.

You should always be careful of the extensions you install. It is no different than installing an executable on your machine. The source must be trusted. Never install an extension from anywhere other than http://addons.mozilla.org. Mozilla screens extensions to make sure they aren't malicious.

-Eric

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Safe for Firefox extensions?
« Reply #3 on: January 28, 2006, 05:13:47 PM »
p.s. this is one reason why I always say the best security (but most inconvenient) is Store Master Password - Not At All. The master password cannot be stolen in this case because it is never stored. After the user types it, the mpw is set in local variables only, and those variables are deleted and nulled before the functions which define them return.
« Last Edit: January 28, 2006, 05:14:22 PM by Eric H. Jung »

Offline BHiko

  • Jr. Member
  • **
  • Posts: 11
Safe for Firefox extensions?
« Reply #4 on: January 28, 2006, 06:12:38 PM »
A secure scheme might be to:
  • use Store Master Password - Not At All
  • use the built in Firefox autocomplete and/or cookies for non-critical sites
  • use PasswordMaker each time for sites with a financial risk (where a login can yield a payment), do not have Firefox remember the password in this case.
This way,
  • you don't have to fill in the Master Password too often: only for generation and for financial sites
  • you keep it as secure as possible
« Last Edit: January 28, 2006, 06:13:04 PM by BHiko »

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Safe for Firefox extensions?
« Reply #5 on: January 29, 2006, 12:36:01 AM »
I like the 'Store in Memory' option - it is the best of both worlds imnsho...

As Eric said, it is stored encrypted in memory, so it is secure... and this way you only have to enter it occasionally.

I still like the idea of encrypting the rdf file though...
« Last Edit: January 29, 2006, 12:36:37 AM by tanstaafl »

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Safe for Firefox extensions?
« Reply #6 on: January 29, 2006, 10:13:11 PM »
Quote
I like the 'Store in Memory' option - it is the best of both worlds imnsho...As Eric said, it is stored encrypted in memory, so it is secure
Yes, it is stored encrypted in memory, but a diligent hacker can reverse-engineer the PasswordMaker source to find how to decrypt it: remember, PasswordMaker itself needs the ability to decrypt it on-the-fly so the decryption logic does exist in the source. Once again, I emphasize the use of Store Master Password - Not At All for total security.
« Last Edit: January 29, 2006, 10:14:14 PM by Eric H. Jung »

Guest

  • Guest
Safe for Firefox extensions?
« Reply #7 on: May 04, 2006, 05:50:33 AM »
Hi,
Being skeptical of a 3rd party downloads all the time, is there a way to verify that this extension does not in anyway transmit the master password to anywhere else whenever we are online.  It is by no means to disgrace Eric but I just want to be sure..

Offline morguns

  • Full Member
  • ***
  • Posts: 145
Safe for Firefox extensions?
« Reply #8 on: May 05, 2006, 02:34:22 AM »
Quote
Being skeptical of a 3rd party downloads all the time, is there a way to verify that this extension does not in anyway transmit the master password to anywhere else whenever we are online.  It is by no means to disgrace Eric but I just want to be sure..
absolutely! the code is completely open source :)

Offline yyhhcc

  • Normal Members
  • *
  • Posts: 7
Safe for Firefox extensions?
« Reply #9 on: May 05, 2006, 06:19:14 AM »
Ok..Thanks.. Just realised the benefits of being 'open source' after some ''googling''..  I'm using it now with my IE..
~ Visit My e-Investment BLOG ~

Offline yyhhcc

  • Normal Members
  • *
  • Posts: 7
Safe for Firefox extensions?
« Reply #10 on: August 14, 2006, 11:49:39 AM »
After weeks of smooth usage, I am hit with this error now after running a batch of Windows Updates..

Line 200
Char 3
Error : Permission Denied
Code 0

Is there anything that I can do to recover the tool?
~ Visit My e-Investment BLOG ~

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Safe for Firefox extensions?
« Reply #11 on: August 15, 2006, 02:45:55 AM »
Which edition are you using? IE? Firefox? Something else?

Offline yyhhcc

  • Normal Members
  • *
  • Posts: 7
Safe for Firefox extensions?
« Reply #12 on: September 19, 2006, 05:50:22 AM »
Hi Eric, is IE.

I could open the 'Open Passwordmaker' option but not the 'Populate with Passwordmaker' option.  The late gives the error described above.
~ Visit My e-Investment BLOG ~

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Safe for Firefox extensions?
« Reply #13 on: September 19, 2006, 12:11:39 PM »
Please switch to the Firefox edition? You haven't posted in a month so it sounds like you don't really use PasswordMaker frequently.

Offline yyhhcc

  • Normal Members
  • *
  • Posts: 7
Safe for Firefox extensions?
« Reply #14 on: September 22, 2006, 05:30:09 AM »
Hi Eric,
No, not really.  I am using your IE version of the passwordmaker everyday as I have plenty of online programmes/forums to visit daily.  Reason why I responded late is mainly becoz I make use of the 'Open PasswordMaker' option since then albeit a little inconvenient (have to manually cut and paste the password back into the website that I intend to login).

I've been using IE since years back and hopefully you would be kind enough to provide a patch for the IE version of your wonderful tool.  I seriously hope that I don't have to switch to firefox..

Thanks.
~ Visit My e-Investment BLOG ~

PasswordMaker Forums

Safe for Firefox extensions?
« Reply #14 on: September 22, 2006, 05:30:09 AM »