Free Republic

New Tool Reveals Internet Passwords
Security Week

Posted on 07/01/2010 2:02:19 PM PDT by Gomez

A Russian software company today released a password cracking tool that instantly reveals cached passwords to Web sites in Microsoft Internet Explorer, mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail and Windows Live Mail.

Moscow-based ElcomSoft, developer of the new password recovery tool, “Elcomsoft Internet Password Breaker,” says the product is designed as a tool to provide forensics, criminal investigators, security officers and government authorities with the ability to retrieve a variety of passwords stored on a PC.

With a price tag of just $49, it doesn’t seem as though investigators and government authorities are the real target market. These types of programs are by no means new, but this latest commercial software offering shows just how easy it is to gain access to such tools, even for non-technical users.

The password breaker gives users the ability to instantly retrieve the login and password information to a variety of resources such as those routinely cached by Web browsers. The tool can quickly recover cached logins and passwords to Web sites, including pre-filled forms and auto-complete information stored in the Internet Explorer cache. In addition, the tool makes it possible to instantly replace or reset IE Content Advisor passwords.

New features in Internet Explorer 7 and 8 include enhanced security for storing cached password information. The browsers encrypt the information with the URL of a Web site, making it impossible to access stored information without knowing the exact Web address of a resource. Elcomsoft Internet Password Breaker claims to work around this new security model by analyzing cached URL history and identifying Web sites last visited in order to retrieve login and password information stored for those Web sites.

The password cracking tool reveals passwords protecting access to email accounts, identities and Microsoft Outlook PST files. Supporting all versions of Microsoft Outlook, Outlook Express, Windows Mail and Windows Live Mail, Elcomsoft Internet Password Breaker can retrieve the original plain-text passwords protecting access to mail accounts, POP3, IMAP, SMTP and NNTP news passwords. In addition, Elcomsoft Internet Password Breaker reveals Microsoft Passport passwords stored by Windows Live Mail, user identity passwords, and passwords protecting PST files created by Microsoft Outlook up to version 2010.

Elcomsoft Internet Password Breaker automatically identifies all supported products and user identities, locates all available accounts and PST files, and reveals stored password information.

With tools like these available to the masses, individuals and enterprises need to further consider full disk encryption solutions and additional security measures.


TOPICS: Computers/Internet
KEYWORDS: computersecurity; computertheft; elcomsoft; internet; microsofttax; password; passwords; russia; russians
To: zeugma

That was only the second link that comes up on a google for “firefox master password”, I’m sure there are more “elegant” ones out there too.

It’s not FUD, it’s just pointing out a little reality.


61 posted on 07/02/2010 8:36:09 AM PDT by discostu (like a dog being shown a card trick)

To: RikaStrom
> I tried this at home last night. Very not cool. "Massive security hole" just doesn't seem adequate. Thanks for posting this.

Don't buy the FUD. Use the tools Firefox provides to protect your information. If you leave all your stuff in clear text without password protection, of course someone can see your stuff when they are on your computer. Personally, I think having a master password should be the default behavior, but the option is still there even if they don't force you to use it.

Use a good master password, and you'll be safe from all but the most determined adversaries.

62 posted on 07/02/2010 8:42:10 AM PDT by zeugma (Ad Majorem Dei Gloriam)

To: ScoopAmma
> And everyone told me I was paranoid! I have never used the internet for any on-line transactions. But then again, I have never used an ATM!

And yet your bank still stores all your info on internet-connected computers.

63 posted on 07/02/2010 8:45:31 AM PDT by Sloth (Civil disobedience? I'm afraid only the uncivil kind is going to cut it this time.)

To: discostu
Back in yee olde dark ages (which for me was the seventies, when I first started messing with connected computers) the big trick was to keep from accidentally crashing the system. Security was locking the office where the computer was located. The corporation I worked for had dedicated phone lines between the computers, so the nationwide network was as secure as the door locks in the offices.

If someone gets physical access to your computer, I still think you're pretty much hosed. This has become more of an issue as computing has gone from desktop to mobile computing, as people are more likely to accidentally leave a laptop or a smart phone somewhere.

On the Firefox password, permissions, etc., the remote risk to me seems to be that options like remote desktop expose your hard drive. I also am not sure how secure the Firefox profile areas are. They're obviously exposed to the browser, which interfaces with the web. Firefox provides this information to different web sites. With physical access, it's pretty easy to get these passwords without doing anything sophisticated. Just crank up the browser and use either the bookmarks or the browsing history to surf to the site, and bammo, Firefox provides the login and password. Google Chrome is also very loose in remembering and supplying passwords. Don't know about IE, cause I never use it. While these functions can be changed in preferences, most people want it convenient.

I've lost track of the number of laptops lost by company and government employees. These laptops will have unencrypted databases with tons of personal information on them. Even if you keep your information secure, Mr. Social Security, your insurance agent, your retirement account administrator, or the state agency that maintains driver's license information has all this information aggregated. It's not just hacking your computer that's a risk. Also, many of the cc company identity thefts are inside jobs, and a lot of IT work is outsourced. I strongly suspect a lot of back doors have been built into secure programming code.

64 posted on 07/02/2010 9:09:20 AM PDT by Richard Kimball (We're all criminals. They just haven't figured out what some of us have done yet.)

To: Richard Kimball

Keep in mind in the Windows world c$ is automatically shared, anybody that can get to your network can get to your drive without having to access your computer, from there it’s just a matter of navigation and copying. With that it all winds up depending on how secure the network is, and a lot of people home network these days, with surprisingly little security.

In the end computer security is like physical security, mostly you’re just trying to erect enough barriers that they decide somebody else is easier. Criminals are after all lazy people.

And yeah, then there’s all the other ways you’re at risk that you have no control over. It’s a wild and woolly world. Probably the best security is to stay so broke nobody actually benefits from stealing your stuff ;)


65 posted on 07/02/2010 9:21:53 AM PDT by discostu (like a dog being shown a card trick)

To: discostu
> The difference here being hack one password (if the person even used the master password) get the rest.

That's why I always recommend a really strong password for your master password. It's the same concept used in PGP/GPG, and keepass/passwordsafe for that matter. Since you're using one secret to protect many secrets, you should make that one secret appropriately strong.

> And I’m betting you don’t even need the whole folder, I grabbed it because I wanted my bookmarks, extensions, and settings, I got my passwords for free. Now the real question comes in is if you grab just the files with the login/password info (no idea which those are) and drop them in a new profile will they still be “protected” by the master password.

You don't need the whole directory. There are 3 files associated with your password, the cert8.db, key3.db, and secmod.db files. I'm pretty sure that if you move them from one computer to another, you'll have your passwords. Of course that doesn't help you if you want bookmarks and other preferences. I actually consider the fact that all you need is the directory to transfer your FF environment to another to be a feature - one I've used before and will probably use again when migrating computers.

One thing I don't particularly like about FF is that since (I think) the 2.0 series, bookmarks are stored in a SQLite database. I always liked the fact that bookmarks.html was all you needed to move bookmarks from one computer to another. My bookmark file is over 10 years old (probably closer to 15). It has moved from one computer to another over the years. Fortunately FF still provides a way to export your bookmarks to a single file. I do this occasionally, because I use my bookmark file as my 'homepage' to speed up startup times.

> People don’t think through the consequences of what they do on the internet these days, there was just a thread earlier this week about divorce lawyers trolling Facebook because people post statuses they don’t think through. Well here’s something else to think through, if your credit card info is in your Firefox at work you better hope your IT department are on the level.

Absolutely agree with that. I've been beating the crypto drum since PGP was nothing but a command-line DOS program. People don't understand how computers work, much less how to make them work well and securely. (which is why I said that I think master password use should be the default in a previous post). If educated, people can be somewhat safer, but for a lot of people, finding things on their computer is incredibly confusing and difficult. They don't realise how easy it is for some of us. That's why I recommend programs like password safe and keepass. When I do, I always stress to make the passphrase meaningfully difficult to crack. You'd be amazed at how long a passphrase you can type in 2-3 seconds after you enter it enough times. :-)



66 posted on 07/02/2010 9:24:07 AM PDT by zeugma (Ad Majorem Dei Gloriam)
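
Added example, not part of any poster's message: a read-only audit that takes up the question raised earlier in the thread of how well protected the Firefox profile area is, at the file-permission level on a POSIX system, using the three file names given in post 66. The extra store names (signons.sqlite, logins.json, key4.db) and the sample profile are additions made here, and the check says nothing about whether a master password is set.

```python
import os
import stat
import tempfile

# The three names from post 66, plus other login/key stores Firefox has used
# (signons.sqlite, logins.json, key4.db are added here, not from the thread).
CREDENTIAL_FILES = ("cert8.db", "key3.db", "secmod.db",
                    "signons.sqlite", "logins.json", "key4.db")
OTHERS = stat.S_IRWXG | stat.S_IRWXO   # any group or other permission bit


def audit_profile(profile_dir):
    """Return (name, octal mode, problem-or-None) for each credential file found."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(profile_dir).st_mode)
    if dir_mode & OTHERS:
        findings.append((".", oct(dir_mode), "profile directory open to other users"))
    for name in CREDENTIAL_FILES:
        path = os.path.join(profile_dir, name)
        try:
            st = os.lstat(path)            # lstat: do not follow symlinks
        except FileNotFoundError:
            continue
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            problem = "symlink, target not checked"
        elif mode & OTHERS:
            problem = "readable or writable beyond the owner"
        else:
            problem = None
        findings.append((name, oct(mode), problem))
    return findings


def build_sample_profile():
    """Constructed sample profile: key3.db is 0644, the other files are 0600."""
    root = tempfile.mkdtemp(prefix="ffprofile-")
    os.chmod(root, 0o700)
    for name, mode in (("cert8.db", 0o600), ("key3.db", 0o644), ("secmod.db", 0o600)):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for name, mode, problem in audit_profile(build_sample_profile()):
        print(f"{name:12} {mode:>6}  {problem or 'ok'}")
```
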

To: zeugma

Like I said to somebody else features that make life easier for the legit users make life easier for the bad guys. For my personal use I thought it was pretty handy that I got everything across because I was kind of dreading having to get all my passwords in again (first you’ve got to remember them all, or look them up, then there’s all that logging in). But the implications of that feature, especially on a machine you don’t have sole access to in a c$ world are pretty far reaching. It’s a good reason to use that master password and make it tough, but even then everything is breakable so it’s a good thing for people to think through.

I never want to be the boy who cried wolf, but I also believe forewarned is forearmed.


67 posted on 07/02/2010 9:31:27 AM PDT by discostu (like a dog being shown a card trick)

To: Gomez

bump


68 posted on 07/02/2010 9:34:43 AM PDT by VOA

To: Gomez

YEA! For Firefox!


69 posted on 07/02/2010 9:35:25 AM PDT by Danae (If Liberals were only moderately insane, they would be tolerable. Alas, such is not the case.)

To: discostu

There are ways around that, if you know to do it.


70 posted on 07/02/2010 9:40:44 AM PDT by Danae (If Liberals were only moderately insane, they would be tolerable. Alas, such is not the case.)

To: discostu
> I never want to be the boy who cried wolf, but I also believe forewarned is forearmed.

Agreed. Security is tougher than most people think. Fortunately, I don't have to keep anything important on ms-windows boxes.

71 posted on 07/02/2010 10:12:48 AM PDT by zeugma (Ad Majorem Dei Gloriam)

To: Gomez
Here's a handy little tool.

http://www.gtopala.com/siw-download.html

72 posted on 07/02/2010 10:39:36 AM PDT by gilor (Pull the wool over your own eyes!)

To: zeugma
> Even funnier, was the 'trick' of just hitting esc. at the password prompt, and bypassing the login altogether.

Yep.

Toy operating systems. Sheesh... :)

73 posted on 07/03/2010 8:08:31 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

