The security balance is always user convenience vs. absolute security. You want security? Disconnect your computer from the internet. Don't save your passwords. Use multi-factor authentication. But that's not reasonable.
- Browsers let you save the contents of Forms that you fill out, including passwords.
- Some browsers sync those settings/histories/passwords to other computers with that browser running, if you are signed into a service with a master password.
- Those passwords need to be stored somewhere locally, and they need to be retrieved by the browser (who is not running as administrator) so that the browser can fill our your form for you.
- Someone writes code to retrieve those passwords.
- If you, running as you, the user, can access those passwords, than other code running as you, the user, can also access them.
If you don't like this, don't save your passwords.
I think the concern (I know I was concerned) about the recent hubbub about browser security is the feeling of casual disclosure. It is uncomfortable when it seems easy to get your passwords. But they are still there.
Remember the 10 Immutable Laws of Security, specifically #3.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Every password vault has this behavior. If your passwords are stored locally, they may be encrypted but they are stored with reversal encryption.
Is this a security problem/bug/flaw? No. You saved your passwords as the user and they can be retrieved by code running as the user.
Here's some just a few lines of code to retrieve and dump your Windows Password Vault on Windows 8.
using System;
namespace DumpCredentials {
class Program {
static void DumpCredentials(Windows.Security.Credentials.PasswordCredential cred) {
Console.WriteLine("Resource: {0}", cred.Resource);
Console.WriteLine("UserName: {0}", cred.UserName);
Console.WriteLine("Password: {0}", cred.Password);
}
static void Main(string[] args) {
Windows.Security.Credentials.PasswordVault vault = new Windows.Security.Credentials.PasswordVault();
Console.WriteLine("{0}", vault.GetType());
foreach (var cred in vault.RetrieveAll()) {
cred.RetrievePassword();
DumpCredentials(cred);
}
}
}
}
Feel free to change your browser settings if you like to not save your passwords, or consider other password vaults like LastPass, KeyPass, or 1Password.
Chrome
...and also...
Internet Explorer
FireFox
The code to dump Windows 8 Paswords is here. It will compile with VS2012 on Win 8. If you just want the EXE to run, download it here.
© 2013 Scott Hanselman. All rights reserved.
