Browsers fail password tests…

December 24, 2008

A security research firm* posted the results of their recent browser password tests about a week ago. I have to admit that I am susceptible to the risks they’ve uncovered… and I am genuinely concerned! I use Firefox on both my Mac and my PC, and Firefox fared better than most other browsers. Here is a summary of the risk: most users increasingly surf the web and regularly visit sites that require passwords. Every time I type a password into a web page, Firefox pops up and asks me if I want Firefox to remember the password for next time, and for about 90% of the sites I click “yes.” The recent security research found that most browsers failed security tests related to protecting those stored passwords.

Fortunately, for years we’ve been preaching a security practice that greatly reduces the risk. We recommend users reuse the same password only across systems with similar security requirements. For example, my work password is unique and is not used by me for any other purpose. I never tell Firefox to remember my work password. Similarly, my online banking accounts (4 financial institutions) all share the same password, and again, I never tell Firefox to remember this password. (Ideally each online banking account would have a unique password, but in practice this is too difficult to manage.) My third password is used at “trusted sites” such as Amazon, Alaska Airlines, Costco and other large organizations that I believe have dedicated security teams. My fourth and final password is a sacrificial lamb. I use it at every site I do not trust. This includes my local newspaper, Yahoo, forums, Domino’s Pizza, etc…

At the end of the day I need to remember four passwords. Any other passwords that I need/use I keep stored in a password-protected file on my computer.

I urge organizations to require by policy that employees use a unique password at work and never let the browser save (click “remember”) that password. I further encourage organizations to be “reasonable” about their password expectations. A “reasonable” example is letting employees use the same strong password on multiple work systems. I further recommend passwords be changed every 30 to 60 days.

We certainly hope this post helps!

– TrustCC

* Chaplin Information Services
