I’m not a fan of password managers in browsers; it makes me feel even worse about how OS-like the browsers are getting (and how far from Firefox’s “we’re secure because we’re simple” roots they’ve strayed), but I’ll have to remember this Firemaster tool (article by Lifehacker) if I ever find a need to break into a Firefox password manager store. (via h-i-r.net)
In-browser password management is something people looking for efficiency and shortcuts want to use. In my opinion, most of those people are probably the same people who re-use passwords and use simple passwords. I would suspect most people choose simpler passwords for their in-browser management tool, making Firemaster a risk. (Of course, you’ll never learn what your passwords are if something always puts them in for you!)
Then again, one should always expect some method of cracking or brute-forcing passwords, and thus always choose reasonably complex ones.
cracking the firefox master password isn’t the only risk of using it’s built-in password management. there have been cases where specially crafted pages have spoofed other pages in such a way that firefox thinks it’s that other page and dutifully enters your credentials for that other page for you. (nevermind the fact that you can use firefox’ password management without a master password in the first place)
this is why i never use a password manager that can respond to web content. password safe or bust for me.
Absolutely! I’ve been paranoid about such browser-addins for a long time. I can only guess what web pages can do to interact with them or grab out of them.
I also cling to my PasswordSafe and use it exclusively (ok, unless you count a small notebook I keep tucked away as an analog backup, so to speak).