About passwords: what browsers are doing wrong (except Safari) [Opinion]

Lockwise and password backup in Firefox

Yes. Browsers are mismanaging passwords. Since this is an opinion article, as the headline itself indicates, I will say it plainly: very badly. Terribly. And this is something I personally had not appreciated until the arrival of Firefox 79, now on Mozilla's Nightly channel. The version that will be released in August comes with a new feature: the ability to export all our credentials to a CSV file. On Linux, for the moment, it does not even ask for a password to do so.

Although I started by talking about Firefox, this also happens in Chrome, including the ability to export our passwords to a CSV file, which has long been available in Google's browser. These are two of the most used browsers in the world, and the same is true of many others that manage passwords. What is the problem, from my point of view? Actually, there are two: how easy it all is, and the absence of a warning that, if we don't add a master password, all of our passwords can be snooped on in a matter of seconds. Is there a solution? Yes, and from my point of view there is a very simple one that we have learned from Apple.

Apple taught us how browsers should manage passwords

Comparisons are odious, especially on a blog like this one, where readers expect only Linux to be discussed, but sometimes it is necessary to look a little further. With that explained, let's talk a bit about the Apple company. Apple has never invented the wheel; that's how it is. The only thing the company Tim Cook runs does is take ideas that others have had, sometimes improve them, and then sell them like nobody else. One thing they have improved is password management, and now I will explain why.

Although the computers I have used the most have always run Linux, I also have an old iMac and a Windows laptop. I had my iMac without a password for years, until Apple released iCloud Keychain and told me that if I wanted to use that feature, I had to set a password on the device. I set one. Now, if I want to see any of my passwords in Safari, I have to enter the password of my operating system user. If I don't enter it, I see NOTHING. Neither I nor anyone else can access my credentials. This is the correct behaviour, without a doubt. There is no master password in the browser, and the operating system took care of letting me know that if I wanted to keep my passwords on it, I had to set a login password.

How Firefox and Chrome mishandle passwords

I had never considered it until, as I explained above, Firefox 79 arrived with its new feature, but neither Firefox nor Chrome asks me for anything when I want to see my passwords. The browsers assume, wrongly, that whoever has opened the browser is the owner of the computer or someone with an account on it. So in Firefox we can go to about:logins, open Lockwise and see all our usernames, with the passwords hidden. But what good is hiding them if we can copy them to the clipboard? Very little. And things are no different in Chrome: we go to Preferences / Autocomplete and there they are. If we tap on the eye icon, they are displayed. What can go wrong?

This brings to mind any situation in which we leave our computer with a friend or relative. I don't know, say, so they can watch a video of kittens on YouTube while we shower before the dinner we have arranged for that day. We did not know that this friend is not a good friend, or for whatever reason wants to get our Facebook password. All they have to do is go to the passwords section, see our username, copy the password and paste it into a text document. That friend now has access to our Facebook. That easy.

This will not be the case in Firefox 79 for Windows, which will ask us for the password (of the session user) to export the passwords to the CSV file or copy them from Lockwise, but the current Firefox 77 lets us copy them without entering anything. Firefox 79 for Linux still lets anyone walk through our password file like Pedro through his own house, even if the user is not exactly the famous Pedro.
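
Whatever gate the browser puts in front of the export, the resulting CSV holds every credential in plain text on disk. The following is an added example, not code from the original article or from any browser project: it scans a directory for such exports and flags those that other local users can read. Recognising an export by `url`, `username` and `password` header columns is an assumption, and the sample file is constructed.

```python
import csv
import os
import stat
import tempfile

# Assumption: an export is recognised by its header columns, not by its name.
REQUIRED = {"url", "username", "password"}

def count_credentials(path):
    """Return the number of data rows if path is a password export, else None."""
    try:
        with open(path, newline="", encoding="utf-8-sig", errors="replace") as fh:
            reader = csv.reader(fh)
            header = {col.strip().lower() for col in next(reader, [])}
            if not REQUIRED <= header:
                return None
            return sum(1 for row in reader if row)
    except (OSError, csv.Error):
        return None

def find_exports(root):
    """Walk root and report every password export with its permissions."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rows = count_credentials(path) if name.lower().endswith(".csv") else None
            if rows is None:
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            findings.append({
                "path": path,
                "credentials": rows,  # a count only; secrets are never printed
                "mode": oct(mode),
                "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            })
    return findings

def demo():
    """Scan a temp dir holding one constructed export and one unrelated CSV."""
    with tempfile.TemporaryDirectory() as tmp:
        export = os.path.join(tmp, "logins.csv")
        with open(export, "w", newline="") as fh:
            csv.writer(fh).writerows([["url", "username", "password"],
                                      ["https://example.test", "alice", "not-a-real-secret"]])
        os.chmod(export, 0o644)
        with open(os.path.join(tmp, "budget.csv"), "w") as fh:
            fh.write("month,amount\njan,10\n")
        return [dict(f, path=os.path.basename(f["path"])) for f in find_exports(tmp)]

if __name__ == "__main__":
    print(demo())
```

Pointing `find_exports` at a home directory shows which exports are still lying around; anything it reports should be deleted once imported elsewhere, or at least restricted to mode 0600.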

Possible solutions that they should implement now

When I asked Firefox via Twitter about the Linux version, I was told that I have to set a master password to avoid that problem. The trouble with that? I already know it, but others don't. The solution is not for us to guess what might happen; the solution must be offered to us by the companies. Wherever possible, I would not allow access to Lockwise without entering the (system) user password, and I would do away with the master password. If that is not possible, and on Windows it is, browsers should notify us as Apple does, with a message such as "either you put a master password or you will not be able to use the keychains." What I do not consider an option is what exists today: if we do not think of it and someone else does, we are exposed.

So now you know. Things could improve, and at least the Windows version of Firefox will, but these days all browsers, at least on Linux, mismanage passwords. Since they do not warn of what can happen if we do not set a master password, I do so in this article, which, let us not forget, is an opinion piece.



  1.   Largemouth said

    Very true. I use Firefox and did not know that I could add a master password to my credentials. If not for this article I would not have found out. The developers do not inform us when we start using Lockwise. It is a nuisance.
    I was already starting to use Bitwarden because I thought my passwords were insecure. Do you trust Bitwarden, or do you think I should find another manager?

  2.   user12 said

    Well, if I understood the writer correctly, the browsers are to blame for the fact that users do not know their benefits (in this case, the existence of the master password -a characteristic that has been in Firefox since the Lower Palaeolithic-).

    From what the columnist says, the solution to this "failure" of the browsers would be for the password that protects the saved accounts to be not something optional for the user, but something mandatory and predetermined by the browser. Leaving aside that I prefer the freedom of each user to adjust the browser to their liking based on their preferences and circumstances, the Firefox master password has a small bug: if you are registered on certain websites, you will get, every time you visit, a prompt to enter the master password (even if you do not want to log in at that time).

    1.    pablinux said

      No. You have not understood well. I speak of options. The solution that I would give would be like in Safari. It's the safest. Otherwise, as in Windows, where you do not need a master password and you can neither export the file nor copy the passwords (Firefox).

      At the very least, on Linux they should warn of this. It would be a poka-yoke (search the wiki) and I do believe that the fault lies with the developer. On Windows, Firefox won't leave us exposed. In Linux, said by them, you will have to put a master password. And if so, they should advise. Apple does it. I'm not saying compel, but what's wrong with reporting?

      In any case, this article is also to let people know the danger of having passwords in a browser.

  3.   Dani said

    1. I had no idea that all my passwords were so easy to access.
    2. Defining the master password has been extremely simple and efficient.

    Looking at 1 and 2, a simple warning about unprotecting saved passwords would be enough to avoid most problems.

    When the potential damage is so great, and the solution so simple, failure to warn of the risk becomes negligence.

    1.    One more said

      I understand that since the writer bought that iMac, until he wanted to use iCloud Keychain, it was not a problem that no one asked him for credentials to use or access the saved passwords.

      He has always had the possibility of setting a password for his user on the machine.
      I assume that Apple informed you that if you did not do so, your passwords would be unprotected.
      That must be why there is no analogy with the Firefox master password that, as they have already said around here, has existed almost since the beginning of time.

      1.    pablinux said

        Hello. It has been a series of events. Many times, you don't think about things like this. I thought about it because Firefox 79 comes with that function (export to CSV). Seeing that it does not ask me for a password, I have analyzed everything else and remembered the past. The passwords should not be visible, it is my opinion and so I indicate it even in the headline.

        A greeting.

  4.   Mark said

    Well, in the case of Opera, every time I want to see my passwords, the browser asks me to enter the user password of the operating system. I have not seen what happens if my username does not have a password.

    1.    pablinux said

      Hi Marcos. So it should be. I don't use Opera, but is what you describe on Linux?

      A greeting.

      I edit the message: in Ubuntu 20.04, I have installed Opera, I have saved a password and it allows me to view them without entering any password. In what system do you say it does that?

  5.   Gabriel said

    My humble opinion in defense of the large browsers is that they do not store credentials by default; it is the user who authorizes saving them. When you enter a site X, you are asked if you want to save the passwords. Why attribute user responsibility to web developers? If you saved it of your own free will and either lend it or they own the PC, dear, fuck yourself for naughty. You were warned before.

    1.    pablinux said

      Hello Gabriel. As you understand, I do not agree. If you read this wiki link you will understand why https://es.wikipedia.org/wiki/Poka-yoke

      Have you ever seen an industrial machine in the last, I don't know, 30 years? They have safety systems that are proof against negligence or human error. In fact, if you don't "hack" them (like bridging a sensor), you can't open the shields without the machine stopping. What I am asking for here is something similar: that companies develop with these possibilities in mind and protect users.

      And as for it asking you whether to save it or not, yes, of course it asks you, but it tells you nothing about the fact that, once saved, anyone will be able to see them in 10 seconds. If you told me they put up a long warning text like the terms of use that we all accept without looking, okay, they would have warned us and we would let it pass. But that is not the case.

      A greeting.

      1.    Miguel said

        For those new to Firefox (including those who for years have used the Mozilla browser, largely unaware of its functions), if they want to improve the browser's features but do not have the knowledge or the time to make the contribution personally, there is a feature called «Submit Opinion». They can access it through:

        Menu button > Help > Submit Feedback

        A tab will open in which you are asked if you are satisfied with Firefox or not, if you answer it will not ask you to briefly write why, this helps as feedback for Mozilla to focus on improving the service of the Firefox browser, this is how it has been pressed with the issue of privacy, the incorporation of elements that before you could only have through plugins, a decent incorporation of HTML5 features ... If the editors of this and other communities of various languages in the world were organized to correct this problem en masse, Mozilla could take it seriously into consideration for the next installment of the Firefox browser.

        Formerly, I used this service a lot to see improvements incorporated into the browser without having to use a plugin, or to run HTML5 decently, but the most important thing is that previously, when sending the answer, they offered you the link so that you could follow up on your suggestions. The problem? That you could snoop on the suggestions of others worldwide and collaborate to see these features added or to correct any error. That no longer happens, nor do I see where to follow up now; however, Mozilla support continues to recommend using Firefox Opinion to provide feedback on bugs, crashes, gaps and to report improvements for the browser.

        1.    pablinux said

          Hello. I already have, but my comment is just one that you may not address. Although this blog does not have the circulation that other larger ones can have, in part I also hope that they will read it. I also mentioned it to him on Twitter. In addition, it has been here, at the suggestion of Firefox and Twitter.

          A greeting.

      2.    Miguel said

        What I do not agree with in your suggestion of "either you put a master password or you will not be able to use the keychains" is that you demand that the company force the user, no matter what, to apply the master password in order to use Lockwise. That is, this even implies modifying the way Firefox Sync works, because if you have not set a master password, Firefox Sync cannot download or update passwords. The management of passwords or their complexity is not the direct responsibility of a company, but of the end user, who is the one who demands and consumes the product. What can be done is for Mozilla to emphasize the importance, after the first execution of Firefox and subsequently in the use of Firefox Sync, of making use of the master password for security additional passwords in conditions to which the company for any carelessness of the user can no longer take over the company. Is that understood?

        1.    pablinux said

          On Windows it is implemented from Firefox 79 without having to use the master password (it asks for the user's one). Thus, I have doubts about whether they cannot do it on Linux, but neither Chrome, Firefox nor Opera asks for passwords; they have told me so, I have tried it, and they can be seen all the same.

          Forcing the password is the most drastic measure, and honestly, I would take it to protect users. But I don't work at Mozilla, or Google, or any other company that develops browsers. At the very least, they should be reporting in some way.

          But summing up, I don't think it's good that anyone who has physical access to a computer can recover all the passwords that are saved in their browser. I comment my opinion and how things are so that everyone can decide what to do, and among this is the possibility of using other password managers.

  6.   Gaston said

    Hi, thanks for the post.
    I'll tell you more: on Linux at least, suppose they let you use a machine because you need to connect to the internet. You open Chrome, log in to your Google account and inadvertently turn on account synchronization... Uff, a mistake: all your passwords are downloaded to that machine.
    Up to there, everything is more or less OK. You leave, you log out, you also remove the synchronization account, you open and close Chrome and, zas, all your passwords and bookmarks etc. are still in that session of the machine.
    OK, you go to Chrome, Advanced, reset Chrome to factory settings and, zas, all your information is still there.
    Well, you uninstall and install Chrome again... Ufff, all your passwords and other information are still there.

    The only way I had to remove my information from that Linux session was to manually go into the home directory of that Linux session and delete each of the Chrome files.
    Terrible!!!

  7.   atreyu94 said

    Very good article, but in Firefox the problem is even more serious. If you have a master password and your friend wants to watch videos of kittens, he will not be able to without the master password, as it asks for it again and again while browsing as usual. An obvious solution would be that, when the master password is not entered, a "guest" session starts, for example, where you cannot access the settings or the logins. In other words, the master password continues to be useful only for the owner of the computer where Firefox is running. This issue is really serious, not only on a personal computer; it is especially serious on institutional computers. Greetings…