[Mailman-Users] Firefox password issue (was Re: Hijacking threads and netiquette)

David Dyer-Bennet dd-b at dd-b.net
Tue Sep 5 20:42:29 CEST 2006


On 9/5/06, Dragon <dragon at crimson-dragon.com> wrote:
> David Dyer-Bennet sent the message below at 09:55 9/5/2006:
>
> >Why doesn't Firefox (or other browsers, I think I've seen the same
> >behavior in Opera) offer me the chance to remember the Administrative
> >password for my site?
> ---------------- End original message. ---------------------
>
> It is very simple. It is because these browsers that do this sort of
> thing are looking for an HTML input field named "password" (and maybe
> a few other similar names). If they do not find one with the name
> they expect, they do not save the password.
>
> The field on the login page is named "adminpw" and is thus not
> recognized. What these browsers SHOULD be looking for is the TYPE of
> the input and not the name. But then again, I think this feature of
> some browsers is a security breach waiting to happen.

Mostly the browsers are looking for username / password pairs, and
need to capture both; and there's no unique input field type for the
username part; so I see how they've ended up where they are, though it
does seem to make sense for them to capture bare passwords as well
based on input field type.

> If you look at the source for the login page you will see something like this:
>
> <INPUT TYPE="password" NAME="adminpw" SIZE="30">
>
> You could modify your copy of mailman to change the name of that
> field if you wanted, I am not sure exactly how much of a change it
> would be and exactly which files are involved but I can't imagine it
> would take more than a handful of lines.

Unfortunately I don't control the copy I have to interact with.

> However, I personally see
> nothing wrong with the way it is done now, in fact, I think it is a
> good practice. The reason I say this is that I believe saving
> passwords on your computer is generally a bad idea as it is a risky
> practice. All computers connected to the Internet and not physically
> secured from unauthorized access are vulnerable to attack.

And the passwords saved in my browser are encrypted under a master
passphrase.  The other reasonable choice I have for saving passwords
is Passwordsafe, where -- they're encrypted under a master passphrase.

I currently have 266 passwords (nearly all 8-12 character random
strings) in my Passwordsafe database.  I have about 10 passwords I
carry in my memory, including the passphrases mentioned above plus a
couple of key work- and server-related passwords.  For me, keeping
them all in my memory is not an option.  (And the number is much
smaller than it might be; for example at a number of retailers where I
have the option I don't establish an account or store any data there,
and hence don't have a password to remember.)

Certainly there's some risk to ever writing them down or putting them
on a computer; but I believe storing them the way they do is a
reasonable balance between risk from the password being compromised,
and risk from forgetting it when I need it.  Security is all about
tradeoffs; my computer would be more secure powered down, disconnected
from the net, and locked in a vault, but it would also be far less
useful.

And of course giving the adminpw form field the name "password" would
not force anybody to keep the passwords in their browser; that
functionality can be disabled, and if enabled it still asks before
remembering a password, so it's hard to do accidentally.
-- 
David Dyer-Bennet, <mailto:dd-b at dd-b.net>, <http://www.dd-b.net/dd-b/>
RKBA: <http://www.dd-b.net/carry/>
Pics: <http://www.dd-b.net/dd-b/SnapshotAlbum/>
Dragaera/Steven Brust: <http://dragaera.info/>
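To make the distinction in the thread concrete (name-based versus type-based detection, and a bare password field versus a username/password pair), here is an added Python example that is not part of the original mail or of Mailman; only the `<INPUT TYPE="password" NAME="adminpw" SIZE="30">` line comes from the page, the surrounding form markup, the second form and the list of name hints are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed stand-in for the Mailman admin login page: the adminpw
# field is the one quoted in the thread, the rest of the form is assumed.
MAILMAN_LOGIN = (
    '<form method="POST">'
    '<INPUT TYPE="password" NAME="adminpw" SIZE="30">'
    '<input type="submit" value="Let me in...">'
    '</form>'
)

# Constructed ordinary login form with a username/password pair.
PAIRED_LOGIN = (
    '<form><input type="text" name="user">'
    '<input type="password" name="password"></form>'
)

# Assumed list of field names a name-based heuristic might look for.
NAME_HINTS = ("password", "passwd", "pass", "pwd")


class InputCollector(HTMLParser):
    """Collects the attributes of every <input> in a document."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        if tag == "input":
            self.inputs.append({k: (v or "") for k, v in attrs})


def collect_inputs(html):
    parser = InputCollector()
    parser.feed(html)
    return parser.inputs


def by_name(html):
    """Name-based detection: returns password fields found by NAME only."""
    return [i.get("name", "") for i in collect_inputs(html)
            if i.get("name", "").lower() in NAME_HINTS]


def by_type(html):
    """Type-based detection: returns every input whose TYPE is password."""
    return [i.get("name", "") for i in collect_inputs(html)
            if i.get("type", "text").lower() == "password"]


def classify(html):
    """'pair' if a text field accompanies the password, 'bare-password'
    if only a password field exists, 'none' if there is no password field."""
    inputs = collect_inputs(html)
    if not any(i.get("type", "text").lower() == "password" for i in inputs):
        return "none"
    has_text = any(i.get("type", "text").lower() in ("text", "email")
                   for i in inputs)
    return "pair" if has_text else "bare-password"
```

Running `classify(MAILMAN_LOGIN)` gives `bare-password` while `by_type` still finds `adminpw`, which is exactly the case the thread describes: the field is a password by type, but there is no username field to pair it with.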
