Browsers fail password protection tests

A beta version of Google Chrome has tied with Safari for last place in tests of how the browsers dealt with password security. The tests - put together by security consultancy Chapin Information Services - ran the most popular browsers against a set of 21 checks. None performed particularly well. Opera 9.62 passed only seven …


  1. Anonymous Coward

    Like to see...

    The tests repeated for Firefox using noscript activated.

  2. Ash

    Never store passwords in the browser

    Your favourite motorcycle owners forum or online bank account, they all contain personal information.

    If you need to remember a lot of passwords, grab KeePass (Free as in Beer and Speech) and store them all in that. Hell, it'll generate secure passwords for you and let you copy and paste them without ever having to see what they are.

    It will run from a memory stick, so no installation required on work / home PCs, and is completely portable.


  3. Anonymous Coward

    I'm going to make a browser that passes all categories.

    And I shall call it: "Nagfox".

  4. Mo

    Is that Safari on the Mac, or on Windows?

    ’cos on the Mac, passwords are stored on the Keychain, and if you don't unlock your Keychain in the first place, Safari can't decrypt squat.

    The default configuration is for your Keychain to be unlocked when you log in, but you can change that easily enough, and set it to auto-lock under various circumstances, which means you'll be prompted for your Keychain password whenever Safari wants to auto-fill a login form. Hit Cancel and it won't auto-fill a thing.

    If memory serves, other auto-fill data is stored in the same way.

  5. David Gosnell

    Common ancestry

    Given Safari and Google Chrome's common ancestry, it would have been interesting to see how true geeks' beloved Konqueror fared.

  6. Anton Channing

    "it is tempting to think that users would be well advised never to save passwords for sensitive websites."

    People do that?

  7. TeeCee

    Is it me?

    "... form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity,"

    For some reason I can only read that as if it were spoken by Gus Hedges from "Drop the Dead Donkey".

  8. Ken Hagan

    Embarrassingly bad

    "Chapin's tests set a high standard ..."

    Not on the evidence of this article they don't. How can completing a form when auto-complete is set to "off" be anything other than "go to fail, go directly to fail"? (Apologies to all, myself included, who regard "fail" as the clear sign of an illiterate fool. It just happened to fit on this occasion.)

    "...but looking at the results it is tempting to think that users would be well advised never to save passwords for sensitive websites."

    You mean there are people who do? Crikey! That's even *more* embarrassing.

  9. Anonymous Coward

    @Mo: Who knows what they tested it on or how? I'm a professional tester and looking at their list of tests tells me that they didn't lock the keychain before performing these tests. It's possible that they don't know how!

    It would be very interesting to know which platform(s) these tests were run on (Mac/PC/Linux/all). I believe that they were all run on PC, otherwise the results may have been different (as Mo said, they could lock the keychain).

    Suffice to say, there's nothing preventing anyone from coming up with "tests" that prove exactly what they want to prove. If they don't (or won't) tell you how the test was run then the results are meaningless.

    My guess is that either this company will soon be selling some kind of "solution" to the problems they've just highlighted OR they only did it for the publicity (Looking at their webpage tells me that they're probably a one or two-man company who need all the publicity they can get).

  10. Nic Brough

    Pleasantly surprised - IE7 scored 5, which is 2 less than Opera and Firefox, 3 more than Safari and Chrome and 8 or 9 more than I was expecting...

    I'd be very interested in the results if some of the browsers had some of the regularly used options enabled - "privacy" modes and Firefox+NoScript for example.

  11. Sceptical Bastard

    Asking for it / @TeeCee

    Quote: "Chapin's tests set a high standard but looking at the results it is tempting to think that users would be well advised never to save passwords for sensitive websites."

    'Tempting'? 'Advised'? 'Sensitive websites'?

    Jeeze! Anyone who stores *any* password in a browser's password manager needs their head examining! In fact, cautious users never store passwords in cleartext anywhere on a computer.

    Paris, cos she's stupid too (allegedly)

    @TeeCee. Well remembered! You're right, it's pure Gus-speak :)

  12. Anonymous Coward

    Saw that one coming ...

    Which is why, over all these years, I've never once saved a password for use in a browser.

    Maybe, one day, there'll be a browser password-saving system that meets *my* stringent requirements.

  13. Dan

    @Embarrassingly bad

    "How can completing a form when auto-complete is set to "off" be anything other than "go to fail, go directly to fail"?"

    Because there's a difference between not saving it when autocomplete is off and not completing it when autocomplete is off.

    As an example, Firefox doesn't save the password if autocomplete is off, so it'll never get filled in later. But if I go to the effort of modifying the DOM so that it will get saved (e.g. using the Enable Password Manager bookmarklet) then it's obvious that I do want it autocompleted later. Even then, Firefox doesn't autocomplete it automatically, I have to go to the field, hit the down cursor to select the user, and then hit return.

    And I'm quite happy with that because I want to decide which passwords I save instead of some arbitrary decision by the website owner. And, in the event of having a keylogger installed, it's probably more secure.

  14. Anonymous Coward

    Lock the keychain?

    Shoot, no normal user will do that. It's like... like... like not working as root! Not done. Too much work.

    But seriously, security != ease of use. Locking the keychain might well be a theoretical solution, but anything that fails to take human nature into account is not security, just mildly entertaining. Or maybe a CMA. Litigation FTW...

  15. Gav

    "it is tempting to think that users would be well advised never to save passwords for sensitive websites."

    Well, duh.

    Do you write your PIN number on your bank card? So why save your online bank password in your browser?

  16. Matt

    This sort of test

    Is only really valid in a default state. So if Keychain is unlocked by default then that's the most appropriate state to test. Same with NoScript on Firefox. All this assuming that the average Joe is dumb (and let's face it, he is).

    However, the tests would have been more credible if they had then tested them with the other options that are easily available to the default install.

    Just for a flash from the past though, Windows XP was horribly insecure in all tests/attacks largely because its firewall was off by default and that wasn't changed until SP2. XP was appropriately lambasted for that very reason, so I don't see why other software manufacturers who have insecure defaults shouldn't be subjected to some derision.

  17. Stef

    Man + dog report

    Makes me want to knock up some report to generate some publicity.

  18. Steven Knox

    Is Firefox's PM dependent on Javascript or something else disabled by NoScript*? 'Cos the test was on the security of the PASSWORD MANAGERS, nothing else. So unless the answer to the question is "yes" -- which would raise even more questions about the security of Firefox's PM -- then the NoScript plugin should have no effect on the tests whatsoever. And if the answer is "yes", then the tests with NoScript enabled would be irrelevant (as the PM wouldn't work), wouldn't they?

    * No, I really don't know -- because I don't use PMs, and I rarely use Firefox.

  19. Paul

    Try it Yourself

    You can put your browser through their tests yourself on their website. I just put FF2 (with NoScript, though as Steven Knox said, it shouldn't matter) through and it still passed 7, though the results were slightly different from FF3's. It passed "Random Name Attr. Prevents Form Fills" but failed "Multi. Schemes Per User Per Authority".

  20. Kevin Eastman

    Firefox 3.04 and NoScript

    I tried it with Firefox 3.04 with NoScript, and did not allow the site in NoScript. I was unable to get past the 4th step (out of 32).

    After allowing the site, I was able to complete the test, and passed on 8 of the 32 tests.

  21. Lindsay

    Saving passwords?

    "...users would be stupid to save passwords for any websites."

    I fixed it for you.

  22. Tony Paulazzo

    This title is password protected

    >>>Chrome fails to check the location of password requests or the destination to which they are dispatched<<<

    What about Firefox? Since anti-phishing, I would've thought the above requirement would be built, by default, into all browsers. Also, doesn't the master password protect your password list? If not, what's its point?

    Admittedly, I don't save passwords to financial or important sites, mainly forums and places like this, and I would never save passwords in IE whatever version, but I thought Firefox's big sell was online security. Is it worth sending a ms to the Firefox team? - they never respond when reporting the crash on exit bug.
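The destination check quoted in the comment above (a password manager verifying where a login form will send the credential before filling it), written out as an added example; this is not code from the article, from Chapin's tests or from any browser, and the function names and sample URLs are this example's own assumptions.

```javascript
// Added example, not from the page or any browser: a password-manager-style
// check that a login form's destination matches the page the credential was
// saved for. All names here are this example's own assumptions.

// Decide whether a credential stored for `pageUrl` may be filled into a form
// that would submit to `formAction` (a relative or absolute action attribute).
// The action is resolved against the page URL, and scheme, host and port must
// all match: a credential saved over https is never released to an http
// target, and a form rewritten to post elsewhere gets nothing.
function shouldAutofill(pageUrl, formAction) {
  const page = new URL(pageUrl);
  let target;
  try {
    // An empty or missing action submits to the page itself.
    target = new URL(formAction || '', page);
  } catch (e) {
    return { fill: false, reason: 'unparseable form action' };
  }
  if (target.protocol !== page.protocol) {
    return { fill: false, reason: `scheme mismatch: ${page.protocol} vs ${target.protocol}` };
  }
  if (target.host !== page.host) { // host includes any explicit port
    return { fill: false, reason: `authority mismatch: ${page.host} vs ${target.host}` };
  }
  return { fill: true, reason: 'same scheme and authority' };
}

// Constructed cases (not from the page): a normal same-site form, a form whose
// action points at a third-party host, a downgrade to plain http, a changed
// port, and an empty action. Only the first and last should be filled.
function demo() {
  const page = 'https://bank.example/login';
  return [
    '/auth/submit',
    'https://collector.invalid/grab',
    'http://bank.example/auth/submit',
    'https://bank.example:8443/auth/submit',
    '',
  ].map((action) => ({ action, ...shouldAutofill(page, action) }));
}
```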

  23. deadfamous

    Remember my password for me?

    Remember the Butlerian Jihad?

    When the browser asks to save your password, just say no.


Biting the hand that feeds IT © 1998–2021