I've been doing a little bit of research on security and it strikes me how very insecure many browsers are. For example, passwords are stored in plaintext if 'Remember Password' is selected on a website login, and are easily revealed if the machine is unlocked or insecure.

I was wondering, for example, once the session has been logged in, where is the password stored then? I realize that if the connection has SSL/TLS enabled any content to and from the server is encrypted, but what about on the local computer? Is the password still kept in plaintext somewhere within the browser, or does it immediately become encrypted when you log in?

Daniel Nitschke
  • This is especially relevant in websites that constantly require a password check each refresh/navigation. – Daniel Nitschke May 02 '16 at 09:45
  • Commonly, when you log in to a website that requires you to enter the password, the password is sent to the server once and after that it is not present on the client. – 1615903 May 02 '16 at 10:01
  • I can see how that would be logical, but it doesn't quite sound right. Many websites require you to revalidate the password every refresh/navigation (Facebook for example checks your password before it makes any action further). So is it right to assume the password is still somewhere in plaintext? – Daniel Nitschke May 02 '16 at 10:02
  • I don't understand what you mean - Facebook does not ask you to re-enter your password when you refresh the page. – 1615903 May 02 '16 at 10:03
  • No it doesn't, but it checks in the background. It checks that the session password is the same as the password still on the server. It validates it every action. – Daniel Nitschke May 02 '16 at 10:08
  • "I was wondering for example once the session has been logged in, where is the password stored then?" — That's an implementation detail of the individual website. There is no generic answer. – Quentin May 02 '16 at 10:10
  • So it can be assumed that some websites would in fact keep the password locally, such as in a cookie or similar? – Daniel Nitschke May 02 '16 at 10:13

2 Answers

Websites are not that unsafe. You are confused because you are mixing 2 different things:

  1. Your browser can save the passwords of websites you log in to if you ask it to do so. Here is, for instance, how you can enable this feature in Firefox by checking the Remember passwords for sites option:

[Screenshot: Firefox options dialog with the "Remember passwords for sites" checkbox]

If you are worried about the security issues of your passwords you use to log into your favorite websites (you should), then you can use a password manager which stores your passwords encrypted on your machine.

  2. What I mentioned above is not to be mixed up with, and has nothing to do with, the auto-login (Remember Me) feature, which could, however, have security failures depending on how it is implemented (mainly if your website's developers are bad enough to code cookies that contain your credentials).
Billal Begueradj
  • It's also worth noting that if you choose to use a master password in Firefox, the saved passwords will be encrypted. – 1615903 May 03 '16 at 07:53
  • Hey there. Thanks for your reply. No, I understand this function, but this is if you choose to save passwords. Say for example you log in to Facebook on a machine you have never used before and choose not to save your password to the database. You're logged in, but does your password still exist somewhere? // cookies, in the browser somewhere? For websites that check your password each time you navigate once you're logged in this would make sense. – Daniel Nitschke May 04 '16 at 11:45
  • No, Facebook cannot be that successful if they store passwords on the machine you connect with. Have you heard about cookies? You may also read the post I linked to. @DanielNitschke – Billal Begueradj May 04 '16 at 12:58
Edit: As long as the website doesn't explicitly tell the browser to save it in the cookies, it is not saved anywhere, because the browser only sends cookies to the server once you have logged in. (Yes, I know there's also background information like agent etc., but that's not the topic here!)

Another exception would be a web page that is using $_SESSION cookies - then the browser must send it in every new session, of course! But that's a completely new login session with new cookies every time.

OLD: Are you talking about where you can find the password, like about:preferences#security in Firefox, where it is possible to show the password in completely plain text, or the actual physical location on the drive?

Sorry for posting a question in an answer btw - I was not allowed to comment on your question :/

Nerevar
  • Nope. I understand each browser has a SQLite (or similar) database for when you choose to save passwords. But what happens when you log in without saving anything? Where does the password go? You've authenticated with the server, but it's very likely that the password is still sitting somewhere in plain text within the browser in case of the need to revalidate the session? Cookies perhaps? – Daniel Nitschke May 02 '16 at 10:01
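The flow 1615903 describes in the comments and that this answer's edit alludes to (the password is sent once, and afterwards only a session cookie travels with each request), as an added Python example that is not part of any post on this page; the user, password and in-memory session table are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store (sample user and password are made up): the server
# keeps only a salt and a PBKDF2 hash, never the plaintext password.
_salt = os.urandom(16)
USERS = {"alice": (_salt, hashlib.pbkdf2_hmac("sha256", b"correct-horse", _salt, 100_000))}

# Server-side session table: random session id -> username.
SESSIONS = {}

def login(username, password):
    """Verify the password exactly once. On success return a fresh session id
    (what the server would send in a Set-Cookie header); otherwise None."""
    rec = USERS.get(username)
    if rec is None:
        return None
    salt, stored = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(candidate, stored):
        return None
    sid = secrets.token_urlsafe(32)  # unguessable, and carries no password material
    SESSIONS[sid] = username
    return sid

def handle_request(cookies):
    """Every later request is authenticated by the session cookie alone;
    the password is never sent or checked again. Returns the user or None."""
    return SESSIONS.get(cookies.get("sid"))

class Browser:
    """Simulated client: after login it holds only a cookie jar."""
    def __init__(self):
        self.cookies = {}

    def do_login(self, username, password):
        sid = login(username, password)
        if sid is not None:
            self.cookies["sid"] = sid
        return sid is not None

    def get_page(self):
        return handle_request(self.cookies)

    def holds_plaintext(self, password):
        """True if the password survives anywhere in the client-side state."""
        return any(password in v for v in self.cookies.values())
```

A "Remember Me" cookie that embedded the credentials themselves would fail the `holds_plaintext` check; a site that wants persistent login should issue another random, server-tracked token instead.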