Hacker News
by Someone1234 3817 days ago
> Chrome and firefox both store saved passwords in plain-text in easily accessible local databases.

All password managers store plain text passwords. That's literally a requirement for them to work at all.

Chrome encrypts the password in the SQLite database[0] using Windows' CryptProtectData() API, and Firefox encrypts the passwords either using your master password or, if none is set, it encrypts them but stores the encryption key in key3.db.

> Don't rely on them to keep passwords safe.

You've presented no justification for that. If you're using a root-compromised machine then no password manager is safe. If your machine is secure then your passwords are secure in both Chrome and Firefox, but more secure in Chrome.

[0] http://www.howtogeek.com/70146/how-secure-are-your-saved-chr...

2 comments

> All password managers store plain text passwords. That's literally a requirement for them to work at all.

I'm not sure this is what you mean to say, because, obviously, good password managers don't store passwords in cleartext.

You cannot hash passwords in a password manager. It has to be reversibly encrypted and turned back into plain text before utilisation.

So when people complain about password managers storing plain text (as opposed to hashing) they're barking up the wrong tree; it is a necessary evil.

You just want to see them encrypt those plain text passwords so that offline recovery is harder. That's what Firefox's master password, CryptProtectData() for Chrome/IE, and the keychain in OS X all provide.

I think you're trying to say something akin to but not quite "plaintext equivalent", and your terminology is mangling your argument.

Ah come on, you obviously understand what he is trying to say. You don't always have to interpret every comment online as if the person writing them is stupid.
> All password managers store plain text passwords. That's literally a requirement for them to work at all.

> Chrome encrypts the password in the SQLite database[0] using Windows' CryptProtectData() API

If it's encrypted, then it's not plaintext. It's ciphertext. In infosec lingo plaintext specifically refers to the unencrypted and otherwise unaltered original information.

Seeing as the parent comment was in reply to an assertion that Chrome stores plaintext passwords, I think it was assumed that the assertion intended to mean "Chrome has access to your plaintext passwords", otherwise the reply would simply have been "No, you're wrong".
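The three storage models argued about in this thread, as an added example that is not code from the thread, from Chrome or from Firefox: (1) a hashed record, which a server can verify but a password manager can never turn back into a password; (2) an encrypted record whose key sits next to the database, the "no master password, key in key3.db" case, which is ciphertext on disk but plaintext-equivalent to anyone who can copy the profile; and (3) an encrypted record whose key is derived from a master password that never touches disk, so an attacker with only the files has to guess the master and pay the KDF cost per guess. Everything below is standard-library Python; the cipher is a toy (HMAC-SHA256 keystream plus an HMAC tag) standing in for AES-GCM or DPAPI, the file names "logins.db" and "key3.db" are borrowed from the thread for illustration, and the iteration count and sample wordlist are assumed values.

```python
"""Toy password store contrasting hashing, key-beside-database encryption,
and master-password encryption. Added illustration; not real browser code."""
import hashlib
import hmac
import os
import secrets

KDF_ITERS = 50_000  # PBKDF2 work factor, assumed value for the example


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate one store key into an encryption key and a MAC key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (toy; use AES-GCM in real code).
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:n])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce(16) || ciphertext || tag(32). Reversible by design: the
    manager must get the password back in order to fill a login form."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered record")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def derive_key(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERS)


# Model 1: hashing. Right for a server checking logins, useless for a manager.
def hashed_store(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive_key(password, salt)}


def hashed_store_fill(record: dict) -> str:
    # There is no inverse of the hash, so nothing can be typed into the form.
    raise TypeError("a hash cannot be turned back into the password")


# Model 2: encrypted, key stored beside the database (no master password set).
def local_key_store(password: str) -> dict:
    key = secrets.token_bytes(32)
    return {"logins.db": encrypt(key, password.encode()), "key3.db": key}


def offline_recover_local_key(profile: dict) -> str:
    # Whoever copies the profile directory copies the key: plaintext-equivalent.
    return decrypt(profile["key3.db"], profile["logins.db"]).decode()


# Model 3: key derived from a master password that is never written to disk.
def master_password_store(password: str, master: str) -> dict:
    salt = os.urandom(16)
    return {"logins.db": salt + encrypt(derive_key(master, salt), password.encode())}


def unlock(profile: dict, master: str) -> str:
    blob = profile["logins.db"]
    return decrypt(derive_key(master, blob[:16]), blob[16:]).decode()


def offline_recover_master(profile: dict, wordlist: list) -> tuple:
    """All an attacker holding only the file can do: guess masters, paying
    KDF_ITERS per guess. Returns (guesses_tried, recovered_password_or_None)."""
    for tried, guess in enumerate(wordlist, 1):
        try:
            return tried, unlock(profile, guess)
        except ValueError:
            continue
    return len(wordlist), None


if __name__ == "__main__":
    stolen = master_password_store("hunter2", "correct horse")  # constructed sample
    print(offline_recover_local_key(local_key_store("hunter2")))  # instant
    print(offline_recover_master(stolen, ["password", "letmein", "correct horse"]))
```

Chrome's CryptProtectData() model sits between models 2 and 3: the key is held by the OS and is itself protected with material derived from the user's logon credential, so a copy of the profile files alone behaves like model 3 for the attacker, while code already running as that logged-on user gets model 2 behaviour, which is the "root compromised machine" caveat made in the thread.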