> Do you think that it's impossible for malware to retrieve passwords from IE, Firefox, Safari and Opera? Just how is it possible to import the passwords from these applications, then?

It actually is impossible for malware to instantly send off all of your saved passwords if you're using Firefox and have a (reasonably decent) master key set up. I assume Opera has a similar master key option. The keyword however is "instantly."

Now, the malware can and will still of course modify HTML on the fly and steal your passwords immediately after you log in to websites, but it would probably take quite a bit of time for it to collect nearly as many passwords as there are stored in your browser's password vault, especially if you use websites that don't require you to re-login very often. And the longer that time window is, the higher the chance the malware will be detected either by odd computer behavior, or an AV detection.

They can also set up a keylogger and wait for you to input your master password at some point. It can sometimes be hard to determine what logged text is actually the master pass, due to how many keyloggers work, but this is of course a viable option.

All in all, master passwords do in fact hinder attackers. The first thing many malware spreaders do is dump browser and other saved credentials (often FTP, sometimes IM accounts so they can spam malicious links to contact lists); it's often a quick "in-and-out" dumping process. It's not uncommon for malware to successfully execute and exfiltrate some data as soon as it's loaded, but later as it infects other files or drops additional payloads, AV will fire and the user will try to clean up the machine.

And then there are the very simple cases of "friend/acquaintance uses computer, looks at your passwords really quickly, memorizes a few, goes home and screws with your accounts at a later time." Master passwords make that sort of situation fairly impossible.

I really do not personally see why Chrome doesn't allow master passwords as an option. It would not be a security silver bullet, but it does help.