What are the best ways to store a critical password?

Hello dear Linux experts,

Is it a good way to manage passwords in cookies?

Well, for some sensitive accounts I have made up my mind and created some very, very difficult passwords.

In the past I stored some of these critical passwords in cookies
so that I did not need to retype them.

BUT wait: is this a secure way to do so?

Note: I run openSUSE Linux, but I think that this is no guarantee that all is safe.

So what do you suggest:

a. Create a password that I can remember and do not need to store in the cookie.
b. Create a very, very hard password that I cannot remember at any time and store it in the cookie.

Love to hear from you.

Greetings

I assume you mean having the browser manage the password. This is not really a cookie. The passwords are usually encrypted (check your browser settings). So it is relatively safe. But it always depends on how much interest and resources someone has to break the encryption and exactly how much resources and time you have to stop them.

Your passwords in any case are much more likely to be exposed by a break-in at the other end. Remember, your password is stored in two places: on your machine and also on the server you connect to.

On Sun, 14 Jun 2015 19:06:01 +0000, dilbertone wrote:

> Hello dear Linux experts,
>
> Is it a good way to manage passwords in cookies?

It depends. Are you encrypting the cookies somehow?

> Well, for some sensitive accounts I have made up my mind and created some
> very, very difficult passwords.
>
> In the past I stored some of these critical passwords in cookies so that
> I did not need to retype them.
>
> BUT wait: is this a secure way to do so?
>
> Note: I run openSUSE Linux, but I think that this is no guarantee that
> all is safe.
>
> So what do you suggest:
>
> a. Create a password that I can remember and do not need to store in the
> cookie.
> b. Create a very, very hard password that I cannot remember at any
> time and store it in the cookie.
>
> Love to hear from you.

In either case, there’s a key used to decrypt the password for use, so
the strength of the password is generally not an issue (other than for
the site it is actually for), but the strength of the key used becomes
critical.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Hello dear googlathorp, hello dear Jim,

Many, many thanks for the answers. Great to hear from you!

Well, both of you are very right - Firefox stores the password in a cookie - it only manages it.

Well, I will try not to use Firefox for storing any part of my authentication: I will try to avoid using it myself, as even though the passwords are stored in an encrypted format in Firefox, doing so could give someone access to my accounts if they got hold of my computer.

**Besides Firefox.**

I want to learn something new: what about KeePassX? I've heard about this technique.

I try to store my passwords using KeePassX as my password manager and log in/out as needed. We can use KeePassX in different modes: the way I want to set up KeePassX requires a key file and a master password to be allowed in. I keep the key on a USB stick and backed up on another one. An auto-generated KeePassX (160-bit) password looks like this: gJLMsn+~>1Vepl0/3!'K/hk/jolly_|

Well, googlathorp and Jim, how do you like this? So the passwords created with KeePassX seem to be very, very strong.
So strong that at least I would feel safe with it, and the best thing of all:

With KeePassX you don't have to type it; just use the Copy Password menu item and paste it in the appropriate field.

What do you think? Should I give it a try?

Love to hear from you! Have a great day.

:wink:

Technically speaking,
No one should ever store sensitive personal and security data in a cookie.
That’s very well known and any Dev that comes up with that idea should be spanked out of the project.
And it's because ordinary cookie storage is considered open and accessible to everyone/everything… And that's why it's so nice for Advertisers to use to track your Internet behavior: they can search for cookies dropped by various sites on your machine.

Flash cookies are a specific type of cookie that's handled differently from regular cookies; they have become the poster child for abuse, but not typically because they're used intentionally to pass passwords.

There is one exception I've run across… Python websites like Django use a special cookie, but it's not stored in the same place as other cookies; it's encrypted, and the people who designed its use seem to be fully aware of the drawbacks of normal cookies, so they have done everything they can to address those issues. I don't like the idea of using these Python cookies, but today it's more my own personal attitude than any compromising reason.

There is a proper way to use cookies, which generally is to store a random identifier so the Server can “remember” the client, and sometimes some non-sensitive information can be stored (like what those Advertisers do). But, that is just temporary data, usually related to sessions and <not> real security credentials which have permanence.

So,
If you’re attracted to the idea of using cookies to pass anything like passwords, DON’T. EVER. NEVER. Or, you may be written up one day as “the” guy who either didn’t know what he was doing or knew and did it anyway and wrecked his Users.

HTH,
TSU

On Mon, 15 Jun 2015 15:26:01 +0000, dilbertone wrote:

> i want to learn something new: what about keepassx. I ve heard about
> this technique.

Doesn’t matter if it’s Firefox, Keepassx, or any other ‘vault’ - if you
don’t use a secure password to secure the vault, you will have the same
potential for compromise of all saved passwords.

A vault is only as good as the combination that protects the contents.

Jim


Jim Henderson
openSUSE Forums Administrator
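
Added example for this thread, not code from KeePassX or from any of the posters: a KeePass-style composite key built from a master password plus a key file, stretched with PBKDF2, and a small dictionary attack run against it. It shows both points made above: the key file blocks a guess from someone who does not hold the USB stick, and once the attacker does hold the key file the vault falls exactly as fast as the master password does, which is Jim's "combination" point. The composite-key layout, the round count, the word list and the key-file bytes are assumptions for the demo, not KeePassX's real file format.

```python
# Added example for this thread; not code from KeePassX or from any poster.
# A KeePass-style composite key: hash the master password and the key file
# separately, hash the concatenation, then stretch the result so that every
# guess costs real CPU time.  Layout, round count and sample data are
# assumptions for the demo, not KeePassX's real file format.
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

PBKDF2_ROUNDS = 50_000  # demo work factor; a real vault should go much higher

# Constructed sample data (not real secrets).
CONSTRUCTED_KEY_FILE = b"constructed key file: 64 random bytes would be typical"
CONSTRUCTED_SALT = b"constructed-16B-salt"
ATTACKER_WORDLIST = ["password", "summer2015", "opensuse", "dilbert", "letmein"]


def composite_key(master_password: str, key_file: Optional[bytes]) -> bytes:
    """Combine the master password with an optional key file into 32 bytes."""
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def vault_key(master_password: str, key_file: Optional[bytes],
              salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Stretch the composite key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(master_password, key_file), salt, rounds)


def check_value(key: bytes) -> bytes:
    """MAC over a fixed string, stored next to the vault so the right key is
    recognised without revealing it (a real vault gets this from authenticated
    encryption of the entries)."""
    return hmac.new(key, b"vault-check", "sha256").digest()


def unlocks(candidate: str, key_file: Optional[bytes], salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(check_value(vault_key(candidate, key_file, salt)), stored)


def dictionary_attack(words, key_file, salt, stored) -> Optional[str]:
    """Return the master password if it is in the attacker's list, else None."""
    for word in words:
        if unlocks(word, key_file, salt, stored):
            return word
    return None


def generate_password(bits: int = 160) -> str:
    """Random password with at least `bits` of entropy, in the spirit of the
    KeePassX generator: 94 printable ASCII symbols, ~6.55 bits each."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    length = math.ceil(bits / math.log2(len(alphabet)))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo() -> dict:
    """Weak vs strong master password, with and without the attacker holding the key file."""
    weak = check_value(vault_key("summer2015", CONSTRUCTED_KEY_FILE, CONSTRUCTED_SALT))
    strong_pw = generate_password(160)
    strong = check_value(vault_key(strong_pw, CONSTRUCTED_KEY_FILE, CONSTRUCTED_SALT))
    return {
        # attacker has the vault and the key file from the USB stick: weak password falls
        "weak_cracked_with_keyfile": dictionary_attack(
            ATTACKER_WORDLIST, CONSTRUCTED_KEY_FILE, CONSTRUCTED_SALT, weak),
        # attacker has the vault but not the key file: the same weak password survives
        "weak_cracked_without_keyfile": dictionary_attack(
            ATTACKER_WORDLIST, None, CONSTRUCTED_SALT, weak),
        # generated 160-bit master password: not in any word list
        "strong_cracked_with_keyfile": dictionary_attack(
            ATTACKER_WORDLIST, CONSTRUCTED_KEY_FILE, CONSTRUCTED_SALT, strong),
        "strong_pw_length": len(strong_pw),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The key file only helps while it stays off the machine the vault is on; if both are copied together, the attacker is back to guessing the master password, and the PBKDF2 work factor is the only thing slowing that down.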

I don't think that's right. At one time a particular website's password was stored in a cookie. But that was the decision of the website, not of Firefox. That site has since tightened up its security.

I allow firefox to remember passwords. I do set a master password, so that they are encrypted on disk.

Firefox does not store that password in a cookie. However, websites where I login do set a cookie that allows them to remember that I have authenticated. But the password is not in that cookie. Usually there is some sort of token which presumably is used to look up data in the website database.
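
Added example, not code from any of the posts or from any web framework: the "proper" cookie use that tsu2 describes and that nrickert sees on the sites he logs in to. The only thing written to the cookie is a random session identifier; the password is checked once at login against a salted hash and never goes near the client. The user table, session store and timestamps are in-memory stand-ins constructed for the demo.

```python
# Added example for this thread; not code from any poster or from any web framework.
# The cookie carries only a random session identifier.  The password is checked
# once at login against a salted PBKDF2 hash and never appears in a cookie.
# The user table and session store are in-memory stand-ins constructed for the demo.
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000
SESSION_TTL_SECONDS = 3600

USERS = {}     # username -> (salt, pbkdf2 hash); never the password itself
SESSIONS = {}  # session id -> {"user": ..., "expires": ...}; lives only on the server


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def check_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"\x00" * 16)  # burn the same time for unknown users
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Return a Set-Cookie header value on success, None on failure."""
    if not check_password(username, password):
        return None
    session_id = secrets.token_urlsafe(32)  # 256 random bits: a lookup key, nothing more
    SESSIONS[session_id] = {"user": username, "expires": _now(now) + SESSION_TTL_SECONDS}
    return f"sessionid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_cookie_header(header: str) -> dict:
    """Parse a request 'Cookie:' header (name=value pairs separated by ';')."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def current_user(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve the session cookie to a user, or None if missing, forged or expired."""
    session_id = parse_cookie_header(cookie_header).get("sessionid", "")
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    if _now(now) > session["expires"]:
        del SESSIONS[session_id]
        return None
    return session["user"]


def logout(cookie_header: str) -> None:
    SESSIONS.pop(parse_cookie_header(cookie_header).get("sessionid", ""), None)


def demo() -> dict:
    register("dilbert", "correct horse battery staple")
    t0 = 1_434_300_000.0  # constructed timestamp (June 2015)
    set_cookie = login("dilbert", "correct horse battery staple", now=t0)
    cookie = set_cookie.split(";", 1)[0]  # what the browser sends back: just name=value
    return {
        "wrong_password_gets_cookie": login("dilbert", "wrong", now=t0) is not None,
        "password_in_cookie": "correct horse" in set_cookie,
        "valid_user": current_user(cookie, now=t0 + 10),
        "forged_sid_user": current_user("sessionid=" + "A" * 43, now=t0 + 10),
        "expired_user": current_user(cookie, now=t0 + SESSION_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Stealing the cookie still gives an attacker the session until it expires or is logged out, which is why the `HttpOnly`, `Secure` and `SameSite` attributes and a short lifetime matter; what it never gives them is the password.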

Just an FYI.
Off the top of my head, some ways to handle client authentication… and you'd probably get a fuller list with a Google search:

  • Use client certificates instead of passwords. Certificate usage still has to be done correctly and might not make any difference for much machine hacking, but it'll generally block human hacking. Certificates are generally issued and used as two main types, machine and user. On personal devices like mobile devices, "machine" and "personal" are practically synonymous, but on potentially shared devices they are more likely different. Oftentimes certificates are stored securely by default.

  • If you must use a password, then apps like KeePass or LastPass can be used. Oftentimes, if the user is logged into network security (like a business use of LDAP or AD), you can store credentials in the user's account.

  • If you are a Developer, you can embed various security methods into your app. Depending on the OS, username/password pairs can be stored in different places. On a Windows machine, they can be stored in the SAM. If you’re deploying a web farm, you’ll likely want to store credentials server-side.

  • Another common approach, which shouldn't ever be used, is passing credentials in the URL. I think the company I worked for was one of the first to explore client authentication in an online pharmacy. Although Dev did everything they could to randomize identifiers for every transaction, they overlooked the search engines, which capture URLs, so guess what… the URLs which included authentication IDs were captured and re-published in their entirety, which allowed anyone to replay a transaction. Dev did some crash emergency re-design to completely re-work authentication. So, passing IDs in URLs is like using cookies. Don't.

HTH,
TSU

If:

  • you use Firefox or derivatives
  • you have Seahorse / ‘Passwords and Keys’ installed and use it (which usually means you are using GNOME)
  • you don’t trust Firefox on password security
    (or you want an easier way to figure out your password if you have forgotten it and need to enter it on a different computer)

You can use the GNOME Keyring Integration extension to make Firefox save all passwords in the GNOME Keyring. This way they are secure, and you can still take a look at them when you need them.

Do note that the GNOME Keyring is usually automatically unlocked when you log in, so when someone logs in to your computer and opens Seahorse, they will be able to see all your passwords. However, as long as you use a good password for your user account (which you should), this is never a problem. You can also just save any kind of password with Seahorse and it'll be secure (again, only if you have a good user password, though).

I think it's possible to stop the keyring from automatically unlocking after logging in, but that sort of defeats the purpose of it, as you'd need to unlock it to use/save any passwords anyway. You can use a different keyring, though. One thing Seahorse does not have that KeePassX does, to my knowledge, is the key file, but I've always seen this as unnecessary, as a good password (with a good encryption method/algorithm) already keeps everyone out, no exceptions.

On 2015-06-15 21:46, sdfghjk123 wrote:

> Do note that the GNOME Keyring is usually automatically unlocked
> when you log in,

which is protected by the user password, which is typically not very
strong. A password vault should have a separate and very strong
password, longer and more complex than the rest.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

On Mon, 15 Jun 2015 15:46:01 +0000, tsu2 wrote:

> No one should ever store sensitive personal and security data in a
> cookie.

That’s actually how authentication protocols like OAuth work.

Now the token stored in the authentication cookie is encrypted/signed, so
forging it is relatively difficult.

Similarly, you have JWT cookies that store lots of fairly sensitive
information.

POST data preservation also uses cookies (generally) or local browser
storage to do its job.

But again, that information is generally encrypted and/or signed,
depending on the sensitivity of the data.

Jim


Jim Henderson
openSUSE Forums Administrator
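
Added example, not code from the thread or from any OAuth/JWT library: an HS256-signed token in JWT layout of the kind Jim describes, with the checks a verifier has to make (signature, algorithm, expiry) and the forgeries it has to reject. It also shows the caveat a practitioner wants next to "encrypted/signed": this token is signed, not encrypted, so anyone holding the cookie can read its claims, which is why a password must never be among them. The key, claims and timestamps are constructed for the demo.

```python
# Added example for this thread; not code from any poster or from any OAuth/JWT library.
# An HS256-signed token (JWT layout) as carried in an authentication cookie, with the
# checks a verifier must make and the forgeries it must reject.  Key, claims and
# timestamps are constructed for the demo.
import base64
import hashlib
import hmac
import json
from typing import Optional

DEMO_KEY = b"constructed-demo-key-do-not-reuse"  # a real key is random and stays server-side


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_token(claims: dict, key: bytes, now: int, ttl: int = 3600) -> str:
    """header.payload.signature, signature = HMAC-SHA256(key, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(payload))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, key: bytes, now: int) -> Optional[dict]:
    """Return the claims if signature, algorithm and expiry all check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
            return None
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):  # malformed base64 / JSON / structure
        return None


def peek_claims(token: str) -> dict:
    """What anyone holding the cookie can read: the payload is base64, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def demo() -> dict:
    t0 = 1_434_300_000  # constructed timestamp (June 2015)
    token = issue_token({"sub": "dilbert", "role": "user"}, DEMO_KEY, now=t0)
    h, p, s = token.split(".")
    # forgery 1: edit the payload (promote to admin) but keep the original signature
    tampered = h + "." + _b64url(_json(
        {"sub": "dilbert", "role": "admin", "iat": t0, "exp": t0 + 3600})) + "." + s
    # forgery 2: header says alg "none" and the signature is empty
    none_alg = _b64url(_json({"alg": "none", "typ": "JWT"})) + "." + p + "."
    return {
        "valid": verify_token(token, DEMO_KEY, now=t0 + 60),
        "tampered": verify_token(tampered, DEMO_KEY, now=t0 + 60),
        "none_alg": verify_token(none_alg, DEMO_KEY, now=t0 + 60),
        "wrong_key": verify_token(token, b"other-key", now=t0 + 60),
        "expired": verify_token(token, DEMO_KEY, now=t0 + 3600),
        "readable_without_key": peek_claims(token)["role"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Forging the token without the key is hard because every claim is covered by the MAC; reading it is trivial. A signed cookie therefore stops the client from changing who it is, but it does not hide anything, and a server that wants confidentiality as well has to encrypt the token on top of signing it.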

Hello dear sdfghjk123, hello dear Carlos (aka robin listas), hello dear Jim and tsu2 and nrickert,

Many, many thanks for all your answers - food for thought. I have learned a lot!

> Doesn't matter if it's Firefox, Keepassx, or any other 'vault' - if you don't use a secure password to secure the vault, you will have the same potential for compromise of all saved passwords. A vault is only as good as the combination that protects the contents.

Well, if I think about the stronger password:

If I were to store my passwords using KeePassX as my password manager and log in/out as needed: the way I could set up KeePassX requires a key file and a master password to be allowed in. I could keep the key on a USB stick and back it up on another one.

An auto-generated KeePassX (160-bit) password looks like gJLMsn+~>1Vepl0/3!'K/hk/|, so they are very, very strong. We would not and don't have to type it; just use the Copy Password menu item and paste it in the appropriate field.

But wait: can I do all those things with the KDE PGP keyring too?

Can I do all the things that seem to be so powerful with KeePassX - can I do all of them with either

a. **GNOME Keyring** Integration, or even better
b. the KDE PGP keyring

Well, I have to mention that I already use the KDE PGP keyring on my openSUSE system.
So if a or b does exactly the same as KeePassX will do, I do not need to install this system on my openSUSE.

Love to hear from you.

dilbert