How safe is "Would you like to save this password?"

Discussion in 'Mac Basics and Help' started by Trentide, Apr 17, 2010.

  1. Trentide macrumors newbie

    Joined:
    Apr 17, 2010
    #1
    You know when you log into different sites with your passcode and the window pops up to read "Would you like to save this password?" How safe is that? I always resist putting in the info for fear that one day it could be stolen. I guess the real test is: is it safe enough to put in your banking or credit card passcode?


    Thanks in advance,

    Jason
     
  2. miles01110 macrumors Core

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #2
    Stored passwords are usually stored in browser cookies. Obviously if other people have access to your machine, you shouldn't store passwords in that manner.
     
  3. thelosmos macrumors newbie

    Joined:
    Jun 20, 2009
    #3
    If you are using Firefox, look for the LastPass extension. It has the ability to encrypt your passwords using AES encryption and then syncs them with the LastPass server. This allows your saved logins to be accessible from any of the machines you have LastPass installed on. FYI: The passwords are encrypted using a unique key prior to being sent to the server, so even LastPass is unable to decrypt them.
     
  4. angelwatt Moderator emeritus

    Joined:
    Aug 16, 2005
    Location:
    USA
    #4
    No, at most the web site would store a hashed version of the password in a cookie. Any decent bank web site won't offer the ability to stay logged in. The user is referring to the browser saving the password though, so cookies have nothing to do with it.

    The security of the browser's password storage depends on which browser you use and how you set it up, such as requiring a master password. Personally, I only use the feature for less sensitive web sites.
     
  5. miles01110 macrumors Core

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #5
    But several kinds of sites that store personal information do offer the ability to stay logged in. E-mail. Facebook. Amazon. All of which have some sort of session cookie that allows you to bypass the login screen.
     
  6. angelwatt Moderator emeritus

    Joined:
    Aug 16, 2005
    Location:
    USA
    #6
    And they will not store your password in plain text; they use hashes like MD5 so it protects the actual password.
     
  7. BlueRevolution macrumors 603

    Joined:
    Jul 26, 2004
    Location:
    Montreal, QC
    #7
    Saved passwords are stored in your login keychain, which is encrypted with your account password. If an attacker can't log in to your account, they can't access your passwords either. For that reason, it's a good idea to disable automatic login on your computer.

    As for saving passwords, I would never, ever save my banking passwords, but I do have things like MacRumors and Twitter saved.
     
  8. miles01110 macrumors Core

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #8
    Right, but hashed passwords don't matter if someone sits down at your computer while you're away.

    ...I don't think we're necessarily disagreeing...?
     
  9. toolbox macrumors 68020

    Joined:
    Oct 6, 2007
    Location:
    Australia (WA)
    #9
    Mine is set to not automatically log on; the screen will lock after, say, 10 minutes of inactivity and also when the screen saver comes on.

    I don't store passwords in browsers; they're in one place - my brain.
     
  10. angelwatt Moderator emeritus

    Joined:
    Aug 16, 2005
    Location:
    USA
    #10
    No, not disagreeing (though we may have confused each other as to our discussion topic), but the OP seems focused on the browser's storing of passwords rather than the site. Leaving a computer unattended leaves one open to all kinds of issues, including a person being able to access any unlocked keychains.
     
  11. Trentide thread starter macrumors newbie

    Joined:
    Apr 17, 2010
    #11
    Thanks for your responses! I think in my case, I'm not too concerned about someone sitting down at my computer and hacking into my accounts. I am, however, worried about someone, somehow, getting my passwords, virtually, by means of malware, or a virus or something. Is that a possibility? After thinking about it further, there's a new issue. Someone could possibly steal my computer. If my passwords are all saved, this would enable them to have instant access to all my accounts. That's definitely in the realm of possibility!

    Thanks again for your help everyone! I look forward to more of your ideas,

    Jason
     
  12. angelwatt Moderator emeritus

    Joined:
    Aug 16, 2005
    Location:
    USA
    #12
    Malware can be designed to do many things, so it's certainly in the realm of possibilities that it can steal your password, either by way of key logging or intercepting unencrypted internet traffic or if the password were stored in plain text locally. Getting infected by the malware would be the point to watch out for, and very little affects Macs currently. Just be cautious of what you download and don't blindly enter your account credentials just because a pop-up asks for it.

    In terms of protecting your info in the case of a stolen machine: Use a password on your computer account so they can't get into your account (though not foolproof). The main browsers offer a master password that you can set up, which requires you to enter that password when either starting the browser or when you go to use a web site that has the password stored within the browser.

    On web sites that keep you logged in, the good web sites (that are security-minded) will generally time out after about 2 weeks (like Google) and require re-login, or will log you out in minutes (often done for bank web sites). So that partially keeps you safe. I recommend always logging out of web sites when not in use (such as Facebook). This keeps you safer from XSRF- and XSS-based attacks that can take advantage of the fact that you're logged into a web site, even when you're not actively at the site.

    Social engineering is one of the bigger threats these days where the user falls for tricks on sites, either thinking they are entering their password on a different site, or forgetting there's no such thing as a free lunch. Facebook has been a very big target this year with about 100K users falling for the $1000 gift card scam this year alone, which is still circulating on Facebook. These scams often work because the link for the gift card comes from your "friend" who was a gullible fool and because it comes from a friend, the person thinks it's safe.
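
Added example, not part of any post in this thread: a minimal sketch of the "stay logged in" mechanism discussed in posts #5 and #12, where the cookie carries a random session token (not the password or a hash of it) and the server enforces the timeouts and the logout. The `SessionStore` class, its method names and the ten-minute idle value are assumptions made for illustration.

```python
import hashlib
import secrets

TWO_WEEKS = 14 * 24 * 3600   # long "stay logged in" lifetime mentioned in the thread
TEN_MINUTES = 10 * 60        # bank-style idle timeout (assumed value)


class SessionStore:
    """Server-side sessions keyed by the SHA-256 of a random cookie token."""

    def __init__(self, absolute_ttl, idle_ttl):
        self.absolute_ttl = absolute_ttl
        self.idle_ttl = idle_ttl
        self._sessions = {}  # token digest -> [user, created_at, last_seen]

    @staticmethod
    def _digest(token):
        # Only the digest is kept, so a leaked session table holds no usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now):
        # The cookie value is fresh randomness, unrelated to the password.
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = [user, now, now]
        return token

    def authenticate(self, token, now):
        key = self._digest(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, created_at, last_seen = entry
        if now - created_at > self.absolute_ttl or now - last_seen > self.idle_ttl:
            del self._sessions[key]  # expired: the user must log in again
            return None
        entry[2] = now  # activity resets the idle timer only, not the absolute one
        return user

    def logout(self, token):
        # Logging out deletes the session server-side, so a copied cookie stops working.
        self._sessions.pop(self._digest(token), None)
```

Times are passed in as plain seconds so the expiry behaviour can be checked without waiting; a real deployment would also set the cookie with the `Secure` and `HttpOnly` attributes.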
     
  13. BlueRevolution macrumors 603

    Joined:
    Jul 26, 2004
    Location:
    Montreal, QC
    #13
    In other words, be particularly cautious of 90% of the posts on that site. :rolleyes:
     
