I voiced this same question a few days back on HN. I presume this is just not an important enough area to bring all the big corps and orgs together to brainstorm a standard and then implement it across their devices and OS.

Truth is, most people are shockingly poor when it comes to security. I'd bet that 80% of computer users just store their passwords in the built-in browser password managers (without even a Master password set) and are done with it. Even worse, I've come across folks storing their passwords in a plain text file.

For the minority who do want secure password management, there are a plethora of solutions, but nothing is completely integrated and seamless. It's all a mish-mash of standalone desktop programs, browser plugins & extensions, web services, cloud storage and so on, all stitched together ad hoc.

This is doable for those who're familiar with security/encryption and can set it all up, maintain and update it, but an utter non-starter for an average user or smartphone consumer.



Are there known exploits, or have there been major exploits, for remote access to browser credential stores on personal computers?

If not, then it seems you need physical access, and for most people, once you access their home you can access enough info to fraudulently use their identity. So being more secure makes little sense for them, which seems logical. Sure, it's increasing the ways an intruder can attack, making a broader attack surface. Once someone has had access to your home, from a security perspective you'd need to consider all that info compromised, unless you carefully use a home safe, I guess.

I use a plaintext file for some credentials. It seems to me less likely to be recovered than using a widespread service. Would you seek out my house on the promise of pocket change (protected only by my doorlocks and one passphrase) or attack a bank?


Well, you don't need physical access if you can successfully get your malware installed on the target's computer. At that point a text file would be easier to scrape than a password-protected file, but only a few more steps away, i.e., by logging keystrokes or impersonating a login prompt or whatever.

On the other hand, passwords stored in the browser are vulnerable to a compromise of the browser as well as a system compromise, so that is one additional weakness. I agree that a local system compromise is almost always game over. The same as physical access.

To answer your question, I'm not sure, but IIRC the Lastpass client was compromised more than once. There were also weaknesses in the way Chrome stored passwords, and of course the Firefox credentials file is easily readable without a Master password set.


>of course the Firefox credentials file is easily readable without a Master password set //

Is that true without local access, presumably Moz use a key of some sort to encrypt the passwords before uploading and distributing to your other browsers rather than doing all that in the clear?


Yes, local access is needed since Mozilla do encrypt the file, but the key is stored in the same profile...


>I'd bet that 80% of computer users just store their password in the built-in browser password managers (without even a Master password set) and be done with it.

The misconception here is that setting a master password provides any real security. It isn't much different if you use a master password or not, once you have autofill, you're already compromised in that threat model.


Huh? So, someone boots your computer, assuming no login password, then launches your browser to get your passwords but needs a master password -- how is that not protection?

From the point of view of cracking the password file I'd assume that Mozilla use an encryption key for passing the password file around, just that the key is available to anyone who has access to any of your browsers?
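The two points above (the data key sits in the same profile as the encrypted logins, and a master password only wraps that key) can be shown with a small model. This is an added example, not Mozilla's code and not Firefox's real on-disk format: it uses a toy HMAC-based cipher in place of the AES/3DES that NSS uses, and a deliberately low PBKDF2 iteration count so the brute-force demo runs quickly. The sample logins are constructed; the profile layout (salt, wrapped data key, encrypted login store) is the only thing being modelled. With no master password set, anyone who can read the profile files recovers the key; with one set, they are reduced to guessing it.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data for the demo (not from a real profile).
SAMPLE_LOGINS = [{"host": "https://example.com", "user": "alice", "pass": "hunter2"}]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Stands in for a real block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag. The tag lets decrypt() detect a wrong key."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def kdf(master_password: str, salt: bytes) -> bytes:
    # Low iteration count is an assumption made for demo speed; real deployments use far more.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 10_000)


def create_profile(logins: list, master_password: str = "") -> dict:
    """Model a profile: a salt, a random data key wrapped under the (possibly empty)
    master password, and the login store encrypted under the data key.
    Everything needed to decrypt lives in this one dict, i.e. on disk in the profile."""
    salt = secrets.token_bytes(16)
    data_key = secrets.token_bytes(32)
    wrapped_key = encrypt(kdf(master_password, salt), data_key)
    enc_logins = encrypt(data_key, json.dumps(logins).encode())
    return {"salt": salt, "wrapped_key": wrapped_key, "logins": enc_logins}


def dump_logins(profile: dict, master_password: str = "") -> list:
    """What an attacker with read access to the profile files can do.
    With no master password this always succeeds; otherwise it raises ValueError."""
    data_key = decrypt(kdf(master_password, profile["salt"]), profile["wrapped_key"])
    return json.loads(decrypt(data_key, profile["logins"]))


def brute_force(profile: dict, candidates: list):
    """Offline guessing against a profile that has a master password set.
    Returns (password, logins) on success, None if no candidate matched."""
    for pw in candidates:
        try:
            return pw, dump_logins(profile, pw)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    no_mp = create_profile(SAMPLE_LOGINS)
    print("no master password, file access only:", dump_logins(no_mp))

    with_mp = create_profile(SAMPLE_LOGINS, "correct horse")
    print("master password set, empty guess:", brute_force(with_mp, [""]))
    print("master password set, wordlist:", brute_force(with_mp, ["password", "letmein", "correct horse"]))
```

The takeaway from running it matches the thread: the master password does not make the stored key any harder to find, it makes the wrapped copy of the key useless without the passphrase, so the protection is exactly as strong as the passphrase against offline guessing. It does nothing against malware that waits for the browser to unlock and autofill.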