OddThinking

A blog for odd things and odd thoughts.

Browser Comparison: Password Management

Abstract

In the comments to my last post about web-page password management, Casey and Alastair explained that their favourite browsers (Opera and Safari respectively) have cool web-page password management features.

I planned to send a comment back to them stating that all of the big browsers had identical functionality in this area, and there was nothing between them.

I tested the hypothesis first, and the results were more interesting than I thought. A quick comment turned into this article instead.

Hypothesis

That all of the big browsers have identical functionality for Password Management.

Method

I found a publicly-available free-to-register site that suffers from the “automatic-login-only-works-the-second-time dance” – and now you can see why I was keen to find a better name. Once we name a problem, it is easier to discuss its solutions. The site is the WordPress Support site.

I attempted to reproduce the problem in Opera, IE and Firefox. I am afraid I have no access to Safari, so I based it entirely on Alastair’s comment. I apologise for not going to original sources.

Results

Browser: Firefox 1.0.4
  Has Password Management? Yes
  Supports Multiple Passwords for Each Username? No – re-using a username will automatically override the existing stored password.
  Password Stored Per: Domain
  Credential Editability? Deletion + display of passwords in clear-text available.
  UI: Click (pre-selected) username field to choose username. Tools | Options | Saved Passwords | View Saved Passwords to display or delete.

Browser: Internet Explorer 6.0
  Has Password Management? Yes
  Supports Multiple Passwords for Each Username? No – re-using a username will prompt to override the existing stored password.
  Password Stored Per: URL
  Credential Editability? Deletion only.
  UI: Click (pre-selected) username field to choose username. Delete key to delete one. Tools | Internet Options… | Content | AutoComplete | Clear Passwords to delete all.

Browser: Opera 8.02
  Has Password Management? Yes
  Supports Multiple Passwords for Each Username? Yes
  Password Stored Per: URL or Domain – user-selectable
  Credential Editability? Deletion only? [No option to edit. I couldn’t get add (New) to work.]
  UI: CTRL+ENTER to choose username. Delete button to delete one. Tools | Advanced | Wand Passwords… to delete by site. No ability to delete all?

Browser: Safari
  Has Password Management? Yes
  Supports Multiple Passwords for Each Username? No
  Password Stored Per: Domain
  Credential Editability? ???
  UI: ???

Discussion

So there are some visible differences between the systems.

Notably Firefox and Internet Explorer take different approaches to the scope of the password. Firefox appears to offer the same username/password combination to any site on the same domain. Internet Explorer insists that it be the same URL. Opera offers the choice to the user. If you store it per domain, the dance is resolved! All of the login points for the domain will be equivalent. However, you need to trust the domain not to allow XSS hacks.
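The scope difference above is easiest to see in a toy model. The following is an added example, not code from the original post or from any of the browsers: it keys a saved credential either by full login URL (the Internet Explorer behaviour) or by host (the Firefox behaviour, and one of Opera’s two choices), and shows that only the per-domain key carries a credential from one login page to a second one on the same host, while also offering it on every other page of that host. The host and paths are constructed.

```python
from urllib.parse import urlsplit
from typing import Dict, Optional

# Added example, not from the post: a minimal model of a browser password
# store keyed per URL or per domain. Site and paths below are constructed.


def scope_key(url: str, scope: str) -> str:
    """Key a store would use for this page under the given scope."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if scope == "domain":
        return host
    if scope == "url":
        # Query string and fragment are ignored; a different path is a new key.
        return "{}://{}{}".format(parts.scheme, host, parts.path or "/")
    raise ValueError("unknown scope: " + scope)


class PasswordStore:
    """One password per (scope key, username), as in the results table."""

    def __init__(self, scope: str) -> None:
        self.scope = scope
        self._entries: Dict[str, Dict[str, str]] = {}

    def save(self, url: str, username: str, password: str) -> None:
        # Re-using a username under the same key overrides the old password.
        self._entries.setdefault(scope_key(url, self.scope), {})[username] = password

    def offer(self, url: str) -> Dict[str, str]:
        """Credentials the browser would offer to auto-fill on this page."""
        return dict(self._entries.get(scope_key(url, self.scope), {}))


# Constructed site: the first login page bounces you to a second login page
# on the same host, which is the situation behind the "dance".
FIRST_LOGIN = "https://support.example.net/login"
SECOND_LOGIN = "https://support.example.net/wp-login.php"
UNRELATED_PAGE = "https://support.example.net/forum/thread?id=42"


def dance_resolved(scope: str) -> bool:
    """True if a credential saved on the first login page is offered on the second."""
    store = PasswordStore(scope)
    store.save(FIRST_LOGIN, "alice", "s3cret")
    return "alice" in store.offer(SECOND_LOGIN)


def offered_on_unrelated_page(scope: str) -> bool:
    """Domain scope also auto-fills on any page of the host: the XSS trust caveat."""
    store = PasswordStore(scope)
    store.save(FIRST_LOGIN, "alice", "s3cret")
    return "alice" in store.offer(UNRELATED_PAGE)
```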

There was a difference in usability too. In my opinion, Opera was the worst – requiring an unguessable CTRL+ENTER combination – I couldn’t find a menu item equivalent. Internet Explorer and Firefox were not much better. Clicking on the username field twice is more guessable, but still no other means to get there!

Opera’s ability to store multiple passwords for a single username seemed a misfeature to me. I can’t imagine why anyone would want to have this feature, and it made selecting the correct credentials difficult – you had to select the correct item from two choices that are indistinguishable. Internet Explorer’s prompt to warn you that you were choosing to override the password makes the most sense to me, and it has saved me a few times.

Firefox’s ability to display passwords in cleartext appears to be a terrible security hole. Don’t let me play on your computer for even two minutes if you use Firefox – I’ll have your passwords for all your favourite sites and, if you are like much of the world, you use the same password for your PayPal and eTrade accounts too.

I have largely ignored Safari – I don’t have enough information to really judge it.

Conclusion

My hypothesis was wrong. When I looked at the browsers with more care, I noticed key differences in their functionality.

None of the browsers I looked at passed with flying colours.

Internet Explorer is the most likely to suffer from the original problem. It has reasonable usability and security. It does require you to learn a couple of tricks, but they are useful throughout Windows (e.g. Windows Explorer and Internet Explorer’s address bars, and also file-completion in the file-choosers).

Opera’s power is the greatest and its usability is the worst. If you stick to the default scope, it also lets you suffer the worst – typing in a correct password on the opening page doesn’t solve the problem.

Firefox probably gets the most points for usability, and discards them again with its security.

Each of these browsers is evolving. Maybe they will all improve over time.


Comments

  1. A couple of comments on Opera… there is no menu entry that I know of, but the little wand icon (or key icon, depending on version/skin?) to the left of the address bar does the same as CTRL-ENTER. It also ‘lights up’ (un-grays) when there is a password available. That said, I can’t figure out why there isn’t a default mouse gesture (one of the things I love about Opera) to do it.

    I do have some pages where I use the multiple passwords option. At least one server I use has two login options on the same pages (a secure (slow, https) and insecure (fast, http)); Opera stores both of them in the wand, and when I do CTRL-ENTER offers me both sets of credentials. Unfortunately, since it lists them by username (the same in both cases) I have to remember or guess which is which!

    One thing you don’t address – can you move your stored passwords from machine to machine? Opera – yes.

  2. Chris has already mentioned the toolbar Wand icon for Opera – I don’t have it on my toolbar, but I’m pretty sure it is there by default. As for Ctrl-Enter, it’s a shortcut that I find sensible and fast to use. It’s the “magic” version of hitting Enter! It is unguessable, true, but only because there’s no real precedent for the behaviour.

    In Opera 8.01 for Mac, I can access my Wand passwords by going to Tools > Advanced > Wand Passwords, where it displays them organised by domain. This reuses the cookie management interface, and shares some functionality. The only things that you can do to saved passwords is delete them; from a security perspective, this seems to be the safest?

    Passwords in both Safari and Opera migrate happily between versions (same PC, same location, etc). Safari stores its passwords using OS X’s Keychain, a centrally-managed password database: When the application is upgraded, it prompts you as to whether you would like the new version to have access to the old passwords.

    I have had a problem with one online banking system, which used in-page javascript to force you to enter your pin using a scrambled number pad. Opera still had the saved information, and would let you submit the form using the Wand, but it didn’t set some magic variable that said that you had used the number-pad to do so. No biggie, and not Opera-specific, but I was trying to think of something bad to say so that it didn’t sound like I was gushing…

  3. To expand on Casey’s comment: you can’t discuss Safari’s password management without discussing Keychain. Safari has UI for viewing the sites and usernames which have been remembered. You can also delete them individually or en masse.

    But these usernames/passwords are also visible in the Keychain Access application. You can use this to view/edit the passwords individually. This is also secured from casual prying by requiring the user to enter their password at appropriate times, encrypting the files on disk, etc.

    I’m at a loss to think how Safari could be improved in this area. I think they are making the right trade-off of security and usability here (barring implementation faults that is).

    As an aside, Camino (the Gecko-based Mac-only browser) also uses the Keychain to store usernames and passwords, so I expect it to work similarly, but I haven’t tested it.

  4. Not to turn this into some kind of Keychain gushing, but I think it’s a wonderful part of OS X. Other applications that keep passwords, such as the Fugu FTP client, and at least one of the VNC apps that I’ve used, also use Keychain. Looking through the passwords in Keychain Access, there’s even more! My instant messaging client, Adium, uses it too, as does the Wi-Fi tool for Apple, and Opera also. Comprehensive!

    If done right (and for some reason I trust Apple / Unixy thingos to do things “the right way” more than Microsoft), it means more security across many applications, with less developer cost. And Keychain does seem to have been done “right” (uninformed opinion only) – you can configure passwords to be shared between applications, or locked so that you need to enter your Keychain password in order for the application/internet password to be used.

  5. I’ll start with a correction: While writing this comment, I found that Firefox has the ability to set a “Master Password” to hide all your stored credentials. Every time you connect to a site, Firefox pops up the request for the master password before offering a list of credentials for filling in the web form automatically. Unfortunately, it is not the default behaviour. If you do set this, you can probably safely let me use your machine for two minutes – with careful supervision!

    From the sounds of it, Safari, Opera and Camino all benefit, when running on OS X, from the operating system support of Keychain. The open question I have is: Do Internet Explorer and Firefox, when running on OS X, also use it? Certainly, if they don’t work like Mac applications when running on a Mac, I will happily poo-poo them on general principles. When in Rome, look-and-feel like Romans do.

    Chris wrote:

    the little wand icon

    Oh, I see it now! That toolbar icon is a wand! I thought it was a pen. My guess would have been that clicking on it opened the HTML for editing.

    So, yes, there is a toolbar icon for Password Management in Opera. There’s another correction. I also should have mentioned the special border that is put around the username and password fields to highlight that the credentials are stored.

    That said, I still would prefer that all valid actions have some representation in the main menu structure, so I can find them eventually. Despite knowing exactly what operation I was after, I was unable to get it to happen in Opera until reading Casey’s comment on the earlier article. (In hindsight, it is interesting that I gave up prior to reading the on-line help.)

    Of course, between the advent of mouse gestures and the Imminent Death of the Main Menu Predicted, perhaps I am being old fashioned!

    At least one server I use has two login options on the same pages (a secure (slow, https) and insecure (fast, http))

    And the two authentication mechanisms at the same web page are against different user databases with the same username but different passwords? That is just weird! I don’t begrudge Internet Explorer and Firefox ignoring that scenario in return for a better usability in the typical case.

    can you move your stored passwords from machine to machine? Opera – yes.

    For the sounds of it – anything on OS X using Keychain, yes. Internet Explorer on Windows – yes, through the File And Settings Transfer Wizard, even if nothing else. Firefox on Windows – not sure – I couldn’t find anything in the menus, at least!

    Casey writes:

    there’s no real precedent for the behaviour.

    I would consider there has been many precedents – form-filling is a pretty old user-interface paradigm, and editable combo-boxes with a list of default usernames (overridable by simply typing) seem to be the exact same concept to me.

    In Opera 8.01 for Mac, I can access my Wand passwords by going to Tools > Advanced > Wand Passwords, where it displays them organised by domain. […] The only things that you can do to saved passwords is delete them; from a security perspective, this seems to be the safest?

    Yes, that is the way to see your password list, and, yes, I agree that is the safest. I was surprised that I couldn’t find a “Delete All” button. I was confused by the New button – and I couldn’t get the dialog box that pops up to do anything useful – not that I tried that hard.

  6. The open question I have is: Do Internet Explorer and Firefox, when running on OS X, also use it?

    No, neither of them do. IE has the excuse that it is old and crufty (the about box is dated 2001) and may well predate the Keychain, I’m not sure. Firefox has no such excuse but after all it’s limitations like this that resulted in Camino.

    Interestingly, Jon Udell unearthed the Windows XP equivalent of Keychain, called the Credentials Manager. Finding it wasn’t as easy as Udell describes, I had to go: Control Panel > Change An Account > (me) > Manage My Network Passwords (in the related tasks pane). There doesn’t seem to be another way to get there, but maybe I’m missing something.

    It seems to me that if you are going to criticise Firefox for not using Keychain you should also criticise IE for not using Credentials Manager. (Or perhaps Windows for providing such a half-arsed implementation?)

    Also: I think you’re being a bit generous for crediting Microsoft with providing stored password portability through the F&S Wizard. Extending this argument to its logical (?) conclusion, you could say that all browsers provide stored password portability through disk imaging software!

    Lastly, Firefox passwords are stored in the “signons.txt” file inside the profile directory, and can be moved from profile to profile (even from one OS to another, an argument against using the OS-native facilities for password management).

  7. As for FF passwords and the master password. I believe either FF or mozilla had the master password set as a default (it actually asked me one update to set it, and even had it so you couldn’t have a null master password). Secure or whatever, it was annoying. I think it was the very next release they allowed you to not have a master password. I don’t think it should be set by default, since you shouldn’t be saving passwords on a machine you don’t trust.

    Secondly, it was not the case until recently that you could display the passwords in plain text (either that or it was done in a weird way that I couldn’t do it, because I forgot a password and a site URL changed). Conclusion: Plain-text passwords = useful

    I move my entire profile between Windows and Linux (which was mostly for the bookmarks, but meh). I’ve even tarred it up at times and it saves everything, extensions, search-tools and all. I believe Galeon (gnome’s firefox) would use gnome’s keychain thingamabob. Incidentally, Sunbird uses the same password manager as FF.

  8. While I set out to defend the non-Opera browsers, I have been forced to eat my words. So here is my response, as promised.

    Firefox does not support OS X’s keychain. I poo-poo Firefox on the Mac on general principles.

    IE does not support OS X’s keychain. I poo-poo IE on the Mac on general principles. I understand it is because they haven’t made a release for a while, and I tut-tut the decision not to keep updating IE on the Mac to keep track with the OS improvements.

    But, I don’t stop there, with my harsh, no-holds-barred criticism. I wag my finger and shake my head, at the Windows development team that hasn’t yet provided a general purpose Keychain-like solution – especially one that meets the needs of being portable across machines, as Alastair points out.

    Alastair also writes:

    I think you’re being a bit generous for crediting Microsoft with providing stored password portability through the F&S Wizard.

    The F&S Wizard offers the ability to (only) backup the IE security settings, which I assume (without testing) will copy these details. I concede that it is clumsy to use. I thought that there might also be a secret file somewhere like Firefox’s signons.txt – I haven’t found such a file to date, but my track record of reading the manual leaves something to be desired.

  9. Serious Mac Keychain shortcoming:

    Passwords are stored by domain. So, for Google, where I have adsense, adwords, and gmail accounts, the Mac totally screws up which password goes where. I have to choose one to store (the one I use most often) and hand-type in the others. Because this problem is based upon the keychain, this problem exists in OmniWeb (my preferred browser), Safari, and Camino. There is definitely still room for improvement.

    The idea that there could only ever be one password per domain is… just shortsighted.

  10. Wand Passwords… to delete by site. No ability to delete all?

    Try:
    Delete private data-> advanced -> mark only “clear all wand passwords” -> press Delete

    … all “private data” clear-management in one single place … can it be any simpler than that?

  11. Niktu,

    Thanks for pointing that out. So there is a place to delete all passwords in Opera (under the Tools menu).

    can it be any simpler than that?

    Errr… Yes. It could also appear under the Password Management dialog that appears under Tools | Preferences | Wand Passwords and also under Tools | Delete Private Data... | Advanced >> | Manage Wand passwords...

  12. IE has no excuse for not supporting the Mac OS Keychain. Keychain was introduced with OS 8.6 in May of 1999. IE 4.5 for the Mac introduced form filling in January of 1999 (so of course, it couldn’t have Keychain support, but they had the concept working). The next release, IE 5 for Mac was introduced in January 2000. They simply chose not to use Keychain when they could have. Firefox has Keychain support slated for version 3.0 see http://wiki.mozilla.org/Firefox:3.0_Password_Manager

Web Mentions

  1. OddThinking » Happy Second Anniversary, OddThinking!