Tuesday, December 16, 2008

Firm tests browser password privacy

The next time Internet Explorer asks you if it should remember a password for you, think twice about your answer if you value the security of your data.

The Register reports on a suite of tests that has been carried out against a range of popular web browsers by security firm Chapin Information Services in order to test their adherence to good password security practice. The news, I'm sad to say, isn't particularly good.

The suite of twenty-one tests resulted in not a single pass from any of the browsers tested, with the joint winners being Opera 9.62 and Firefox 3.0.4 with a distinctly underwhelming 33 percent score.

The worst performers for password security were Google's freshly-released Chrome browser and Apple's Safari for Windows 3.2, both of which managed a mere 9 percent on the tests.

Three flaws in Chrome which have remained unaddressed since the first beta was launched are singled out by the company for special attention: a failure to check where exactly password requests are coming from; a further failure to validate where the password information is being submitted to; and, poorest of all, the ability of invisible form elements within web pages to trigger password management functions with no user interaction whatsoever. Company founder Richard Chapin said that the three issues, along with seventeen others the company has spotted within the password management system, "form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity."
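The three failures above are all policy decisions a password manager makes before it hands a saved password to a form. The following is an added illustration, not code from the article or from Chapin's test suite, of what those checks look like from the defender's side: the document requesting the fill must match the origin the credential was saved for, the form's action must resolve to that same origin (which also catches an https-to-http downgrade), the password field must actually be rendered, and nothing is filled without a user gesture. Forms and fields are constructed plain objects standing in for DOM nodes, so it runs offline under Node; the field names (`documentUrl`, `displayNone`, `userInteracted`) are assumptions of this example, not any browser's API.

```javascript
// Added example (not from the original post or from Chapin's tests):
// origin and visibility checks a browser password manager should apply
// before autofilling a stored credential. Forms/fields are constructed
// objects, not real DOM nodes.

function originOf(url, base) {
  // scheme://host[:port] of the URL, or null if it does not parse.
  try {
    return new URL(url, base).origin;
  } catch (e) {
    return null;
  }
}

function submitOrigin(form) {
  // An empty or missing action submits back to the form's own document.
  const action = (form.action || "").trim();
  return originOf(action === "" ? form.documentUrl : action, form.documentUrl);
}

function isRendered(field) {
  // A field the user cannot see must not count as a login prompt.
  return field.type !== "hidden" &&
    !field.displayNone &&
    field.width > 0 && field.height > 0 &&
    field.opacity > 0;
}

// credential: { origin, username, password } as saved by the manager.
// form: { documentUrl, action, fields: [{ type, width, height, opacity, displayNone }] }
// userInteracted: whether the user focused/clicked the login field (assumed flag).
function autofillDecision(credential, form, userInteracted) {
  const reasons = [];

  // 1. Where is the request coming from? The document holding the form
  //    must be the origin the credential was saved for.
  if (originOf(form.documentUrl) !== credential.origin) {
    reasons.push("request-origin-mismatch");
  }

  // 2. Where would the password be submitted to? The resolved form action
  //    must land on that same origin (scheme included, so no downgrade).
  if (submitOrigin(form) !== credential.origin) {
    reasons.push("submit-origin-mismatch");
  }

  // 3a. There must be a password field the user can actually see.
  const passwordFields = form.fields.filter((f) => f.type === "password");
  if (!passwordFields.some(isRendered)) {
    reasons.push("no-visible-password-field");
  }

  // 3b. Never fill silently; require a user gesture on the form.
  if (!userInteracted) {
    reasons.push("no-user-interaction");
  }

  return { fill: reasons.length === 0, reasons };
}

// Constructed sample data (hypothetical hosts).
const saved = { origin: "https://bank.example", username: "alice", password: "example-only" };
const visiblePw = { type: "password", width: 200, height: 24, opacity: 1, displayNone: false };
const hiddenPw = { type: "password", width: 0, height: 0, opacity: 0, displayNone: true };

const legitForm = { documentUrl: "https://bank.example/login", action: "/session", fields: [visiblePw] };
const wrongTargetForm = { documentUrl: "https://bank.example/login", action: "https://other.example/collect", fields: [visiblePw] };
const wrongSourceForm = { documentUrl: "https://other.example/frame.html", action: "https://bank.example/session", fields: [visiblePw] };
const hiddenForm = { documentUrl: "https://bank.example/", action: "", fields: [hiddenPw] };
const downgradeForm = { documentUrl: "http://bank.example/login", action: "/session", fields: [visiblePw] };

for (const [name, form, clicked] of [
  ["legit", legitForm, true],
  ["wrongTarget", wrongTargetForm, true],
  ["wrongSource", wrongSourceForm, true],
  ["hidden", hiddenForm, false],
  ["downgrade", downgradeForm, true],
]) {
  console.log(name, JSON.stringify(autofillDecision(saved, form, clicked)));
}
```

Only the first form is filled; each of the others is refused with the reason that corresponds to one of the three flaws described above. Comparing full origins rather than hostnames is what makes the downgrade case fail both checks at once.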

The full results of the tests can be found on the company's website, along with a brief description of each of the twenty-one test criteria.

Have the results of the company's testing convinced you to wipe your stored passwords, or is Chapin simply trying to drum up business with some old-fashioned scare tactics? Share your thoughts over in the forums.
