From: Ivan Magerle
Subject: Found a wand password showing bookmarklet
Date: Sat, 15 Jan 2005 08:52:01 +0000 (UTC)

Is the wand really safe?

1. open the site
2. use Wand
3. hit "Stop" before the page can start loading
4. enter this bookmarklet in addressbar (remove space in "java script"):

java script:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) alert("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})();

or it must be this way?
-- magi at dropbike.com

From: FV
Subject: Re: Found a wand password showing bookmarklet
Date: Sat, 15 Jan 2005 11:38:03 +0100

Ivan Magerle wrote:
> Is the wand really safe?
>
> 1. open the site
> 2. use Wand
> 3. hit "Stop" before the page can start loading
> 4. enter this bookmarklet in addressbar:
> <>

This technique has been discussed before. The answer is: no, the wand isn't entirely safe. In fact, if you know how to bypass it, it isn't safer than a plain text file with all your usernames and passwords in it. It's just a bit easier to use.
From previous discussions, I don't get the feeling this is regarded a security issue Opera intends to solve. Although a warning when first using the wand would be in order.
This isn't at all a beta issue, by the way.
-- Fabian

From: Steven V. Gunhouse
Subject: Re: Found a wand password showing bookmarklet
Date: Sat, 15 Jan 2005 13:39:36 GMT

On Sat, 15 Jan 2005 11:38:03 +0100, FV wrote:
> Ivan Magerle wrote:
>
>> Is the wand really safe?
>>
>> 1. open the site
>> 2. use Wand
>> 3. hit "Stop" before the page can start loading
>> 4. enter this bookmarklet in addressbar:
>> <>
>
> This technique has been discussed before. The answer is: no, the wand
> isn't entirely safe. In fact, if you know how to bypass it, it isn't
> safer than a plain text file with all your usernames and passwords in
> it. It's just a bit easier to use.
>
> From previous discussions, I don't get the feeling this is regarded a
> security issue Opera intends to solve. Although a warning when first
> using the wand would be in order.
>
> This isn't at all a beta issue, by the way.
>

In that sense, Opera wasn't really in favor of Wand to begin with. There is no way to securely store passwords. But the public demanded it ...
-- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/

From: extrapolator
Subject: Re: Found a wand password showing bookmarklet
Date: Sat, 15 Jan 2005 11:49:16 -0500

On Sat, 15 Jan 2005 13:39:36 GMT, Steven V. Gunhouse wrote:
> On Sat, 15 Jan 2005 11:38:03 +0100, FV wrote:
>
>> Ivan Magerle wrote:
>>
>>> Is the wand really safe?
>>>
>>> 1. open the site
>>> 2. use Wand
>>> 3. hit "Stop" before the page can start loading
>>> 4. enter this bookmarklet in addressbar:
>>> <>
>>
>> This technique has been discussed before. The answer is: no, the wand
>> isn't entirely safe. In fact, if you know how to bypass it, it isn't
>> safer than a plain text file with all your usernames and passwords in
>> it. It's just a bit easier to use.
>>
>> From previous discussions, I don't get the feeling this is regarded a
>> security issue Opera intends to solve. Although a warning when first
>> using the wand would be in order.
>>
>> This isn't at all a beta issue, by the way.
>>
>
> In that sense, Opera wasn't really in favor of Wand to begin with. There
> is no way to securely store passwords. But the public demanded it ...
>

Password security begins with the user.
No software can protect a user if he or she leaves the system open to other users while in the process of using a password protected site.

-- http://www.xenodochy.org/ralph.html Using the Opera Mail 8:00 build 7401 email client under W2K Prof

From: FV
Subject: Re: Found a wand password showing bookmarklet
Date: Sun, 16 Jan 2005 17:08:02 +0100

extrapolator wrote:
> Password security begins with the user.
> No software can protect a user if he or she leaves the system open to
> other users while in the process of using a password protected site.

I think this is not an accurate description of the problem. The problem is not so much that someone leaves his computer while logged in, but the fact that anyone can use someone else's computer, start Opera and read out passwords. Only a master password may help here.
I don't think having passwords stored encrypted on hard disk is the main problem, rather the fairly easy retrieval procedure. Wouldn't it be possible to make the Wand work without actually filling the password fields, only sending a direct request to the server?
-- Fabian

From: Paul McGarry
Subject: Re: Found a wand password showing bookmarklet
Date: Mon, 17 Jan 2005 08:37:40 +1100

On Sun, 16 Jan 2005 17:08:02 +0100, FV wrote:
> I don't think having passwords stored encrypted on hard disk is the main
> problem, rather the fairly easy retrieval procedure. Wouldn't it be
> possible to make the Wand work without actually filling the password
> fields, only sending a direct request to the server?

That's not a bad idea, but could possibly fail in cases where a page does some javascript on the form submit.
Paul

-- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/

From: exclipy
Subject: Re: Found a wand password showing bookmarklet
Date: Mon, 17 Jan 2005 13:16:55 +1000

>> I don't think having passwords stored encrypted on hard disk is the
>> main problem, rather the fairly easy retrieval procedure. Wouldn't it
>> be possible to make the Wand work without actually filling the password
>> fields, only sending a direct request to the server?
>
> That's not a bad idea, but could possibly fail in cases where a page
> does some javascript on the form submit.

And that's why it doesn't work that way, according to Rijk (or Someone).
-- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
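
[Added example, not part of the thread and not Opera's code: a constructed JavaScript model of the trade-off discussed in the three posts above. Filling the form leaves the password readable by any page script, while a direct request avoids that but skips the page's own submit handler. The form object, the `fnv1a` stand-in digest and all function names are hypothetical.]

```javascript
// Constructed model, no real DOM: a login form whose page script rewrites
// the password in its submit handler before the request leaves the browser.

// Stand-in for a client-side digest (FNV-1a, illustration only, not for real use).
function fnv1a(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h = Math.imul(h ^ s.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16);
}

function makeForm() {
  return {
    action: '/login',
    fields: { user: '', password: '' },
    onsubmit() { this.fields.password = fnv1a(this.fields.password); },
    submit() {
      this.onsubmit();
      return { url: this.action, body: { ...this.fields } };
    },
  };
}

// What any script in the page, a bookmarklet included, can read at this moment.
const readableByPageScript = (form) => form.fields.password;

// Strategy A (fields are filled, as the thread describes): fill, then submit.
function fillAndSubmit(form, cred) {
  Object.assign(form.fields, cred);
  return { exposed: readableByPageScript(form), request: form.submit() };
}

// Strategy B (FV's proposal): leave the fields empty, send the request directly.
function directRequest(form, cred) {
  return {
    exposed: readableByPageScript(form),
    request: { url: form.action, body: { ...cred } },
  };
}

function compare(cred) {
  const a = fillAndSubmit(makeForm(), cred);
  const b = directRequest(makeForm(), cred);
  return {
    fillExposesPassword: a.exposed === cred.password,
    directExposesPassword: b.exposed === cred.password,
    serverSeesSameBody: a.request.body.password === b.request.body.password,
  };
}
```

With a constructed credential, `compare` reports that only strategy A exposes the password to page script, and that the two strategies send different request bodies, which is the failure Paul McGarry describes.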

From: extrapolator
Subject: Re: Found a wand password showing bookmarklet
Date: Sun, 16 Jan 2005 11:58:52 -0500

On Sun, 16 Jan 2005 17:08:02 +0100, FV wrote:
> extrapolator wrote:
>
>> Password security begins with the user.
>> No software can protect a user if he or she leaves the system open to
>> other users while in the process of using a password protected site.
>
> I think this is not an accurate description of the problem. The problem
> is not so much that someone leaves his computer while logged in, but the
> fact that anyone can use someone else's computer, start Opera and read
> out passwords. Only a master password may help here.
>

On Windows 2000, nobody can get into my system without my screen saver password, unless I leave my system unattended before the screen saver kicks in. I believe XP works this way too.

In the above case, it's the user's fault for leaving the system un-protected, and software cannot prevent this from happening. Although scifi buffs can think of possibilities. :-)
Can another user log in and get my passwords by starting Opera from their login when Opera is set up properly for multiple users on a Windows NT based system with proper security setups? If so, the problem is not with Opera, but with the OS.

>
> I don't think having passwords stored encrypted on hard disk is the main
> problem, rather the fairly easy retrieval procedure. Wouldn't it be
> possible to make the Wand work without actually filling the password
> fields, only sending a direct request to the server?
>

The authorized user should have access to manage his or her own passwords in plain text unencrypted view. It is the responsibility of the user to ensure no unauthorized person has access to his or her system period, let alone while using or managing passwords. This includes making sure no one is looking over his or her shoulder. I worked in information and physical security for a number of years, and I think there is altogether too much effort going on to protect the user from himself. The key to successful security is education, awareness, and discipline on the part of the users.
Know what the risks are. Keep alert. Don't skip the proper procedures. (and, in an organization context, report suspicious activity immediately.)
In view of this, the wand is a device to make it easier for the authorized users to log into sites that require passwords. An unauthorized user should never have been allowed to get to the system with the particular user's copy of Opera running, in the first place. The assumption that the password should be "doubly protected" at this point is a case of closing the barn door after the horse has gotten out. Proper security procedures would not allow the unauthorized user to run another user's copy of Opera.

Now, if Opera can be run in such a way as to allow one user to access another user's data files, that is a problem (with the operating system) to be dealt with, but it's not going to be fixed by "doubly protecting" the password field from within Opera.
-- http://www.xenodochy.org/ralph.html Using the Opera Mail 8:00 build 7401 email client under W2K Prof

From: Wanja Gayk
Subject: Re: Found a wand password showing bookmarklet
Date: Sun, 16 Jan 2005 02:51:22 +0100

extrapolator said...
> Password security begins with the user.
> No software can protect a user if he or she leaves the system open to
> other users while in the process of using a password protected site.

For this reason mankind invented the automatic expiration of authentications/sessions.
Greets, -Wanja-
-- "Certain authors, speaking of their works, always say: 'My book, my commentary, my history'. [..] They would do better to say: 'our book, our commentary, our history'; considering that the good in it is more other people's than their own." [Blaise Pascal]

From: axel.friedrich_smail at gmx.de
Subject: Re: Found a wand password showing bookmarklet
Date: 18 Jan 2005 12:01:10 -0800

> > 1. open the site
> > 2. use Wand
> > 3. hit "Stop" before the page can start loading
> > 4. enter this bookmarklet in addressbar:
> > <>
>
> This technique has been discussed before. The answer is: no, the wand
> isn't entirely safe. In fact, if you know how to bypass it, it isn't safer
> than a plain text file with all your usernames and passwords in it.
.. ..

Is it safe when I use a "good" master password for wand (and mail)?

From: FV
Subject: Re: Found a wand password showing bookmarklet
Date: Sat, 22 Jan 2005 13:21:39 +0100

wrote on 18 Jan 2005 12:01:10 -0800:
>> This technique has been discussed before. The answer is: no, the wand
>> isn't entirely safe. In fact, if you know how to bypass it, it isn't
>> safer than a plain text file with all your usernames and passwords in it.
> .
> Is it safe when I use a "good" master password for wand (and mail)?
>

I suppose so, if that prevents people from booting your PC, opening the browser and start visiting your private sites. I don't suppose one can easily crack the file where the wand passwords are stored? Of course, a password on your operating system and always locking it when leaving also should be enough.
(It's about time this non-functional 'active threads' thing in the mail panel starts working... I didn't notice your reply earlier because of it.)
-- Fabian

From: Axel Friedrich
Subject: Re: Found a wand password showing bookmarklet
Date: Sun, 23 Jan 2005 18:00:49 +0000 (UTC)

> I suppose so, if that prevents people from booting your PC,
> opening the browser and start visiting your private sites. I
> don't suppose one can easily crack the file where the wand
> passwords are stored? Of course, a password on your operating
> system and always locking it when leaving also should be
> enough.

Thank you very much for answering.

I have _no_ password that prevents people from booting my PC (at home), but I have set Opera preferences, "Security", "Ask for password" to "use as master password for e-mail and Wand" and I have chosen a "good" master password. Is it then possible to get the passwords which are stored in wand? For example by means of the before-mentioned bookmarklet? When using this master password, is there a way to bypass wand so that "it isn't safer than a plain text file with all your usernames and passwords in it"? (Assuming that brute force takes too long for that master password.)

Axel
--
Version 7.54u1 Build 3918 System Windows 98SE
axel friedrich_smail gmx de

From: Richard Grevers
Subject: Re: Found a wand password showing bookmarklet
Date: Sun, 16 Jan 2005 08:02:09 +1300

On Sat, 15 Jan 2005 08:52:01 +0000 (UTC), Ivan Magerle wrote:
> Is the wand really safe?
>
> 1. open the site
> 2. use Wand
> 3. hit "Stop" before the page can start loading

No different from any other browser* - you should only let your computer remember trivial passwords.

*Actually, Opera is a little safer than Mozilla, which inserts the password but doesn't launch the link, so you don't need to be lightning fast to hit "stop".

Anyway, please have the decency to cancel or supersede your original post without the bookmarklet code - this issue was discussed previously without anyone revealing the actual technique.

-- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

From: Ivan Magerle
Subject: Re: Found a wand password showing bookmarklet
Date: Sun, 16 Jan 2005 10:08:23 +0000 (UTC)

Richard Grevers wrote:
> Anyway, please have the decency to cancel or supersede your original post
> without the bookmarklet code - this issue was discussed previously without
> anyone revealing the actual technique.

Ok, my apologies.

-- magi at dropbike.com