Skip to main content
Information Security

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

6
  • I agree with most of this, but I'm not entirely sure how a master password can lead to a false sense of security. If the stored passwords are encrypted with the master and the user dutifully closes the browser window when leaving the computer, what's vulnerable here? Commented Oct 27, 2013 at 6:12
  • @Manishearth The user would have to close the browser process. Neither article mentions this important requirement, and who ever closes their browser anyway? And if you're worried about offline forensics and not just somebody accessing your session (for which screen locking will do nicely), then you need to be sure that the password will be wiped from memory and swap, which closing the browser doesn't do. Commented Oct 28, 2013 at 0:06
  • You are advocating placing a lot of trust in the operating system. What if you reinstall Windows for some reason (but have backups, or don't reformat)? I dare say you won't be able to recover your old passwords from Chrome, but Firefox will be no problem. (for another example of unwarranted reliance on Windows, many websites refuse to load in Chrome on XP these days (google ERR_SSL_VERSION_OR_CIPHER_MISMATCH) because it uses Windows crypto libraries for HTTPS, whereas Firefox works just fine) Commented Apr 15, 2016 at 11:02
  • @HughAllen If you reinstall your OS, you'd better have saved your data, including of course saved passwords. This is unrelated to your choice of browsers. Commented Apr 15, 2016 at 11:29
  • I think Chrome uses CryptProtectData(). MS: "...only a user with logon credentials that match those of the user who encrypted the data can decrypt the data. In addition, decryption usually can only be done on the computer where the data was encrypted..." It's like when you reinstall Windows & can't access old files without "taking ownership". Would you want to read MSDN & the following link just to figure out whether you'll lose your data (& might get it wrong anyway): blogs.technet.microsoft.com/markrussinovich/2009/11/03/… Commented Apr 16, 2016 at 6:39