via Mastodon

@zackeryfretty

Unmasking saved passwords in any browser. (AKA Seriously, use @1Password already)

Another good title is "Why you shouldn't be an idiot and save your passwords in any browser pretty much....ever?" For years browsers have offered the option to "Remember your password" and it's a horrible idea. These days you are even given the option to sync your password across multiple devices with Google Chrome and Firefox. As far as I am concerned this is even less secure! Someone with minimal HTML knowledge who has even just a little clue how forms work on web pages can easily gain access to your password if you've saved it in a browser--and this is how!

The first thing you need to do is load any website that has a saved password. Since I don't have any, I'll just make up some fake information for Gmail.com. As you know, when a password is saved it'll automatically pop up in the username/password field on the website to indicate that the login is saved, like so:

Now be ready to be amazed at how crazy easy this is going to be. The first thing you'll want to do is right click on the Password area and select Inspect Element (or something similar, depending on the browser) like so:

Once you click Inspect Element you'll see the DOM pop up on the bottom of your browser window like so:

Once the DOM is loaded up, take a look at the HTML for the page form. If you did Right Click > Inspect Element right on the password field like I told you to above, you should automatically be really close to the password input tag by default. It'll vary slightly from website to website, but it will generally read something like the following highlighted line of HTML:

You'll know it's the right one because it'll have an attribute that reads type="password". Once you find the type="password" area, double click on it and change where it says password to say text, like so:

When you've done that, hit enter and take a look back at the password field on the webpage. You'll see that the ************'s are now gone and the password is fully shown in plain text!

aaaaand that's it! You can use that method in Chrome, Firefox, Safari, whatever. As long as the browser has a DOM you can edit the loaded HTML to display the password like this. If it doesn't have a DOM available you can just install Firebug and get the job done that way as well.
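Seen from the site developer's side, the edit described above is a change to the `type` attribute of an input element, and a page can watch for exactly that. The following is an added example, not part of the original post: `guardPasswordField` is a hypothetical helper name, and the observer constructor is passed as a parameter only so the logic can be exercised outside a browser.

```javascript
// Added example: clear a password field as soon as its "type" attribute
// stops being "password", then restore the masking.
// guardPasswordField is a hypothetical name, not a browser or library API.
function guardPasswordField(input, Observer = globalThis.MutationObserver) {
  const observer = new Observer((mutations) => {
    for (const m of mutations) {
      // Only react to changes of the type attribute itself.
      if (m.type !== 'attributes' || m.attributeName !== 'type') continue;

      // A removed attribute returns null, which also counts as "not password".
      const current = (input.getAttribute('type') || '').toLowerCase();
      if (current !== 'password') {
        input.value = '';                        // drop the autofilled secret
        input.setAttribute('type', 'password');  // put the masking back
      }
    }
  });

  // attributeFilter keeps the observer quiet for unrelated attribute changes.
  observer.observe(input, { attributes: true, attributeFilter: ['type'] });
  return observer;
}

// In a browser, guard every password field present when the script runs.
if (typeof document !== 'undefined') {
  document
    .querySelectorAll('input[type="password"]')
    .forEach((el) => guardPasswordField(el));
}
```

This only covers the specific attribute edit walked through above; the credential is still stored in the browser profile, so the advice about where to keep passwords stands.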

So the moral of the story is basically: don't save your passwords in your browser. It doesn't matter if it's Internet Explorer or Google Chrome. It's a massively horrible idea. If you want to save your passwords and be secure about it, get 1Password. I'm starting to think that 1Password + 2 Step Authentication is the only safe way to be online these days!

———