Password storage by browser

February 16, 2016 at 23:07:13
Specs: Linux
In various browsers on various platforms, I see options to
save or not save passwords, or to delete saved passwords.
My impression is that these passwords are not those stored
in cookies, like the password which logs me in here. What
passwords are they?

-- Jeff, in Minneapolis



#1
February 17, 2016 at 01:35:40
How passwords are stored in various browsers: http://www.threattracksecurity.com/...

After you have logged into a site, the fact that you are logged in is stored in a cookie.

This can be tested/proven by, after having logged in to a site, deleting all cookies, either with the browser or with CCleaner, then updating the web page. You should no longer be logged in.

Nigel

Wind slow



#2
February 17, 2016 at 01:42:51
In general, cookies do not store passwords. They store the fact that you have been authenticated on a site. So they are a form of token; you are given a token in exchange for certain information (your username and password) and this token is stored as a cookie. But the token, and hence the cookie, has no knowledge of what your password is - just the fact that you knew it.

When browsers store passwords they are storing the password itself, rather than just a token, and so can institute the authentication process. This is obviously less secure than the token, particularly if you use the password on more than one site. In that case the tokens only give you access to a single site each, whereas the password grants access to all of them.



#3
February 17, 2016 at 08:56:51
I seem to recall that way back passwords were stored in cookies (W95 era maybe) but not any more.

Always pop back and let us know the outcome - thanks



#4
February 17, 2016 at 10:36:10
ijack,

It sounds like the token EITHER:

- Tells the browser to retrieve the password from another file,

OR

- Acts as a password, substituting for the password I input.

I asked what these password storage and clearing options refer
to because I have never seen any password storage on any of my
computers other than in cookies, to access sites like this forum.
Maybe the reason for that is that I've always had password storage
turned off. But I am able to log on here, with "Remember me"
selected, then go away and come back weeks later, and I get
logged in automatically, without having to re-input the password.
So either that password is stored somewhere on my computer,
and sent when I connect to the forum, or the token in the cookie
acts as a password, and *IS* a password, substituting for and
making unnecessary the password I input.

-- Jeff, in Minneapolis

message edited by Jeff Root



#5
February 17, 2016 at 11:59:14
These may be of interest:

http://tinyurl.com/h2o6x9r

http://forums.devnetwork.net/viewto...

From which you will see that if you delete cookies (or at least one associated with a site where you let it "remember me") then you will have to supply login/password details again. As long as the associated cookie is on your computer... the "remember me" aspect persists for that website...


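The token exchange described in reply #2 and the "remember me" cookie behaviour in reply #5, as an added example that is not part of the original thread. The toy `Site` class, the user `alice` and the password are all constructed for illustration; the code shows a login returning a random token that is unrelated to the password, is accepted by one site only, and stops working once the cookie is deleted.

```python
import hashlib
import hmac
import secrets

class Site:
    """Constructed toy website: checks the password once, then trusts a cookie token."""
    def __init__(self, name):
        self.name = name
        self.users = {}     # username -> (salt, password hash); the site keeps no plain password
        self.sessions = {}  # sha256(token) -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        """Exchange username + password for a random token (the cookie value)."""
        salt, stored = self.users.get(user, (b"", b""))
        if not stored or not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)  # random, not derived from the password
        self.sessions[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def whoami(self, cookie):
        """Later visits send only the cookie; the password is not involved."""
        if cookie is None:
            return None
        return self.sessions.get(hashlib.sha256(cookie.encode()).hexdigest())

def demo():
    password = "constructed-sample-password"  # made-up value, reused on both sites
    forum, shop = Site("forum"), Site("shop")
    for site in (forum, shop):
        site.register("alice", password)
    cookie_jar = {"forum": forum.login("alice", password)}  # "Remember me" keeps this cookie
    results = {
        "remembered": forum.whoami(cookie_jar.get("forum")),
        "token_on_other_site": shop.whoami(cookie_jar.get("forum")),
        "password_on_other_site": shop.login("alice", password) is not None,
        "password_in_cookie": password in cookie_jar["forum"],
    }
    cookie_jar.clear()  # the browser's "delete all cookies"
    results["after_delete"] = forum.whoami(cookie_jar.get("forum"))
    return results

if __name__ == "__main__":
    print(demo())
```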

#6
February 17, 2016 at 20:48:55
"Credential Manager" on your Windows PC can also store website passwords.


#7
February 18, 2016 at 21:15:30
I'm more confused than ever.

Do you think that my impression (expressed in the OP) is correct?
The passwords affected by the options to save or not save, or to
delete, are something other than whatever is saved in the cookies
which allow me to log in again to various sites days, weeks, or even
months after inputting my username and password? If so, which
passwords are they?

-- Jeff, in Minneapolis



#8
February 19, 2016 at 05:59:05
As I understand it - based on the info. I posted in my earlier response - when one invokes "remember me" for a given website, the cookie associated with that site is modified; presumably data is returned to the website to retain/extend your login beyond the date you logged in; and the cookie which you have received initially is the reference/check the website uses to confirm you are already logged in (they have your details - as remember me) next time you go to the website.

Delete the cookie and the website loses its stored reference on your computer. Thus you are not able to send the cookie presence confirmation on/from your computer back to the website - even though it (the website) has a "note" as it were that you were previously logged in and did set the "remember me" option.

Local logins for users and apps/utilities are stored within the SAM data base for the OS - on the hard drive.

To compound confusions even further, there are also "session cookies" which are used by sites for train companies, airlines etc.; and these "die" only when you reboot the system. The actual website cookie will not die at that time and will persist - until you manually delete it. That deletion usually being via clear History/Cookies option in the browser, or by a util such as CCleaner. Session cookies can restrict your options at times on such websites; and the only way to avoid being thrown into an endless (and sometimes restrictive) loop is to manually locate and delete the cookie; or possibly better - reboot.



#9
February 19, 2016 at 08:32:51
Another possible confusion factor is DOM storage.

Always pop back and let us know the outcome - thanks



#10
February 19, 2016 at 10:45:43
What I'm trying to find out is what passwords are affected by the
options in the browser settings to save or not save passwords or
to delete saved passwords. Using various browsers on several
platforms, including Windows and (at the moment) Android 4.4.2,
I have never seen any indication of any password being affected
by these options. But that may be because I have never tried to
save any passwords.

-- Jeff, in Minneapolis



#11
February 19, 2016 at 12:56:04
Browsers only deal with passwords on the web... Hence the clearing of the "remember me" setting whenever you deal with the cookie associated with the website where you have used that option.

Passwords for OS and installed apps/utilities etc. are stored in the SAM data base of the OS (as per members of NT family); and that is accessed (checked) when you seek to login using your profile log/password. Once the login process has found "your" login/password details to allow you login to the OS, it then loads a (your personal) set of allowed privileges; and thus loads your profile, and you engage/use "your" profile settings various... Any passwords set by you for apps/utilities etc. will be available as a consequence, thus allow you to login (automatically) to whichever app/utility when you open that app/utility.

Cumbersome though it might be - and I wouldn't bother going there personally - one logically could configure a computer to require a user to provide a login/password for a given app/utility each time the logged in user wished to use said app/utility - once they are logged into the desktop. On some corporate networked system this may actually be done; as a means of restricting (in a rather questionable and awkward way) access to whatever; when it might better be done via the networked user's profile settings (on the server).

Way back when I was still in the broadcast biz... (we used to regard it as profession - but nowadays...?) I used to have access at a local level of all users' machines in my area; but I had to log out the actual computer in question, and use a specific login/password to allow me to access many settings not otherwise available... I could not do it using the user's details, nor my own... There was a local admin level login - which I used and which did not allow access above the local area; thus I couldn't affect higher levels of the system (which was a wise practice and policy...). We had a proper IT department to deal with anything above local level; and also local level too. My access was a locally granted privilege to use as/when there was no IT staffer available and the problem needed to be resolved there and then. I wasn't actually part of the IT dept...

Browsers as such (at least in my limited experience...) do not normally have a password associated with them. But... the actual profile for your personal login will have settings that are configured to allow you to use a given browser (or browsers) by default. In Windows OS etc. and in most domestic situations all browsers are available by default - when the OS is first installed; and this applies for its associated browser when the OS is installed and configured. If/when you install any other browser(s) you "may" be able to allow it for only "you" or all users... (user profile/permissions etc. - a user's profile can be tweaked/set to allow or disallow the use of a given utility, app etc. - including a browser via an Admin login). Control of browsers etc. is done frequently in corporate (domain type) networked systems for a variety of reasons (security especially). Such "control" can permit local in-house browsing - but nothing on-line... This applies to any networked Windows and Mac/Linux/Unix systems; and in a typical domestic p-2-p network it's no different. An Admin login can set what a non-Admin user/login can and cannot do...

On Smart phones - you're on a network...; be it via Android or whatever system. Your phone is configured when you set it up with "your" personal profile - when you first get the phone - to allow you to use the network via "your" personal profile (as set by the network's admin and policies); and by default the associated browser for the phone's OS is configured for use - no restrictions and no further password required. I'm surmising that if you had access to the phone network's servers and their SAM or equivalent data base, you might find the whole list of what you're able (allowed) to use when the phone is logged in to that network - using (in this case) "your" profile (account details). Much as one would with any standard Windows, Mac, Linux, Unix system of networking.

message edited by trvlr



#12
February 19, 2016 at 15:50:02
Yow! I guess the bottom line is that the settings aren't relevant to
any computer setup I ever had.

-- Jeff, in Minneapolis



#13
February 22, 2016 at 09:22:51
Firefox, for example, saves the info in a master password file on your hard drive that is encrypted. It would be recommended to set a master password if you choose to do that.

Internet Explorer saves them here
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
for many of their versions (note: again encrypted).

Note that saved passwords are only as safe as their encryption and with enough time most of these can be bypassed.

::mike

message edited by mikelinus

