On Password Prompts

Feb 27 2007

I’m no expert in security, but the master password dialog in Firefox is asking for trouble. Tons of websites require you to create an account, and the password manager helps you cope with that. If you use Firefox you are likely to be a person with ADD, err, to use tabs to browse multiple sites at the same time. A plain prompt dialog raised by any page’s JavaScript looks exactly the same as the master password prompt. I sense a huge potential for phishing.

It did happen to me. A friend was wondering why I’d sent him a password-looking message over the last.fm messaging service. Typing that password took less time than figuring out that I was making a fool of myself (last.fm does need you to authorize before it sends the recommendation message, and I really had a Homer’s D’OH moment).

A bug on this appears to have been filed back in 2001.

There is an interesting and very scary presentation on phishing techniques I was pointed to recently that presents studies showing that a majority of tested users completely disregard hints such as the protocol (https://), the colored URL widget and the lock icon. But I still believe that presenting this dialog in a distinct way, one that page scripts and CSS cannot reproduce, is long overdue.
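The browser-side fix the post asks for is out of a user’s hands, but the underlying principle, that a dialog raised by page script must look different from one raised by the browser, can be demonstrated from the user side. The following is an added example written for this page, not code from the original post or from Mozilla: a wrapper intended to run as a content script before any page script (for example a user script or extension injected at document start) that prefixes every `alert`, `confirm` and `prompt` message with a label naming the page origin, adds a stronger warning when the message looks like a credential request, and keeps a log for review. The function names, the label text and the credential heuristic are all assumptions of this example; it takes the window-like object as a parameter so it can be exercised without a browser.

```javascript
// Added example (not from the original post): make page-script dialogs
// visibly distinct from the browser's own prompts by labelling them.
// In a real deployment, call installDialogLabels(window) from a content
// script that runs before page scripts; here `win` is a parameter so the
// logic can be tested against a constructed fake window.

// Heuristic (assumed for this example): does the dialog text read like a
// request for a secret? A real browser password prompt never comes from
// page script, so such a message from a page is always suspicious.
function looksLikeCredentialRequest(message) {
  return /\b(master\s+)?password\b|\bpassphrase\b|\bPIN\b/i.test(String(message));
}

// Build the label that is prepended to a page-script dialog. The browser's
// own master password prompt never starts with this text, which is what
// gives the user something to distinguish the two by.
function labelFor(origin, message) {
  const base = `[PAGE SCRIPT at ${origin}] `;
  return looksLikeCredentialRequest(message)
    ? base + "WARNING: this page, not the browser, is asking for a secret. "
    : base;
}

// Replace win.alert / win.confirm / win.prompt with labelled versions.
// Returns the original functions (so they could be restored) and the log.
function installDialogLabels(win, log = []) {
  const origin = (win.location && win.location.origin) || "unknown-origin";
  const originals = { alert: win.alert, confirm: win.confirm, prompt: win.prompt };

  for (const name of Object.keys(originals)) {
    const orig = originals[name];
    if (typeof orig !== "function") continue;
    win[name] = function labelled(message, ...rest) {
      const text = message === undefined ? "" : String(message);
      const entry = {
        kind: name,
        origin,
        message: text,
        credentialLike: looksLikeCredentialRequest(text),
      };
      log.push(entry);
      // Forward to the real dialog with the label prepended; the return
      // value (user input for prompt, boolean for confirm) is unchanged.
      return orig.call(win, labelFor(origin, text) + text, ...rest);
    };
  }
  return { originals, log };
}
```

The labelling only helps if the wrapper is installed before the page’s scripts run, since a script that captured the original `prompt` earlier could bypass it; that is exactly why the post argues the distinction belongs in the browser itself rather than in anything a page can reach.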