Do You Store Critical Passwords In the Password Manager?

suzyne
Lunatic
Posts: 364
Joined: 2023-06-28, 22:43
Location: Australia

Do You Store Critical Passwords In the Password Manager?

Post by suzyne » 2023-11-21, 10:20

I have countless passwords because I never use the same password twice and nearly all of them are stored in the default password manager of Pale Moon.

I use the Master Password, which I am confident is secure because it has never been written down and is 20+ random characters with a mix of case and punctuation and has not been used outside of Pale Moon to open the "Software Security Device."

But I cannot bring myself to store my bank account passwords and AWS credential in Pale Moon. Because of some paranoia about doing so.

Am I being overly cautious? Do you put all your passwords in Pale Moon?

Or are you like me, and get a funny feeling about storing super crucial details in a browser, even though you use a strong master password?
Laptop 1: Windows 10 64-bit, i7 @ 2.80GHz, 16GB, NVIDIA GeForce MX450.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.

ron_1
Moon Magic practitioner
Posts: 2860
Joined: 2012-06-28, 01:20

Re: Do You Store Critical Passwords In the Password Manager?

Post by ron_1 » 2023-11-21, 10:46

I don't store my passwords anywhere, except on a piece of paper, and on a password :) protected file locally. I don't mind having to manually type in my passwords.

Moonchild
Pale Moon guru
Posts: 35651
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Do You Store Critical Passwords In the Password Manager?

Post by Moonchild » 2023-11-21, 11:24

suzyne wrote (2023-11-21, 10:20):
> Am I being overly cautious?

Yes, you are. The encryption of the password manager is strong and is implemented in a strongly peer-reviewed library (NSS) that is used for the cryptography of many enterprise systems. If you use a sufficiently-strong master password then there is no real way to recover the passwords from the password store (even if one has physical access to your machine or gets your browser profile data) without knowing the master password -- not within a feasible time frame, anyway. Even password guessing is mitigated through sufficiently-strong PBKDF stretching (many rounds).
You should feel confident storing your bank passwords and AWS credentials in Pale Moon. For critical services you should, of course, use some form of multi-factor authentication or secondary verification in the services in question "just in case".
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Moonchild
Pale Moon guru
Posts: 35651
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Do You Store Critical Passwords In the Password Manager?

Post by Moonchild » 2023-11-21, 11:26

ron_1 wrote (2023-11-21, 10:46):
> I don't store my passwords anywhere, except on a piece of paper, and on a password :) protected file locally. I don't mind having to manually type in my passwords.

Eventually that becomes infeasible. I have so many strong passwords (over 650) that I need a manager ;)
Mind you that that includes other things than just the web, so I do use a separate manager with strong encryption and a master password on it.

Lucio Chiappetti
Astronaut
Posts: 660
Joined: 2014-09-01, 15:11
Location: Milan Italy

Re: Do You Store Critical Passwords In the Password Manager?

Post by Lucio Chiappetti » 2023-11-21, 13:12

suzyne wrote (2023-11-21, 10:20):
> Am I being overly cautious? Do you put all your passwords in Pale Moon?

I can answer as Cardinal Caprara replied to Napoleon who asked whether all Italians are thieves: Not all, but most of them. ( :D in Italian it is a pun, "tutti no, ma buona parte" (lit. "a good part") sounds as "not all, but Buonaparte" (and Napoleone Buonaparte was born in Corsica before it was annexed to France).)

I do store all which I regard as useless passwords, and even some which are useful, but I will never remember (for instance the SPID password which has to be changed every so many months ... but in general I avoid using SPID for public administration sites in favour of authentication with a national card inserted into a USB card reader ... the PIN of such card is stored on paper). I do not store my bank password (actually a numeric username, followed by a PIN I can remember, followed by an OTP sent by SMS), and navigate my bank site in a private window. That's all.
The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. (G.B. Shaw)

Night Wing
Knows the dark side
Posts: 5174
Joined: 2011-10-03, 10:19
Location: Piney Woods of Southeast Texas, USA

Re: Do You Store Critical Passwords In the Password Manager?

Post by Night Wing » 2023-11-21, 13:42

As they say; "To Each, Their Own".

I have eight sites which use username and password. I do not store any passwords in Pale Moon, SeaLion, Waterfox, Firefox.

Since I am retired from the maritime industry, this makes me "old school" which means I'm "old style" with me using a written (paper & pencil) "logbook" for my username and passwords. Mostly just passwords since my username, "Night Wing" is used on seven sites. The eighth site uses a different username and password.

Why do I use a written logbook? Simply because if I ever have a medical stroke which affects my memory and I can't remember things before the stroke, the logbook is an easy and sure fire way of getting back into the sites I visit everyday.

I have two logbooks. I keep one at my home and the second logbook is stored in a safety deposit box at one of my three banks I do banking at near the small rural town where I live in southeast Texas.
Linux Mint 21.3 (Virginia) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
MX Linux 23.2 (Libretto) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
Linux Debian 12.5 (Bookworm) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox

back2themoon
Moon Magic practitioner
Posts: 2411
Joined: 2012-08-19, 20:32

Re: Do You Store Critical Passwords In the Password Manager?

Post by back2themoon » 2023-11-21, 20:39

suzyne wrote (2023-11-21, 10:20):
> Because of some paranoia about doing so.

I think this might be because of:

1. Fairly widespread news and opinions about browsers not being a safe place to store passwords, for not very clear reasons. Or perhaps because of the below?

2. Since websites -malicious ones, too- deal directly with a browser, it does seem and feel easier for them to "trick" the browser into giving them the password. I'll admit this does make some sense, since a password manager would be a much tougher target -if not an unreachable one- for a malicious website.

No, I use a password manager for all passwords.

suzyne
Lunatic
Posts: 364
Joined: 2023-06-28, 22:43
Location: Australia

Re: Do You Store Critical Passwords In the Password Manager?

Post by suzyne » 2023-11-22, 03:51

Moonchild wrote (2023-11-21, 11:24):
> You should feel confident storing your bank passwords and AWS credentials in Pale Moon. For critical services you should, of course, use some form of multi-factor authentication or secondary verification in the services in question "just in case".

I read that and think I am good to go with 100% of my passwords stored in Pale Moon, provided I use a strong Master Password. And certainly my online reading suggests that the builtin password manager vulnerabilities are for browsers without or not using a master password.

back2themoon wrote (2023-11-21, 20:39):
> 2. Since websites -malicious ones, too- deal directly with a browser, it does seem and feel easier for them to "trick" the browser into giving them the password. I'll admit this does make some sense, since a password manager would be a much tougher target -if not an unreachable one- for a malicious website.

Then I read the above and wonder if there is more to it? While looking into the issues more I come across this article.

https://www.theverge.com/2017/12/30/16829804/browser-password-manager-adthink-princeton-research

And I question whether, even if my passwords are secure, could Pale Moon be vulnerable to this? So I decide to turn off the Automatically fill in log-in details option (which was previously turned on) in the Security Preferences.

Moonchild
Pale Moon guru
Posts: 35651
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Do You Store Critical Passwords In the Password Manager?

Post by Moonchild » 2023-11-22, 11:15

suzyne wrote (2023-11-22, 03:51):
> So I decide to turn off the Automatically fill in log-in details option (which was previously turned on) in the Security Preferences.

Automatically filling in log-in details has been default off for a long time (since 27.7.0, Jan 2018) in Pale Moon. It's recommended you keep this off for exactly the reason that in some rare cases it could give up the passwords without user interaction.

Michaell
Lunatic
Posts: 286
Joined: 2018-05-26, 18:13

Re: Do You Store Critical Passwords In the Password Manager?

Post by Michaell » 2023-11-22, 15:30

With "Automatically fill in log-in details" off, it still takes only a click (or two) to fill in [after master pw has been entered]. Can scripts simulate those clicks? I have most of the dom.disable prefs set to true but there doesn't appear to be one for auto clicking.

FWIW, I never save logins for financially related sites like Amazon. (Don't do online banking - don't trust that at all.) I use KeePass for storage of all logins including the more sensitive ones and copies of the ones in the browser. No linking, like an extension, between browser and password program because I'm not that lazy.
Win10home(1709), PM33.1.0-portable as of Apr 23, '24

Moonchild
Pale Moon guru
Posts: 35651
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Do You Store Critical Passwords In the Password Manager?

Post by Moonchild » 2023-11-22, 16:16

Michaell wrote (2023-11-22, 15:30):
> Can scripts simulate those clicks?

No, because they are not content clicks.

suzyne
Lunatic
Posts: 364
Joined: 2023-06-28, 22:43
Location: Australia

Re: Do You Store Critical Passwords In the Password Manager?

Post by suzyne » 2023-11-22, 20:33

To be clear, my motive for the thread is to see how secure the users and developers think the Pale Moon password manager is, and whether there is a rational reason to divide my passwords into two groups, those for which it is sufficient, and another that it is not suitable for? My question is unrelated to convenience or saving effort.

Michaell wrote (2023-11-22, 15:30):
> I'm not that lazy.

back2themoon
Moon Magic practitioner
Posts: 2411
Joined: 2012-08-19, 20:32

Re: Do You Store Critical Passwords In the Password Manager?

Post by back2themoon » 2023-11-22, 21:00

Of course, if proper filterlists and A/V are used then the chances of encountering such a malicious, password-stealing website are next to zero.

A reminder to uBO "Legacy" users: its built-in Online Malicious URL Blocklist (in the Malware domains section) does NOT work (dead link). You need to disable it and import the correct URL in the Custom section. I'd suggest to also import the phishing filter from the same source.

Falna
Astronaut
Posts: 512
Joined: 2015-08-23, 17:56
Location: UK / France

Re: Do You Store Critical Passwords In the Password Manager?

Post by Falna » 2023-11-23, 11:09

suzyne wrote (2023-11-21, 10:20):
> Do you put all your passwords in Pale Moon?

No, but not because I doubt its security, but for flexibility. I prefer a separate password manager (Keepass) that I can copy to other devices and use in other browsers.

Forked extensions :
● Add-ons Inspector ● Auto Text Link ● Copy As Plain Text ● Copy Hyperlink Text ● FireFTP button replacement ● gSearch Bar ● Navigation Bar Enhancer ● New Tab Links ● Number Tabs ● Print Preview Button and Keyboard Shortcut 2 ● Scrollbar Search Marker ● Simple Marker ● Tabs To Portfolio ● Update Alert ● Web Developer's Toolbox ● Zap Anything

Hint: If you expect a reply to your PM, allow replies...

Michaell
Lunatic
Posts: 286
Joined: 2018-05-26, 18:13

Re: Do You Store Critical Passwords In the Password Manager?

Post by Michaell » 2023-11-23, 15:25

suzyne wrote (2023-11-22, 20:33):
> my motive for the thread

a) you seem to be under the impression that you own the thread and therefore control all the comments - get over it, that's not how most sites work.
b) I wasn't responding to you but to moonbat

> My question is unrelated to convenience or saving effort.

You apparently misunderstood the context - my comment was related to many people thinking an external pw manager needs to automatically fill in passwords for them, kind of like the built-in pw manager does. They don't like having to do copy/paste. But those linking mechanisms weaken security. So I made the comment referencing those who think that way; it had nothing to do with you, unless the shoe fits.

Navigator
Fanatic
Posts: 115
Joined: 2023-02-24, 17:53

Re: Do You Store Critical Passwords In the Password Manager?

Post by Navigator » 2023-11-23, 15:42

Moonchild wrote (2023-11-22, 11:15):
> Automatically filling in log-in details has been default off for a long time (since 27.7.0, Jan 2018) in Pale Moon. It's recommended you keep this off for exactly the reason that in some rare cases it could give up the passwords without user interaction.

I feel stupid for having had this on. Do you have a guide for settings like this and how they should be set for proper security?
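
The autofill setting quoted in this post can be checked from outside the browser by reading the profile's prefs.js. The following is an added example, not part of any post in this thread and not Pale Moon's own code; the preference name `signon.autofillForms` (the Mozilla-lineage name for this checkbox) and the sample file contents are assumptions made for the example.

```python
import re
import sys

# Assumption: "signon.autofillForms" is the Mozilla-lineage preference behind
# the "Automatically fill in log-in details" checkbox discussed in the thread.
AUTOFILL_PREF = "signon.autofillForms"

# One prefs.js statement has the form: user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unrecognised
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            value = raw  # unknown literal, kept verbatim
        prefs[name] = value
    return prefs


def autofill_status(text):
    """Classify the autofill setting found in the contents of a prefs.js file.

    "default"  - no override stored, so the browser's built-in default applies
    "enabled"  - explicitly set to true (credentials filled without a click)
    "disabled" - explicitly set to false
    "invalid"  - present but not a boolean
    """
    prefs = parse_prefs(text)
    if AUTOFILL_PREF not in prefs:
        return "default"
    value = prefs[AUTOFILL_PREF]
    if value is True:
        return "enabled"
    if value is False:
        return "disabled"
    return "invalid"


# Constructed sample inputs (not taken from a real profile).
SAMPLE_OVERRIDDEN = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("signon.autofillForms", true);
user_pref("network.cookie.lifetimePolicy", 2);
'''
SAMPLE_UNTOUCHED = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
'''

if __name__ == "__main__":
    # Pass the path to a profile's prefs.js, or run without arguments
    # to see the result for the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            contents = fh.read()
    else:
        contents = SAMPLE_OVERRIDDEN
    print(AUTOFILL_PREF, "->", autofill_status(contents))
```

A result of "default" means prefs.js holds no override, so the shipped default applies.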

Moonchild
Pale Moon guru
Posts: 35651
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Do You Store Critical Passwords In the Password Manager?

Post by Moonchild » 2023-11-23, 17:47

Navigator wrote (2023-11-23, 15:42):
> Do you have a guide for settings like this and how they should be set for proper security?

I don't have a guide, but our provided defaults should provide proper security.

suzyne
Lunatic
Posts: 364
Joined: 2023-06-28, 22:43
Location: Australia

Re: Do You Store Critical Passwords In the Password Manager?

Post by suzyne » 2023-11-23, 20:43

I don't think anything I said is about me needing to:

> own the thread and therefore control all the comments

Yes, I could be accused of being overly defensive in the way I expanded my original question, but that is part of my personality and if it occasionally surfaces, whatever, this probably isn't the first or last time.

Moonchild
Pale Moon guru
Posts: 35651
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Do You Store Critical Passwords In the Password Manager?

Post by Moonchild » 2023-11-23, 22:24

Off-topic:
Everyone has exactly the same level of "control" over posts as anyone else. Nobody "owns" any threads although they may dominate it if it was their question to begin with; that's normal. So it's never really constructive to make remarks about how someone replies or take offense to it. If you don't like the conversation, don't participate any further but please don't make it about how someone posts rather than what someone posts. We all have our own way of talking, and there's generally no need to apologise for you being you, and unless it's egregiously bad, hateful or inappropriate in need of moderation, there really isn't a need to trip over word choice, post length, detail, or what not. It's in everyone's interest to foster an atmosphere that conduces rather than hinders discussion.

If a thread's progression upsets you, don't reply. Instead, just step away and let others talk for as much and as long as they feel they want to.

Lucio Chiappetti
Astronaut
Posts: 660
Joined: 2014-09-01, 15:11
Location: Milan Italy

Re: Do You Store Critical Passwords In the Password Manager?

Post by Lucio Chiappetti » 2023-11-25, 15:57

Lucio Chiappetti wrote (2023-11-21, 13:12):
> I do store all which I regard as useless passwords, and even some which are useful

And there are some I would like to store but I can't. What follows is sort of an off-topic rant (about websites, not Pale Moon)
Off-topic:
Yesterday evening I wanted to book a theatre ticket for mid December. So I started going to my bank site to create a virtual credit card. I got a message that online operations were disabled because my identity card had expired. Which is not true, it expires in 2026. I followed the link to "replace" it (with the same and only identity card) and got an "invalid format" on my id card number (perhaps because it is an electronic card 2.0 and the current ones are 3.0 ?). So I placed an e-mail asking how to proceed. This morning I retried, there was no answer to the e-mail, but full access was restored, so I generated my virtual credit card, took note of number and CVV, and went to theatre site (teatrocarcano.com).
I did not remember whether last time I had to log in, and there were no saved logins in Pale Moon, so I selected my seat and proceeded. It offered me a choice to register or log in ... I checked my e-mail and found that I had used one of my e-mail addresses in the past, but had no trace of the password. So I entered the e-mail and asked for password recovery. This produced a blank popup and got stuck. So I tried to register afresh ... and it told me I was already registered. I moved to Chrome and tried the password recovery (this time the popup was not blank, it asked me to give a new password, which I did, but did not save inside Chrome, I try to avoid Chrome and do not save anything on it but the institutional Gsuite address). It sent me an activation e-mail, which succeeded (though I had to use the HTML portion of the e-mail ... using cut-and-paste of the URL from the ASCII portion of the mail - I use a linemode client - into Pale Moon produced an "Unauthorized" message).
Done this I went back to the theatre site: seat selection, proceed, login ... it asked me to supply supplementary information not previously recorded like my fiscal code and postal code. Then once stored ... it requested me to login again. So I did, but since this placed me in the home page I had to navigate the whole calendar to find my date, and repeat once more seat selection, and proceed. This time I entered the chain of third party transaction handlers (vivaticket.com, happyticket.it and nexi). I entered the credit card number, got a transaction successful ... and then (as it often seems to happen recently) I should have been redirected back to the theatre site to print/retrieve the ticket ... instead I got an error message about something not belonging to me, suggesting to wait some 10 min and check e-mail. In fact I soon got a transaction successful e-mail from the nexi handler (with the amount, but no ticket of course). I logged in again to the theatre site, and finally found my ticket and receipt there (a copy by e-mail arrived in a while).
And of course the password was not (offered to be) stored anywhere (I stored it in an e-mail to myself in the theatre folder). I have Classic Password Editor, but apparently I cannot record manually a username/password for a site because it asks me for a "submit prefix" or "annotation" which I do not know what they are.