How do programs store saved passwords?

2

On the internet it is common to have a "remember password" option in login fields. I know this is done by the developers of the application, but how does Google Chrome, for example, store a saved password? After all, most applications have not been developed to have that kind of integration with the browser (at least as far as I know).

Does it simply keep a "plain text" password?

  • 1

    To my knowledge, [in the browser] it is automatic; a while ago I even opened another question to find out whether it would be possible for the programmer to have more influence on the process. As for how it is stored, it is not "plain text", but that only prevents accidental access: whatever process is used (encryption, probably), it is a reversible process and most likely accessible to any OS administrator or person with physical access to the machine.

  • P.S. In the case of Google Chrome, it is quite easy to access the saved passwords, as indicated by that post (in English): just open the address chrome://settings/passwords, click on the password you want to display and then on "Show"...

2 answers

1

When authentication to an external system is done by password, this password is the access pass to that system: to authenticate with it, you need to present the password in its original format. For this reason, whatever means the program uses to store this password, the process must necessarily be reversible (i.e. it must be possible to obtain the original password from whatever has been stored on the disk).

The problem is: how to protect this password? You cannot hash it, because hashes are not reversible. You could encrypt it, but where would you store the key? If the key is in a file right next to the encrypted password, that's like locking your door and leaving the key in the lock... You could also store this key on an external storage device and ask the user to provide it every time he wants to use the saved password, but then what is the advantage of memorizing the password? Just store it on the external device in the first place... Similarly, if you encrypt the saved password with another password, you avoid having to enter one password but now have to enter another one, so what's the advantage?...

(I speak from the point of view of the user, of course. You can have advantages in using a "master password" that unlocks access to all your saved passwords. Firefox, for example, offers this option. Or you can use a password manager with browser integration. But in general only those more concerned with security do this; the common user just wants to not have to enter the password and that's it!)

Because of this, most programs that store passwords for other services (and in this case it helps the discussion to refer to them not as "passwords" but as "secrets") do not take any extreme measures to protect them: they either store them in plain text, or place them in a binary file and/or use simple obfuscation to prevent accidental access (not worrying about malicious access), or delegate this task to another system, for example the operating system. There is no standardized way to do this, precisely because there is no "right" answer: whatever you do, the person who is sitting in front of the browser and has the option to use the password saved by default has unrestricted access to it (even if that means opening the browser console and inspecting what was sent in the POST...).
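The trade-off described in this answer, as an added example that is not part of the original answer and is not any browser's actual storage code: the same secret saved once with the key file beside the ciphertext and once under a key derived from a master password. All function and file names are hypothetical, the values are constructed, and the HMAC-based stream cipher is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, secret):
    """Encrypt-then-MAC with a 64-byte key (32 encryption + 32 authentication)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(key[:32], nonce, len(secret))))
    return nonce + ct + hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(key[:32], nonce, len(ct))))

def save_with_key_file(secret):
    """Key stored next to the ciphertext: the 'key in the lock' case."""
    key = os.urandom(64)
    return {"key.bin": key, "login.blob": seal(key, secret)}

def save_with_master(secret, master):
    """Key derived from a master password; only the salt is written to disk."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=64)
    return {"salt.bin": salt, "login.blob": seal(key, secret)}

def open_with_master(disk, master):
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), disk["salt.bin"],
                              200_000, dklen=64)
    return unseal(key, disk["login.blob"])

if __name__ == "__main__":
    secret = b"s3cret-site-password"  # constructed sample value
    disk = save_with_key_file(secret)
    # Everything needed to decrypt is in the same place as the ciphertext.
    print("disk only:", unseal(disk["key.bin"], disk["login.blob"]))
    disk = save_with_master(secret, "correct horse")  # constructed master password
    print("right master:", open_with_master(disk, "correct horse"))
    try:
        open_with_master(disk, "guess")
    except ValueError as err:
        print("wrong master:", err)
```

In the second layout the files on disk are not enough by themselves, but the protection is only as strong as the master password, and the user has to type it, which is the cost the answer points out.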

0

Websites use cookies; a cookie is a text file whose main function is storing user preferences on all websites. When you search for a product on a particular website and it appears on your screen when you browse other pages, it was the cookie that informed the system. It is the cookie that says that you are you and that you wanted that product.

In the case of passwords, browsers use the cache memory, which is temporary storage on the hard drive for web pages, images and other documents and files, using caching techniques to reduce the use of available bandwidth and increase the speed of access, among other advantages.

Based on this concept, browsers, when accessing a website, save a copy of the files used by it on the hard drive; the copy can be used to assemble the page rather than transferring the entire original file over the Internet to your computer again.

You can download the Chromepass tool. It is a free tool that displays the passwords saved in the Google Chrome browser. The best thing about this free tool is that it even allows you to export these passwords to a file in HTML, XML format.
