# Browser Password Saving



## Phishfry (Sep 2, 2019)

I am wondering about other FreeBSD users' browser preferences. I personally consider this feature a risk.


----------



## yuripv (Sep 2, 2019)

Yes, I even do use the "firefox sync" feature for that.


----------



## k.jacker (Sep 2, 2019)

I keep all passwords in my head and a backup of everything inside an encrypted csv file on my server. That's all.


----------



## ralphbsz (Sep 2, 2019)

I voted "yes" above, but that is not really true.

I do keep passwords (and credit card numbers and such stuff) in a browser, but only in one browser and on one computer. That computer is administered by professionals who really know what they are doing, and logging in requires both a password, and a security key.

Other than that one exception, I do not store passwords in browsers. Nor in password managers. In order to do that, you need to nearly completely trust the browser, and the OS, and the administration of the machine. In general, I don't think that condition is met without professionals taking care of it. Instead, I store passwords myself, in an encrypted file that is kept on a machine that I administer myself. There are backups of the encrypted file in various locations. The encryption password is probably about 25 or 30 characters long, and I use trustworthy encryption software. So instead of using a browser or other complex software, I rely on relatively simple but powerful encryption.


----------



## Deleted member 30996 (Sep 2, 2019)

No. I keep passwords for different sites in separate encrypted files.


----------



## trev (Sep 2, 2019)

I've been using SeaMonkey (and its earlier incarnations of Netscape Communicator and Mozilla Suite) to save passwords since the 1990s.

I did for a while flirt with ridiculously long random passwords not recorded anywhere, but found that relying on "Forgot password" responses was somewhat hit and miss - about 40% of the time there was no promised email response (I know for certain as I run my own mail servers) and about 50% of the time said email response came via a source that needed to be whitelisted because the relay server did not have forward and reverse DNS entries; did not have any DNS entry at all; and/or was a common spam source (Vultr, Linode, Amazon WS et al).


----------



## Phishfry (Sep 2, 2019)

I really appreciate the varying views.

Backstory: A friend whose machines I keep running had a Windows 7 'Windows Update' meltdown.
Totally hosed the machine so bad I couldn't bring it back. So it is a 6 year old machine and I re-installed Win7 keeping his data.
All programs were lost so I reinstalled Firefox and Office.
I get this frantic phone message while out about Firefox not saving passwords and I wanted to laugh.
This is a college professional who does GIS for a major U.S.A.F. contractor. Can't find the setting he needs.
I had buttoned down the browser the way I normally would and thought this guy is a dummy for messing with my virgin install.
I wanted to berate him but withheld.
This guy is worth a lot of money from family trusts and I just wanted to protect him.
Normally rich people understand money and password sensitivity. He has much, much more to lose than me.


----------



## Phishfry (Sep 2, 2019)

I always had to chuckle at the crypto spaces on Navy boats. They used to use those round numerical locks for sensitive spaces.
Push buttons with numbers.




Kaba Simplex 900 Series 9170000 Pushbutton Lock (www.americanlocksets.com)



Usually right above it, in wax crayon, is the code.
Same thing with nuke repair department at the Navy Yard.
We had to go thru two layers of mag swipe badges (General Access and Controlled Industrial Area) but inside spaces were only using those round numerical pushbutton locks. Usually with the code scribbled right above it.
The illusion of security.


----------



## Crivens (Sep 2, 2019)

Phishfry I somehow expected the key cards to swipe hanging from a nail on a piece of string...


----------



## olli@ (Sep 2, 2019)

I voted “yes”, but I only use that feature for accounts that are not important and not critical, especially those that don't even have my real personal data (name, date of birth, …) and only a throw-away e-mail address that I can disable any time.

However, I do _not_ use it for sites that could cause damage when the credentials are lost, i.e. basically all online shops (and anything else that knows my credit card number) and sites that have a certain amount of (real) personal data. Those credentials I keep encrypted on a small USB stick.


----------



## bookwormep (Sep 3, 2019)

No. Especially client files (passwords) are kept in a locked safe.


----------



## rigoletto@ (Sep 3, 2019)

I use security/keepassxc for passwords and a few other things, and I keep some backup of the file and key using net/syncthing.


----------



## gpw928 (Sep 4, 2019)

I don't store passwords in web browsers, except for trivial cases where exposure could not lead to any significant loss of financial or personal data.

I use a random password generator (attached) to create maximum length gibberish passwords, and the very portable /sysutils/password-store to keep them encrypted. $HOME/password-store gets sync'd with my notebook.

My password generator needs lots of options to cope with the mindless restrictions on passwords (one bank I use won't allow special characters of any kind; others exclude some non-alpha numerics, but not others).

I also try to avoid keeping credit card numbers with on-line merchants (banks and PayPal are hard to avoid).  Instead I keep my credit card details in the password-store.

I really have only three passwords that I have to remember:

- the dumb one for the sites I don't care about;
- a good one for my principal bank; and
- another good one to unlock the password-store.

And, $HOME/password-store is replicated, and backed up to my ZFS server, with backups rsync'd to my eSATA portable disks (one always rotated off-site every month or so).


----------
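A generator of the kind gpw928 describes, one that copes with per-site character restrictions, can be sketched as follows. This is an added example, not the attachment mentioned in the post; the function name `generate` and its `allow` and `exclude` parameters are assumptions made for illustration.

```python
import secrets
import string

# Character classes a site policy may allow or forbid (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def generate(length, allow=("lower", "upper", "digit", "special"), exclude=""):
    """Return a random password of `length` characters.

    allow   -- names of the character classes the site accepts
    exclude -- individual characters the site rejects
    At least one character from every allowed class is included, because
    many policies demand it.
    """
    pools = []
    for name in allow:
        pool = "".join(c for c in CLASSES[name] if c not in exclude)
        if pool:
            pools.append(pool)
    if not pools:
        raise ValueError("policy leaves no usable characters")
    if length < len(pools):
        raise ValueError("length too short to cover every allowed class")

    alphabet = "".join(pools)
    # One guaranteed character per class, the rest from the whole alphabet.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # Shuffle with the OS CSPRNG so guaranteed characters are not at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    print(generate(32))                                      # no restrictions
    print(generate(20, allow=("lower", "upper", "digit")))   # no special characters allowed
    print(generate(24, exclude="\"'\\<>&"))                  # a few symbols rejected
```

All randomness comes from the `secrets` module, which draws on the operating system's CSPRNG; the general-purpose `random` module is not suitable for generating credentials.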



## PMc (Sep 4, 2019)

I don't store passwords in the web browser, I store them in the web server, so that I can access them from everywhere.


----------

