{"id":91,"date":"2005-09-25T20:07:02","date_gmt":"2005-09-25T10:07:02","guid":{"rendered":"http:\/\/www.somethinkodd.com\/oddthinking\/?p=91"},"modified":"2007-09-10T18:30:05","modified_gmt":"2007-09-10T08:30:05","slug":"browser-comparison-password-management","status":"publish","type":"post","link":"https:\/\/www.somethinkodd.com\/oddthinking\/2005\/09\/25\/browser-comparison-password-management\/","title":{"rendered":"Browser Comparison: Password Management"},"content":{"rendered":"

<\/p>\n

Abstract<\/h2>\n

In the comments to my last post<\/a> about web-page password management Casey<\/a> and Alastair<\/a> explained that their favourite browsers (Opera and Safari respectively) has cool web-page password management features.<\/p>\n

I planned to send a comment back to them stating that all of the big browsers had identical functionality in this area, and there was nothing between them.<\/p>\n

I tested the hypothesis first, and the results were more interesting than I thought. A quick comment turned into this article instead.<\/p>\n

Hypothesis<\/h2>\n

That all of the big browsers have identical functionality for Password Management.<\/p>\n

Method<\/h2>\n

I found a publicly-available free-to-register site that suffers from the “automatic-login-only-works-the-second-time dance”<\/a> – and now you can see why I was keen to find a better name. Once we name a problem, it is easier to discuss its solutions. The site is the WordPress Support<\/a> site.<\/p>\n

I attempted to reproduce the problem in Opera, IE and Firefox. I am afraid I have no access to Safari, so I based it entirely on Alastair’s comment<\/a>. I apologise for not going to original sources.<\/p>\n

Results<\/h2>\n\n\n\n\n\n\n
Browser?<\/strong><\/td>\nHas Password Management?<\/strong><\/td>\nSupports Multiple Passwords for Each Username?<\/strong><\/td>\nPassword Stored Per:<\/strong><\/td>\nCredential Editability?<\/strong><\/td>\nUI<\/strong><\/td>\n<\/tr>\n
Firefox 1.0.4<\/td>\nYes<\/td>\nNo – re-using a username will automatically override existing stored password.<\/td>\nDomain<\/td>\nDeletion + Display of passwords in clear-text available. <\/td>\nClick (pre-selected) username field to choose username. Tools | Options | Saved Passwords | View Saved Passwords to display or delete. <\/td>\n<\/tr>\n
Internet Explorer 6.0<\/td>\nYes<\/td>\nNo – re-using a username will prompt to override existing stored password.<\/td>\nURL <\/td>\nDeletion only.<\/td>\nClick (pre-selected) username field to choose username. Delete key to delete one. Tools | Internet Options… | Content | AutoComplete | Clear Passwords to delete all. <\/td>\n<\/tr>\n
Opera 8.02<\/td>\nYes<\/td>\nYes<\/td>\nURL or Domain – user-selectable<\/td>\nDeletion only? [No option to edit. I couldn’t get add (New) to work.]<\/td>\nCTRL+ENTER to choose username. Delete button to delete one. Tools | Advanced | Wand Passwords… to delete by site. No ability to delete all? <\/td>\n<\/tr>\n
Safari<\/td>\nYes<\/td>\nNo<\/td>\nDomain<\/td>\n???<\/td>\n???<\/td>\n<\/tr>\n<\/table>\n

Discussion<\/h2>\n

So there are some visible differences between the systems.<\/p>\n

Notably Firefox and Internet Explorer take different approaches to the scope of the password. Firefox appears to offer the same username\/password combination to any site on the same domain. Internet Explorer insists that it be the same URL. Opera offers the choice to the user. If you store it per domain, the dance is resolved! All of the login points for the domain will be equivalent. However, you need to trust the domain not to allow XSS hacks<\/a>.<\/p>\n

There was a difference in usability too. In my opinion, Opera was the worst – requiring an unguessable CTRL+ENTER combination – I couldn’t find a menu item equivalent. Internet Explorer and Firefox were not much better. Clicking on the username field twice<\/em> is more guessable, but still no other means to get there!<\/p>\n

Opera’s ability to store multiple passwords for a single username seemed a misfeature to me. I can’t imagine why anyone would want to have this feature, and it made selecting the correct credentials difficult – you had to select the correct item from two choices that are indistinguishable. Internet Explorer’s prompt to warn you that you were choosing to override the password makes the most sense to me, and it has saved me a few times.<\/p>\n

Firefox’s ability to display passwords in cleartext appears to be a terrible security hole. Don’t let me play on your computer for even two minutes if you use Firefox – I’ll have your passwords for all your favourite sites and, if you are like much of the world, you use the same password for your PayPal and eTrade accounts too.<\/p>\n

I have largely ignored Safari – I don’t have enough information to really judge it. <\/p>\n

Conclusion<\/h2>\n

My hypothesis was wrong. When I looked at the browsers with more care, I noticed key differences in their functionality.<\/p>\n

None of the browsers I looked at passed with flying colours.<\/p>\n

Internet Explorer is the most likely to suffer from the original problem. It has reasonable usability and security. It does require you to learn a couple of tricks, but they are useful throughout Windows (e.g. Windows explorer and Internet Eplorer’s address bars and also file-completion in the file-choosers)<\/p>\n

Opera’s power is the greatest and its usability is the worst. If you stick to the default scope, it also lets you suffer the worst – typing in a correct password on the opening page doesn’t solve the problem.<\/p>\n

Firefox is probably gets the most points for usability, and discards them again with its security.<\/p>\n

Each of these browsers is evolving. Maybe they will all improve over time.<\/p>\n","protected":false},"excerpt":{"rendered":"

The password management facilities of three common browsers are compared and contrasted<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_s2mail":"","footnotes":""},"categories":[31,25,47],"tags":[],"class_list":["post-91","post","type-post","status-publish","format-standard","hentry","category-geek","category-insufficiently-advanced-technology","category-review"],"_links":{"self":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts\/91","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/comments?post=91"}],"version-history":[{"count":0,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts\/91\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/media?parent=91"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/categories?post=91"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/tags?post=91"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}