Unsafe Password Fields On Web Browsers
Most people nowadays (who still use a computer) rely on their web browser to store information to quickly fill forms such as addresses, personal information, usernames and passwords. When a password field is stored in your browser and later filled into a form, it will be automatically masked as usual on any password field.
If you wish to see what the password is, you must go to your browser’s passwords manager and it will usually require you to type in your OS’s user password before it will show you anything in plain text. However, since HTML is very developer friendly (and web browsers make it remarkably easy to debug websites with built in tools), altering a simple attribute in the password field will make it readable without asking for any password.
This is risky as anyone could perform this trick a lot faster than finding the desired password in the browser’s manager and doesn’t require any credentials. Picture yourself in a coffee shop where you stand up to get some napkins or sugar and leave your laptop unattended for a minute. That’s more than enough time to retrieve a stored password and go unoticed.
I’ve tested it on Google Chrome and Firefox and at the time of writing, both browsers being in their latest versions and the same technique shows me my stored passwords in plain text.
All you have to do is go to a login page where your username and password have been filled in by your browser and right click on the password field. Select “Inspect” (Chrome) / “Inspect Element (Firefox) and you’ll see the HTML code for the website on screen. All you have to do is search for the password field and then find the “type” attribute which will have a “password” value indicating the browser that it should visually mask that field with dots or whatever character it uses for hiding the password’s text. Replace the word “password” with the word “text” and press enter. That’s it, the password will be shown.
<input class=”form-control ng-valid ng-dirty” name=”password” ng-model=”password” type=”password“> (Replace “password” with “text”)
This of course doesn’t apply to all websites (but surely does apply to most of them) and only works if the user has stored the login credentials for the specific website you are testing. I’d report this as an issue but most likely it’s a feature that works as intended because it’s a debugging tool for developers. However, it doesn’t make sense to me that the password manager requires the user to provide a password before actually showing anything in text but it does input your password into the form without any security whatsoever.
Just something to take into account when storing passwords inside your browser as it might not be the safest idea.
SSD + HDD on (almost) any Laptop
With the prices of SSD’s dropping and stupid people dumping their desktop computers in favor of cheap, shitty and low end laptops, OEMs are making the gap between good hardware and crappy but affordable laptops even larger. This leaves power users (who not necessarily have tons of cash) with not much options for buying a good laptop. Since they are focusing on low energy consumption and slim designs and because performance is not an issue for most people (they barely understand the difference between RAM and HDD) there’s little to no interest on selling balanced systems for people who actually care and do need good performance (but for real stuff they rather use their desktop computers). With that being said, it brings me to the point of this post. When buying a laptop you may expect only 2 or 3 possible upgrades: RAM, HDD and battery. At this point, many vendors are soldering RAM into the motherboard and getting even slimmer hard drives, leaving your upgrade options more limited. This is fine for most people. But I’m not most people and I don’t give a damn what the vendor thinks is right for me.
This guide is only good for those laptops that still come with an optical drive. Chances are that if your laptop doesn’t have one, then you either:
- Shouldn’t be here, get a mac maybe?
- You have a Facebook-only computer and/or all you do with it is covered by any modern web browser (you probably use Internet Explorer or Safari, hell, you might have managed to bring Netscape back)
Now, I’m not saying that a computer requires an optical drive. It’s just that most laptops that don’t are cheap models where the even cheaper optical drive was removed to reduce weight and production costs and there’s no real reason not to include it. I don’t use an optical drive myself for much, but that’s not the point here. Continue Reading →