Unencrypted password in local browser storage

Report bugs found in Poker Mavens

Post by MCS » Wed Apr 14, 2021 2:11 pm

Hi,

I just stumbled across my browser's local storage and realized that my PlayerPassword is saved there as plain text, unencrypted. As anyone with access to my browser can easily look up the password, I consider it a minor security issue.

Wouldn't it be possible to replace the password with a server-generated random token?

Kind regards,
Marcus

Re: Unencrypted password in local browser storage

Post by Kent Briggs » Wed Apr 14, 2021 2:47 pm

MCS wrote: I just stumbled across my browser's local storage and realized that my PlayerPassword is saved there as plain text, unencrypted. As anyone with access to my browser can easily look up the password, I consider it a minor security issue.

Just uncheck the "Remember Password" box and it won't get stored. You'll then have to enter it each time you log in.

MCS wrote: Wouldn't it be possible to replace the password with a server-generated random token?

That random token would have to be stored locally too, especially since you won't be able to memorize it like you would a password.
Kent Briggs - [email protected]
Briggs Softworks - http://www.briggsoft.com

Re: Unencrypted password in local browser storage

Post by MCS » Wed Apr 14, 2021 3:08 pm

That token stored locally wouldn't be a problem because of its "random" nature, not being a real password.

I will uncheck the box and teach KeePass to auto-type the login form (as I should have done from the beginning).

Re: Unencrypted password in local browser storage

Post by Kent Briggs » Wed Apr 14, 2021 4:17 pm

MCS wrote: That token stored locally wouldn't be a problem because of its "random" nature, not being a real password.

If you're storing that random token somewhere, it's just as vulnerable as a password. When you use a password manager, you're storing them encrypted and then just remembering the manager's password.
Kent Briggs - [email protected]
Briggs Softworks - http://www.briggsoft.com
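
The "server-generated random token" idea discussed in this thread, sketched as an added example (not Poker Mavens code and not written by either poster): the browser keeps a random, expiring, single-use token, and the server keeps only its hash. The class, method names and the 30-day lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 30 * 24 * 3600  # assumed lifetime: 30 days


class RememberMeStore:
    """Hypothetical server-side table: selector -> (player, verifier hash, expiry)."""

    def __init__(self):
        self._rows = {}

    def issue(self, player, now=None):
        """Called after a successful password login; returns the value the browser stores."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(9)    # lookup key, not secret
        verifier = secrets.token_urlsafe(32)   # 256-bit secret, unrelated to the password
        digest = hashlib.sha256(verifier.encode()).hexdigest()
        self._rows[selector] = (player, digest, now + TOKEN_TTL)
        return f"{selector}.{verifier}"

    def redeem(self, token, now=None):
        """Return (player, replacement_token) for a valid token, else None."""
        now = time.time() if now is None else now
        selector, _, verifier = token.partition(".")
        row = self._rows.pop(selector, None)   # single use: consumed on any attempt
        if row is None:
            return None
        player, digest, expires = row
        presented = hashlib.sha256(verifier.encode()).hexdigest()
        if now > expires or not hmac.compare_digest(presented, digest):
            return None
        return player, self.issue(player, now)  # rotate on every successful use

    def revoke_all(self, player):
        """Invalidate every stored token for a player (lost device, password change)."""
        self._rows = {s: r for s, r in self._rows.items() if r[0] != player}
```

A token copied from local storage still logs its holder in until it is redeemed, expires or is revoked. The server-side table holds only SHA-256 digests, so reading that table yields neither a password nor a usable token.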
