Unencrypted password in local browser storage

Posted: Wed Apr 14, 2021 2:11 pm
by MCS
Hi,

I just stumbled across my browser's local storage and realized that my PlayerPassword is saved there as plain text, unencrypted. As anyone with access to my browser can easily look up the password, I consider it a minor security issue.

Wouldn't it be possible to replace the password with a server generated random token?

Kind regards,
Marcus

Re: Unencrypted password in local browser storage

Posted: Wed Apr 14, 2021 2:47 pm
by Kent Briggs
MCS wrote: I just stumbled across my browser's local storage and realized that my PlayerPassword is saved there as plain text, unencrypted. As anyone with access to my browser can easily look up the password, I consider it a minor security issue.

Just uncheck the "Remember Password" box and it won't get stored. You'll then have to enter it each time you log in.

MCS wrote: Wouldn't it be possible to replace the password with a server generated random token?

That random token would have to be stored locally too, especially since you won't be able to memorize it like you would a password.

Re: Unencrypted password in local browser storage

Posted: Wed Apr 14, 2021 3:08 pm
by MCS
That token stored locally wouldn't be a problem because of its "random" nature, not being a real password.

I will uncheck the box and teach KeePass auto-type the login form (as I should have done from the beginning).

Re: Unencrypted password in local browser storage

Posted: Wed Apr 14, 2021 4:17 pm
by Kent Briggs
MCS wrote: That token stored locally wouldn't be a problem because of its "random" nature, not being a real password.

If you're storing that random token somewhere, it's just as vulnerable as a password. When you use a password manager, you're storing them encrypted and then just remembering the manager's password.