Ninety-five percent of all Internet users browse the web using Internet Explorer (IE) or Firefox. An alarming majority of these users also rely on the built-in password management and autocomplete features of the two browsers, a choice that can have devastating consequences.
Internet Explorer's AutoComplete and Firefox's Password Manager allow users to store web form usernames, passwords, and URLs to make the login experience more convenient. These allegedly helpful features spare the user from having to remember countless usernames and passwords. When navigating to a URL such as http://www.yahoo.com where form fields are present, both IE and Firefox will prompt the user to ask whether the username and password should be saved. Subsequent visits to the site are simplified because the user is automatically logged in with the saved username and password.
Although these features greatly lighten the burden on us as end users, they also introduce serious security considerations and a strong false sense of security.
What Is Really Simplified? The Ability For A Hacker To Steal Your Passwords!
Internet Explorer's and Firefox's built-in password management features are far from secure, and each carries the same basic threats and drawbacks:
Both utilize insecure encryption methods.
Both have fallen victim to countless malware attacks designed specifically to steal a user's usernames and passwords.
Freely available software, easily downloaded from the Internet, is able to crack both browsers' saved password files.
Both features are physically accessible to anyone on the same computer.
Top Internet Explorer & Firefox Threats
Physical Access
Both IE AutoComplete and Firefox's Password Manager work under the premise that a particular Windows user account has complete access to the password database. Therefore, if an unauthorized user has access to the computer, and the account is logged in or is not password protected, the attacker can abuse the account's privileges and illegitimately use its passwords. Access can be obtained by physical presence (walking up to the computer) or by using a remote access client (VNC, Remote Desktop, etc.).
JavaScript
When you visit a website that has your username and password saved, the password is always hidden from the naked eye behind a series of asterisks or bullets (*****). This is done to prevent what is known as shoulder surfing, so that anyone looking over your shoulder cannot see your password. The browser itself stores the real password and submits it when the login action is invoked. It is very easy, however, to use a simple JavaScript method that is freely available online to reveal saved passwords on any site.
Password Recovery
Many companies now offer software that will recover your passwords from Internet Explorer's AutoComplete feature, including two very popular freeware titles, PassView and IEPassView. The premise is that many users forget their passwords, get a new computer, or do not have their passwords available on a mobile computer for travel, so the software gives the user access to the plain text version of his or her password. What does this mean? In short, anyone can use password recovery software to access your usernames and decrypt your passwords.
Malware
Internet Explorer is usually a prime target for malware infection because of its popularity and well-known bugs. Lately, these vulnerabilities have reached a dangerous point, and malware programs are specifically targeting AutoComplete information. These programs gather confidential information and then send it back to the attacker. BackDoor-AXJ is a Trojan program that stores AutoComplete and other information on a victim's machine, and then sends the information back to the developer or controller of the Trojan. Srv.SSA-KeyLogger is a backdoor utility that installs covertly on Internet Explorer and acts as a key logger. The backdoor also covertly turns on AutoComplete, steals data from Protected Storage and sends it back to the source, where it will be sold or used for a myriad of illegal gains including identity theft.
Password Crackers
Recently, with Firefox's explosion of popularity, the once-thought secure browser has fallen prey to password attacks as well. Nearly one dozen open-source software products exist on the Internet with the sole purpose of cracking Firefox's Password Manager. The most popular of these utilities, Firemaster, was released in January 2006, is freely available to anyone who wishes to steal your passwords, and has already been downloaded millions of times. Needless to say, weak passwords (lowercase dictionary words or addresses) can be cracked in literally microseconds.
Users of the most popular Internet browsers are neither fully aware nor informed of the risks associated with the use of the built-in password management systems. However, there are a number of ways you can prevent these problems from plaguing your life.
Avoid using the built-in password managers for sensitive sites including financial institutions, brokerages and banking websites. Simply put, do not store your username and password via your browser's built-in utility for any website that you would not want a complete stranger to access. Sites such as forums, social bookmarking websites and online news will not damage your credit score if broken into and sold.
Disable the password managers in your web browser especially if you are on a shared computer and do not want others to gain access to your valuable accounts. You may wish to write down your passwords or use a secure third-party solution.
Use a proven secure password manager such as Oversight Technology's Password Prime or the open-source Password Safe. Both are free, provide multiple layers of encryption and work as stand-alone products, making them far more difficult to crack.
Password complexity plays a major role in preventing attacks of any kind. The stronger and more complex your password is, the harder it will be for a malicious attacker to crack it. A good password should be greater than eight characters in length, with random special characters, and a good mixture of alphanumeric characters.
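As an added illustration (not part of the original article) of the password advice above, and of why a lowercase dictionary word falls in microseconds while a mixed password does not, the following Python checks a candidate against the stated rules and estimates the guesses a cracker needs; the word list and the guess rate are constructed assumptions, not figures from the article.

```python
import string

# Constructed stand-in for the word lists a password cracker tries first
# (assumption: a real list is far larger, so the estimate below is generous).
COMMON_WORDS = {"password", "letmein", "welcome", "yahoo", "summer", "monkey"}
ASSUMED_GUESSES_PER_SECOND = 1e9  # constructed figure for illustration only


def _core_word(pw: str) -> str:
    """Lowercase the password and drop leading/trailing digits and symbols."""
    return pw.lower().strip(string.digits + string.punctuation)


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attack must cover for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def check_policy(pw: str, dictionary=COMMON_WORDS) -> list:
    """Return the rules from the article that the password fails (empty = passes)."""
    failures = []
    if len(pw) <= 8:
        failures.append("length must be greater than eight characters")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        failures.append("no mixture of letters and digits")
    if _core_word(pw) in dictionary:
        failures.append("based on a dictionary word")
    return failures


def worst_case_guesses(pw: str, dictionary=COMMON_WORDS) -> int:
    """Guesses needed: the wordlist length if the word is listed, else full keyspace."""
    if pw.lower() in dictionary:
        return len(dictionary)
    return charset_size(pw) ** len(pw)


def crack_seconds(pw: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the guesses at the assumed rate."""
    return worst_case_guesses(pw) / rate
```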