Thursday, February 28, 2008

Should you disable saving passwords in your browser?

The majority of free as well as commercial browsers have a password saving feature. Of course, without it our lives would not be so much fun. We would be scampering to remember passwords, or using one of our notebooks to jot down all the fun user ids and passwords for the one thousand and counting web sites we visit on a regular basis.

One of MIT's online articles here talks about when one should never store passwords in the browser (right, I am talking about the auto-fill feature that is your favorite).

Information Services and Technology recommends that you do not save passwords with your browser for sites which have:

* private information about you or someone else (e.g., medical records)
* private financial information (e.g., credit card numbers)
* private correspondence (e.g., e-mail)

For example, you should never save the passwords for your accounts with:

* Fidelity NetBenefits
* MIT Federal Credit Union, or your bank
* MIT WebMail

If you do save passwords for these types of sites, you put yourself at risk.


There is a non-standard attribute that hints to the browser not to auto-complete certain fields, as in:

<input type="text" name="Credit Card Number" autocomplete="off" />


Browsers like IE and Firefox (and probably Opera too) honor this.
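As an added example (not code from the original post), here is a small audit script that scans an HTML fragment for sensitive fields (password inputs, and names or ids that look like card, CVV, SSN or routing numbers) and reports which of them lack autocomplete="off". It runs in Node without a DOM by scanning <input> tags textually; the sample form and the name heuristic are constructed for this example. Note that the attribute is only a hint: the quoted Mozilla developer's point stands, and current browsers in fact ignore autocomplete="off" on login credential fields, so the check tells you what the page asks for, not what every browser will do.

```javascript
// Added example, not from the original post: audit an HTML fragment for
// sensitive form fields that do not carry autocomplete="off".
// The name heuristic below is an assumption of this example.
const SENSITIVE_NAME = /(card|cvv|cvc|ssn|routing|passw)/i;

// Parse the attributes inside one <input ...> tag into an object (keys lower-cased).
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const value = m[2] !== undefined ? m[2]
      : m[3] !== undefined ? m[3]
      : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// A field is sensitive if it is a password input or its name/id looks like one
// of the categories the MIT guidance lists (financial or private data).
function isSensitive(attrs) {
  const type = (attrs.type || 'text').toLowerCase();
  if (type === 'password') return true;
  return SENSITIVE_NAME.test(`${attrs.name || ''} ${attrs.id || ''}`);
}

// Return one finding per sensitive <input>, recording whether autocomplete="off" is set.
function auditForm(html) {
  const findings = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (!isSensitive(attrs)) continue;
    findings.push({
      field: attrs.name || attrs.id || '(unnamed)',
      type: (attrs.type || 'text').toLowerCase(),
      autocompleteOff: (attrs.autocomplete || '').toLowerCase() === 'off',
    });
  }
  return findings;
}

// Names of sensitive fields that still allow the browser to store/fill them.
function missingAutocompleteOff(html) {
  return auditForm(html).filter((f) => !f.autocompleteOff).map((f) => f.field);
}

// Constructed sample form: the post's own credit-card input, plus a few others.
const SAMPLE_FORM = `
<form action="/checkout" method="post">
  <input type="text" name="shipping_name">
  <input type="text" name="Credit Card Number" autocomplete="off" />
  <input type="text" name="cvv">
  <input type="password" name="passwd" autocomplete="off">
  <input type="email" name="email" autocomplete="on">
</form>`;

console.log(JSON.stringify(auditForm(SAMPLE_FORM), null, 2));
console.log('missing autocomplete="off":', missingAutocompleteOff(SAMPLE_FORM));
```

Run it with `node audit.js`; on the sample form it flags the `cvv` field as the one sensitive input the page has not marked. Treat the result as a page-authoring check to run over your own templates, not as evidence of what a given user's browser will actually store.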

Disadvantages:
* Using this attribute breaks the XHTML rules, so your page will not be XHTML compliant.

One of the security developers at Mozilla has basically said the following:
We respect it sufficiently that there are several popular bookmarklets/greasemonkey scripts out there that remove this attribute from sites when they find it. People really like their password fillers.


I do hope that this attribute gets into the HTML5 specification and becomes a standard web authoring practice for Banks, Financial Institutions and other secure online sites. Oh, wait. Also Paypal....

UPDATE: If you look at the comments on this post, I have been told that "autocomplete=off" is a valid attribute in HTML5. So that is good. But it remains to be seen how soon banks, financial institutions and health care services will adopt HTML5 or start using this attribute (shouldn't they already be doing this?).

Wednesday, February 27, 2008

Security Toolbars to prevent Phishing Attacks.....

I came across this toolbar from Netcraft that tells me whether a particular website I am visiting is legitimate or not (something like a thermometer view)....

The toolbar can be obtained here.

Since I have started using it today, I cannot tell you how good or bad it will be.

Here is a research paper that talks about how effective security toolbars are....

From the abstract:
We conducted two user studies of three security toolbars and other browser security indicators and found them all ineffective at preventing phishing attacks. Even though subjects were asked to pay attention to the toolbar, many failed to look at it; others disregarded or explained away the toolbars' warnings if the content of web pages looked legitimate. We found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be.


There is nothing new here. People do not really look at the trust indicators provided by the browser. Only after you have had a bad experience will you start looking for such indications.... Isn't that human nature?

Tuesday, February 26, 2008

Extended Validation Certificates are close to 1 year now

The CA/Browser Forum defines EV Certificates as:
The Extended Validation (EV) SSL Certificate standard is intended to provide an improved level of authentication of entities that request digital certificates for securing transactions on their Web sites. The next generation of Internet browsers will display EV SSL-secured Web sites in a way that allows visitors to instantly ascertain that a given site is indeed secure and can be trusted. A new vetting format, which all issuing Certification Authorities (CAs) must comply with, ensures a uniform standard for certificate issuance. This means that all CAs must adhere to the same high security standards when processing certificate requests. Consequently, visitors to EV SSL-secured Web sites can trust that the organization that operates the site has undergone and passed the rigorous EV SSL authentication process as defined by the CA/Browser Forum. Internet users thus will be able to trust that particular Web sites are what they claim to be, rather than fraudulent mirror sites operated by perpetrators of phishing schemes.
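How does a browser actually decide that a site is "EV-secured" and deserves the green treatment? It looks at the certificatePolicies extension of the site's certificate and checks whether one of the policy OIDs there is on its list of recognised EV OIDs for the issuing root. As an added example (not code from the original post or from any browser), the script below decodes a certificatePolicies extension from DER and reports the matching EV OID, if any. The DER bytes are constructed for the example. It lists only the CA/Browser Forum-wide EV OID 2.23.140.1.1, which was defined after this post was written; in 2008 each CA used its own EV OID, and a browser kept a per-root list of them, so a real check would extend the set from the root store.

```javascript
// Added example, not from the original post: does a certificate's
// certificatePolicies extension carry an Extended Validation policy OID?
// The DER samples below are constructed for this example, not real certificates.

// EV policy OID assumed here: the CA/Browser Forum EV OID. Early EV certificates
// carried CA-specific OIDs instead, which browsers listed per issuing root.
const EV_OIDS = new Set(['2.23.140.1.1']);

// Read one DER tag-length-value at `offset`; returns where its content starts/ends.
function readTlv(bytes, offset) {
  const tag = bytes[offset];
  let len = bytes[offset + 1];
  let pos = offset + 2;
  if (len & 0x80) {               // long form: low 7 bits give the count of length bytes
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | bytes[pos++];
  }
  return { tag, start: pos, end: pos + len, next: pos + len };
}

// Decode OBJECT IDENTIFIER content bytes into dotted form, e.g. "2.23.140.1.1".
function decodeOid(bytes, start, end) {
  const arcs = [];
  let value = 0;
  for (let i = start; i < end; i++) {
    value = (value << 7) | (bytes[i] & 0x7f);   // base-128, high bit = continuation
    if ((bytes[i] & 0x80) === 0) {
      if (arcs.length === 0) {                   // first subidentifier packs 40*a + b
        const first = value < 80 ? Math.floor(value / 40) : 2;
        arcs.push(first, value - 40 * first);
      } else {
        arcs.push(value);
      }
      value = 0;
    }
  }
  return arcs.join('.');
}

// certificatePolicies ::= SEQUENCE OF PolicyInformation
// PolicyInformation    ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER, qualifiers OPTIONAL }
function policyOids(extensionValue) {
  const outer = readTlv(extensionValue, 0);
  if (outer.tag !== 0x30) throw new Error('certificatePolicies must be a SEQUENCE');
  const oids = [];
  let pos = outer.start;
  while (pos < outer.end) {
    const info = readTlv(extensionValue, pos);
    const oid = readTlv(extensionValue, info.start);
    if (oid.tag !== 0x06) throw new Error('policyIdentifier must be an OBJECT IDENTIFIER');
    oids.push(decodeOid(extensionValue, oid.start, oid.end));
    pos = info.next;                               // skip any policy qualifiers
  }
  return oids;
}

// The EV OID the certificate asserts, or null if it is not an EV certificate.
function extendedValidationOid(extensionValue, evOids = EV_OIDS) {
  return policyOids(extensionValue).find((oid) => evOids.has(oid)) || null;
}

// Constructed sample: 2.23.140.1.2.1 (CA/B Forum domain-validated) then 2.23.140.1.1 (EV).
const SAMPLE_EV_POLICIES = Uint8Array.from([
  0x30, 0x13,
    0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01, 0x02, 0x01,
    0x30, 0x07, 0x06, 0x05, 0x67, 0x81, 0x0c, 0x01, 0x01,
]);
// Constructed sample: a domain-validated certificate with no EV policy.
const SAMPLE_DV_ONLY = Uint8Array.from([
  0x30, 0x0a,
    0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01, 0x02, 0x01,
]);

console.log('policies:', policyOids(SAMPLE_EV_POLICIES));
console.log('EV OID:', extendedValidationOid(SAMPLE_EV_POLICIES));   // 2.23.140.1.1
console.log('EV OID:', extendedValidationOid(SAMPLE_DV_ONLY));       // null
```

The point to take away is that "EV" is nothing more than a policy OID in the certificate that the browser has agreed to trust for that root; the green bar reflects the CA's vetting process, not anything about the content the site then serves.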


You can get a reasonable look at how EV Certificates have progressed since their birth at the following Netcraft article:
Extended Validation SSL Certificates now 1 Year Old


Some interesting points from the article are:
Absolute growth of EV SSL certificates has remained largely constant for several months, and the total (around 4000 sites) is dwarfed by the 809,000 sites that use traditional SSL certificates.


You can take a look at how IE7 will display EV Certificates in the following image:
[Image: Paypal website in IE7]

EV Certificates are certainly a welcome change, but they are not the solution to all the problems. Here is a report of how XSS vulnerabilities can undermine the assurance that EV Certificates are meant to provide.