You are here

Can't remember password on Paypal?

8 posts / 0 new
Last post
arizona480
Offline
Last seen: 8 years 4 months ago
Joined: 2007-05-02 19:15
Can't remember password on Paypal?

I'm setting up a laptop for my brother, I can't get Firefox 2.0.0.12 (portable) to ask me to remember the password for the paypal login, the site is not on the blacklist. Any ideas?

rab040ma
Offline
Last seen: 3 weeks 12 hours ago
Joined: 2007-08-27 13:35
Does FFP remember passwords

Does FFP remember passwords for other sites?

Are you on the HTTPS version of the paypal.com page?

Have you logged in a couple of times?

MC

arizona480
Offline
Last seen: 8 years 4 months ago
Joined: 2007-05-02 19:15
Yes, yes, and Yes

It remembered eBay, I did a few logins, I killed all the paypal cookies, and tried again.

Jimbo
Offline
Last seen: 4 years 5 months ago
Joined: 2007-12-17 05:43
It is a feature

Paypal's form code has the field attribute set to request that the browser doesn't store the password

The html for it is...
input autocomplete="off" id="login_password" name="login_password" value="" type="password"

And the autocomplete="off" tells the browser not to cache and fill out the password. There are greasemonkey scripts out there to strip that attribute if you want to, and once you get the browser to store it, it will fill it out for you later, but it -is- a security risk.

bakerb04
Offline
Last seen: 16 years 4 months ago
Joined: 2008-03-03 21:29
Why is it a security risk?

Why is it a security risk? With a master password set, NSS Internal FIPS enabled and the master password timeout extension installed I fail to see it as much of a risk. I am hoping that this will allow me the option to internet bank on a internet cafe while I'm travelling if I *really* need to.

Anyone wont to point out the massive security issues to me before I do it?

Jimbo
Offline
Last seen: 4 years 5 months ago
Joined: 2007-12-17 05:43
Mostly becuase

only a minority of people actually use the master password feature. Most people just let the browser remember it all without even thinking about security.

Also, however, the encryption used by master password is considered to be relatively weak. For example there is a tool out there called firemaster that can check hundreds of thousands of passwords per second to dictionary or brute force the passwords. That means for most cases, given the typical complexity of user-chosen passwords, if someone manages to get a copy of the password file, within a few hours or days, they will have all the "protected" passwords.... not nice.

More than that though, it is a really, really, unsafe idea to ever do ebanking from a public computer - there is a seriously high risk of there being keyloggers or other such malware installed, and it is totally beyond your control.

bakerb04
Offline
Last seen: 16 years 4 months ago
Joined: 2008-03-03 21:29
Yeah, I saw Firemaster... It

Yeah, I saw Firemaster... It doesn't seem like too much of a risk if you choose a reasonable password.

> More than that though, it is a really, really, unsafe idea to ever do ebanking from a public computer

Agreed.. but I'm about to go overseas for a while and I can just see myself at some point with no local money, no food and no trustworthy host. If I have a choice between not eating or using a public computer to transfer money then I'll probably choose to eat. Its not a situation I want to be in, but I am trying to set myself up with as many protections as I can before I leave, just in case.

Any pointer for making it as safe as it could be? To me, Firefox password manager seems like a better choice then KeePass for the sole reason that the KeePass 1.* stream seems to have an autotype that a keylogger can easily pick up. I see that as a higher risk then someone getting my mainpassword & usbkey.

Jimbo
Offline
Last seen: 4 years 5 months ago
Joined: 2007-12-17 05:43
If it is just in case of emergency

Then you could do something like create a password-protected archive of FFP, and just store that on the key - then unzip it if and only if you use it, which helps protect against simple loss of the drive.

However, if there is a keylogger, it will capture your master password anyway, and if there is one of the USB imager apps running, it will capture your FFP profile files, so you've still got a problem.

KeePass actually uses a deliberately complex stream to enter the passwords, involving both sent keystrokes and also the clipboard, which can actually fool most keyloggers.

All I can suggest is that you have as few passwords as possible stored, and change them all as soon as you get back.

Or, entrust them to someone back at home, who you can call on the phone to do the transfer for you.

Log in or register to post comments