As a security professional, I have a number of things I consider bad habits. One of these is that I let Firefox remember many of my passwords for me, at least when it comes to my low security sites. And for better or for worse I consider the blog one of the low risk sites, therefore I let Firefox keep the password for me and just know that I can log in with a click of the button. Until tonight that is; I upgraded to Firefox 3 beta 4 and for whatever reason, it lost the password to the blog.
At first, I didn’t think this was a big deal; after all I was pretty sure I remembered the password. But after trying the password I thought it was and half a dozen of my other passwords I use on low risk sites, none of them worked. I figured that was not a big deal either, since I could just use the reset password function to … well, reset my password. But that module told me I had a valid account name but an invalid e-mail address. This made me panic a little because I know that I sometimes get a little tricky with my email addresses and add a few descriptive characters then redirect to my active email address once the email hits my mail server. None of the standard email addresses worked, neither did some of the non-standards, and eventually I exceeded the allowed attempts.
That’s when I remembered the one other place I knew I had the password stored, Scribefire. I have been using Scribefire in one form or another for several years now, and in fact I’m writing this posting in it. It’s a great tool for WYSIWIG editing and life would be harder without it. One of the things they’ve done right is to make sure that you can’t recover the user name or password from inside Scribefire, a security measure I appreciate. Or usually appreciate, that is.
That’s when I remembered that for all the things WordPress does right, the login is done over plain vanilla http. There’s no encryption, no use of SSL, nothing. And since Scribefire has to log into WordPress to do some of the magic it does, that means the user name and password would be flowing across the ethernet cable in plain text. I had an older version of Ethereal, now Wireshark, on my system, fired that up, played with Scribefire for a couple of moments and examined the capture. Sure as snot, there was my user name and password, plain as day. Turns out I’d had the proper password, but I’d forgotten a character that’s supposed to capitalized in the user name. D’ooh.
The real lesson here is not that you shouldn’t rely on your browser to remember your password. Okay, that is a lesson, but it’s not the real lesson. The real lesson is that all too often, our passwords, user names and other sensitive information is flowing across the network unencrypted. It’s open for anyone with a little bit of curiosity. They just need one of the first tools any aspiring security pro or hacker learns to use, a sniffer. In properly switched and segmented networks, this may not be a problem, but there are probably more poorly setup networks than properly configured ones. And I don’t want to rely on the work of a network administrator I don’t know to keep me safe, I want my programs to do it themselves. I’m currently looking at Login Encrypt as a WordPress plugin to solve the problem, but I’m going to keep looking before I bite on this one. But this only solves the problem in WordPress; what about all of the other sites I use that allow unencrypted login?