Any LibreWolf experts here who know how this Wolf handles saved passwords / auto-login?
It's the only browser that I'm aware of that shoots saved credentials directly into the login forms without any further clicks. You just have to click "login" and you are ready to go.
Unfortunately, here at my workplace I'm forced to use Chrome and I have to log in on many different sites throughout the day. Mostly 3 to 4 clicks every time:
Activate login form - click
Open saved credentials context menu - click
Choose desired creds from list - click
Login - click
Even the global password manager Keeper is not very helpful on websites. Even more interactions are necessary for logins.
Firefox is also installed, so I thought someone could recommend an addon or userscript, though I'm cautious with third-party addons that handle credentials. On the other side there is Google password manager in Chrome...
First and foremost:
Do not save passwords in browsers.
Seriously, they all suck at it. I work in cybersecurity. Every time we see a workstation get compromised, one of the first actions the attacker's scripts do is pull credentials from the browser. We had one just a couple weeks ago and the users had dozens of personal passwords compromised this way. Please, just don't store passwords in your browser.
As another poster mentioned, BitWarden is great. I personally use KeePass. At least with Firefox, the Kee extension can let it autofill forms. I think BitWarden has something similar.
Exceptionally, I'm looking for the fastest solution, not the safest one, without violating company security policies. I personally use KeePass, too. I'll check out those extensions, thanks! One question: Browsers do not store credentials encrypted? Or too weakly encrypted?
They are encrypted and the encryption is just fine. The problem is that the key is stored locally on your system and can be used to decrypt them automatically. And crucially, that key is not encrypted, it's just encoded in a well-known format (base64). This means that it's trivial for an attacker's script to retrieve them, use that key to decrypt them, and send them up to the attacker's Command and Control (C2) server. As an analogy, imagine having the world's best lock on your front door, but you have the key under your door mat. The lock counts for fuck all, because any thief who isn't a complete moron will look under the mat.
You can actually see this in action for yourself, without your passwords being sent to an attacker. NirSoft has a tool called ChromePass which will retrieve and display passwords saved in Chrome. If I run this on my own system, I get something like:
And this works whether or not the browser is running. So, if you get phished, or get hit by an unpatched vulnerability, any password you have saved in your browser is now in the hands of an attacker. And this happens in the first few seconds of an infection. It only takes one mistake and they are gone. And, while we all like to think that we are immune to phishing or mistakes like that, we all fuck up. It happens. This is why we plan for "defense in depth". Keeping your passwords out of a browser means that, when you make that mistake, they don't end up in the hands of attackers.
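As an added example (not part of the original post): the comment above describes scripts reading the browser's saved logins and the locally stored key from outside the browser, and one way to detect that pattern is to flag non-browser processes that open those files. The event schema, install paths and sample events below are constructed assumptions.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Credential-store files in Chromium-family and Firefox-family profiles.
STORE_FILES = {"login data", "logins.json"}  # encrypted saved logins
KEY_FILES = {"local state", "key4.db"}       # key material kept beside them
# Assumption: binaries allowed to open these files; tune for your fleet.
BROWSERS = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\program files\librewolf\librewolf.exe",
}

def find_store_readers(log_lines):
    """Return {process_image: severity} for non-browser readers of the store."""
    touched = defaultdict(set)
    for line in log_lines:
        try:
            event = json.loads(line)
            image = event["image"].lower()
            name = PureWindowsPath(event["target"]).name.lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed or incomplete records
        if name in STORE_FILES | KEY_FILES and image not in BROWSERS:
            touched[image].add(name)
    # One process reading both the logins and the key material is the
    # pattern the post describes, so it is rated higher than a single read.
    return {
        image: "high" if names & STORE_FILES and names & KEY_FILES else "medium"
        for image, names in touched.items()
    }

# Constructed sample events (hypothetical schema: image, target).
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
def _ev(image, target):
    return json.dumps({"image": image, "target": target})
SAMPLE = [
    _ev(r"C:\Program Files\Google\Chrome\Application\chrome.exe", PROFILE + r"\Default\Login Data"),
    _ev(r"C:\Users\alice\Downloads\invoice_viewer.exe", PROFILE + r"\Local State"),
    _ev(r"C:\Users\alice\Downloads\invoice_viewer.exe", PROFILE + r"\Default\Login Data"),
    _ev(r"C:\Users\alice\AppData\Local\Temp\chrome.exe", PROFILE + r"\Default\Login Data"),
    "not json",
]

if __name__ == "__main__":
    for image, severity in find_store_readers(SAMPLE).items():
        print(severity, image)
```

The allowlist matches on full path rather than file name, so the look-alike `chrome.exe` running from a temp directory is still flagged.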
Thanks! Will check it out. Addon recommendations by LibreWolf itself sound nice. Most important addon is in any case uBlock Origin. No way around it. Also for security reasons, not just for ad blocking.
LibreWolf is Firefox with privacy and security enhancements. If you want to, you would be able to do the same in Firefox, unless your employer has disabled that. There's a Bitwarden extension for Firefox that does auto-fill. Sign up with Bitwarden for a free-of-charge account, or self-host a Vaultwarden server. Are you allowed to run Docker on your workplace computer?
Looking for a short way without involving the in-house IT department right now. I've used Bitwarden once a long time ago and I will check it out again and those browser extensions. Thanks! Not sure about Docker. That would be for the Vaultwarden server?
> Looking for a short way without involving inhouse IT department right now. I’ve used Bitwarden once long time ago and I will check it out again and those browser extensions. Thanks!
You can use two factor authentication with Bitwarden, and their passkeys implementation is in the works.
> Not sure about Docker. That would be for the Vaultwarden server?
Yes, but easiest would be a sign up with bitwarden.com for a free or premium account.