I actually memorised my credit card number including the expiration date and security code. It's very convenient and I highly recommend it.
It's the bank's problem, to be frank. If you're in the US, your liability for fraud is capped by law at $50 per card.
I simply use my credit card number for my password on every site. It makes it so much easier to remember both. Back in the day I would use my social security number. Thanks to that simple trick, I never get robocalls or spam and I've been removed from most mailing lists because no one will ever issue credit or do business of any kind with me. A hacker stole my identity once and my credit score quadrupled. He even gave my identity back a week later!
You joke but back in the 90s when I first used the internet in the library I had to choose a password for the email. And the requirements were weird. Needs to be an exact length, letters, numbers, and so on. Then I realized my country SSN was a perfect match with the requirements! "Wow that's perfect, so I gonna use that as a password, nobody gonna guess that" - the naïve boy thought. Of course it was hacked by some other classmate that got the same conclusion and I realized that it wasn't that perfect and that almost everyone had the same idea due to the strict exact length requirements. (SSN in my country can be easily found again if you know name and DOB)
Please don't save stuff in your browser. It's very easy to rip those passwords and logins. If you must, keep it in a proper password manager like Bitwarden or KeePass.
How about when using a primary password?
Doesn't matter, can be bypassed on both Firefox and Chrome.
Just checked it, it doesn't seem to be the case
> When you save website passwords, the Primary Password feature encrypts them before storing them on your computer
Chrome passwords are free for the taking though
Yup, I only store testing creds for work use. My actual credentials are in a proper password manager.
Historically, I've seen more "proper" password managers with breaches than browser storage.
Well yeah, if you breach a password manager, you get tons of credentials. If you breach a person's computer, you get one set of credentials. And most of those breaches are low impact, such as Okta:
> For 99.6% of customers, hackers accessed only full names and email addresses, according to Okta, though in some cases they may also have accessed phone numbers, usernames and details of some employee roles.
Here's an example of a browser attack (not necessarily password management, but related):
> These scams have been going on for months, and one YouTuber claims they work through fake sponsors reaching out to creators. The YouTubers are then convinced to download a file related to the sponsorship, which is just malware designed to steal cookies, remotely control PCs, and ultimately hijack YouTube accounts.
Basically, any script that can run on your machine can compromise stored passwords and credit cards if there's no master password set (typically the default behavior). If there is a master password, it could be brute forced (I'm guessing most attackers don't bother). It's just a lot harder to detect this kind of breach since it happens on end-user machines instead of an audited web service. I'm guessing a lot of people get hacked this way, but it doesn't make the news because individuals don't dig into the breach to find the cause.
My understanding is that password managers are still way more secure than using your browser's built-in PW management, and you can take it a step further and self-host (e.g. Bitwarden offers this) to require attackers to actually target you.
The thing with built-in browser password managers like in Chrome or Firefox is even if it's password protected, you can still get those very easily.
Sure, but it requires a more sophisticated attack, so risks are a bit lower. There are tons of easier targets, so an attacker will probably just go after them instead.
But when it comes to a proper password manager, there are a ton of similarly protected accounts, so an attacker will either go for all the data or not bother. You're more likely to get corporate accounts and whatnot than by hacking a built-in browser PW manager, which is a lot more lucrative than someone's credit card info.
But the core point I'm trying to make is that we won't know how many people get hacked with built-in browser password managers because nobody is monitoring them. We do know about proper password manager breaches because someone is watching for them. In other words, absence of evidence is not evidence of absence, so the number of publicly reported breaches won't tell you which is safer, it just tells you which are high profile.
I guess I feel somewhat safer as relatively anonymous target of spearphishing as I have been for 20 years without incident, instead of as part of a much more valuable collective target, even though that data is probably better protected.
I'm guessing you practice relatively secure computing, meaning you don't download suspicious stuff, keep your system updated, etc. But that's not true security, you could always run into a browser vulnerability on a random website.
Also, there's no guarantee that you haven't been hacked, all we know is that you haven't noticed your private information being used. Usually what happens is attackers get a bunch of data then sell it on the black market. Buyers of that data will probably only use a subset of that data, so your data could be sold, just not used. You can check if your passwords have been leaked by examining data sets of leaked latest (e.g. Have I Been Pwned; I recommend not actually sending important info here).
There are two routes to go here:
- Use proper security - high quality password manager, self-host your data (Bitwarden allows this)
- Reduce the impact of a breach (don't use debit cards online, monitor credit card statements, etc)
The second is probably sufficient for most people though.
One important thing to note is that the main reason to go with a password manager is to have really secure passwords that are unique for each site. That way if one service gets breached, attackers can't just use the same credentials on other sites. Browser password managers don't do that, so you're opening yourself up to that if you're not careful in constructing good, unique passwords. I have >100 accounts, each with their own password, and that just wouldn't be feasible without a password manager.
I was with you right up until the unique passwords. I do use a different randomly generated password for each site.
And honestly, that's the 80% of the 80/20 trade-off for security vs practicality. If you use a different password for each site, you're protected from the most common attacks (password dumps). The rest of the measures you could take are just optimizations on the last 20%.
If you have a solid backup plan for if you get hacked (e.g. only use credit online), you're probably fine. Most likely, you're not going to get your browser password manager scraped, because that means you need to both get malware, and get the type of malware that knows how to scrape browser password manager data. If it's protected by a master password, it's incredibly unlikely you'll get hacked unless it's a targeted attack.
But if you want to go the extra mile, you can close a lot of that 20% with a few extra measures. It's up to you how far you choose to go.
With credit cards any fraud is the responsibility of the credit card processor not the individual. So the risk isn't on your side.
No. I don't save cc's on any browser.
Don't save anything* in a browser. Permanent private mode
No... not leaving cc on any browser... I use KeePassXC and set up to clear anything in the clipboard within 10 seconds
> reversible encryption
All encryption is reversible, otherwise it wouldn't be encryption, it would be a hash. If you don't use a password, it's easy to reverse the encryption. If you do use a password, the maximum security with a brute force attack is 112 bits, which is pretty weak.
I recommend using a different password management service (which also handles credit card info), any password manager will be fine. I personally use Bitwarden, which uses 256 bits of encryption. That's pretty standard across password managers, so you're better off focusing on making a secure password.
That said, if you're only worried about credit card info and not storing passwords in Firefox, you're probably fine. Credit cards have a ton of protection, so if someone steals your card info, call your bank to dispute the fraudulent transactions and get a new card, it doesn't cost anything and has little hassle. Debit cards are another story, so I recommend just not using debit cards at all online.
Prepaid debit cards for the win. You need to buy something online? Open your banking app, transfer the amount to the card, pay. After that the card is empty and cannot be used to pay for anything until you need it again.
That sounds like way more effort than a credit card, especially here in the US where transfers between banks take 2-3 days.
If you really want to avoid credit, you can lock your debit card and unlock it when you make a purchase. That's still annoying, but effective. But if you're responsible, there's really no reason to avoid credit, and you get rewards on top.
> especially here in the US where transfers between banks take 2-3 days.
*Laughs in SEPA Instant Transfer*
Anyhow, locking and unlocking is an option. Using "3D Secure" systems - which require a secondary approval via an app or website - works significantly better, and chargebacks are one tap in a banking app (modern apps, so US might again be fucked here).
You still lose the money, though. But I get your point for someone who's staunchly anti credit card
Lose the money? You mean by having a prepaid or by using it to buy stuff?
If it gets stolen (i.e. scam, or breached website), you can't charge back like with a credit card. That money is still gone, but you do limit your losses compared to using your main debit card.
Oh yeah that is true. But at least if just your card details are stolen the card is unusable when empty. As I said it's best to just keep it empty until you actually buy something and you just put on the exact amount you need.
Unrelated, I actually don't know if prepaid Visa cards have the same protections as real credit cards. Something to look into, perhaps.
What would those be? I don't have a credit card so I have no idea what kind of protections they have. I know the prepaid does not work if the amount on the card is lower than the transaction you are trying to do.
On credit cards, the most important protection is the ability to charge back fraudulent purchases. You just call your bank, tell them which purchase is fraudulent and you'd like charged back for which reason, they then contact the seller to determine what happened, and if they either don't play ball or don't answer, they charge back and rip the money out of the recipient's accounts.
Real credit cards also have other protections, such as mobile device protection, travel insurance (cancellation, sickness, etc.), cash back (paid for by merchant with credit card fees), whatnot.
As for where to get prepaid cards, it depends on where you are, but in Canada, lots of banks offer pre-paid Visa cards, especially useful for teenagers so they can make online purchases without the responsibility of a credit card.
--
I just looked it up, it was actually pretty hard to find. Desjardins and Scotia both discontinued their prepaid cards, but here's an example of one from CIBC: https://www.cibc.com/en/personal-banking/prepaid/ac-conversion-card.html
Ah I see. Most banks here offer prepaid cards as well. I have one and must admit it's probably a good choice I got myself one.
> banking app
Cringe
What do you use then?
A dedicated VM, a hardened/single-site/incognito browser, and website.
So something that's even worse, cool.
An app can use a lot more factors than this "hardened" browser.
Quit your trolling.
What? There's only 2 secure factors, and I use two when I log in with my browser.
Most people have phones with biometric or shitty passwords. It's not a safe device for sensitive things like banks.
You're cringe