
Well this is scary. How am I to trust a password manager if something as obvious as this is allowed to be shipped to the end user?



Most password managers are heavily audited. Likely why the Trent Macro one wasn't is because nobody with any technical sense is installing their nonsense to begin with.

But LastPass, KeePass, Chrome's password manager, Firefox's manager, and IE are audited all the time, with tons of exposé articles supposedly trying to inform us about how weak they are (but all these articles do is further clarify how strong they are, since they only find trivial issues, or they misunderstand a feature as a bug).

I cannot recall the last time any of these had what I would consider a REAL security bug.


Most password managers are not heavily audited. Random third parties look at them and occasionally find things, but that's not the same thing as the development team bringing an auditing team in and giving them access to all the source repositories and documentation.


Chrome and Firefox both store saved passwords in plain-text in easily accessible local databases. Don't rely on them to keep passwords safe. I have no experience with IE's password locker.


> Chrome and firefox both store saved passwords in plain-text in easily accessible local databases.

All password managers store plain text passwords. That's literally a requirement for them to work at all.

Chrome encrypts the password in the SQLite database[0] using Windows' CryptProtectData() API, and Firefox encrypts the passwords either using your master password, or if none is set then it encrypts but stores the encryption key in the key3.db.

> Don't rely on them to keep passwords safe.

You've presented no justification for that. If you're using a root compromised machine then no password manager is safe. If your machine is secure then your passwords are secure in both Chrome and Firefox, but more secure in Chrome.

[0] http://www.howtogeek.com/70146/how-secure-are-your-saved-chr...


> All password managers store plain text passwords. That's literally a requirement for them to work at all.

I'm not sure this is what you mean to say, because, obviously, good password managers don't store passwords in cleartext.


You cannot hash passwords in a password manager. It has to be reversibly encrypted and turned back into plain text before utilisation.

So when people complain about password managers storing plain text (as opposed to hashing) they're barking up the wrong tree; it is a necessary evil.

You just want to see them encrypt those plain text passwords so that offline recovery is harder. That's what Firefox's master password, CryptProtectData() for Chrome/IE, and the key-chain in OS X provide.
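As an added illustration of the point this comment makes (not code from anyone in the thread or from any real password manager): a toy vault that reversibly encrypts its entries under a key derived from a master password, so the stored blob never contains the passwords yet the right master password recovers them exactly. PBKDF2-SHA256 and AES-256-GCM are this example's own choices, not a description of what Firefox, Chrome or OS X actually use.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

PBKDF2_ITERATIONS = 600_000   # slows offline guessing of the master password
AEAD_LABEL = 'toy-vault-v1'   # bound into the GCM tag as associated data

# Stretch the master password into a 256-bit AES key. The salt is random per
# vault and stored in the clear beside the ciphertext; it is not secret.
def derive_key(master_password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(master_password, salt, PBKDF2_ITERATIONS, 32, 'sha256')
end

# Encrypt a Hash of site => password with AES-256-GCM. Only salt, IV, tag and
# ciphertext are stored; the key itself is never written out. (If the key were
# saved next to the blob, as the thread describes for Firefox with no master
# password set, anyone with file access could reverse this just as easily.)
def seal_vault(master_password, entries)
  salt = SecureRandom.random_bytes(16)
  iv = SecureRandom.random_bytes(12)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = derive_key(master_password, salt)
  cipher.iv = iv
  cipher.auth_data = AEAD_LABEL
  ciphertext = cipher.update(JSON.generate(entries)) + cipher.final
  { salt: salt, iv: iv, tag: cipher.auth_tag, ciphertext: ciphertext }
end

# Reverse the encryption: the entries come back only by re-deriving the key
# from the right master password. A wrong password or a tampered blob fails
# the GCM tag check, so we return nil instead of garbage.
def open_vault(master_password, vault)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = derive_key(master_password, vault[:salt])
  cipher.iv = vault[:iv]
  cipher.auth_tag = vault[:tag]
  cipher.auth_data = AEAD_LABEL
  JSON.parse(cipher.update(vault[:ciphertext]) + cipher.final)
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample entry; 'hunter2' is a placeholder, not a real credential.
  vault = seal_vault('correct horse battery staple', { 'example.com' => 'hunter2' })
  puts open_vault('correct horse battery staple', vault).inspect   # the entries
  puts open_vault('wrong master password', vault).inspect          # nil
end
```

The stored blob is useless without the master password, which is exactly the "harder offline recovery" the comment asks for; it is not hashing, because hashing could never give the password back.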


I think you're trying to say something akin to but not quite "plaintext equivalent", and your terminology is mangling your argument.


Ah come on, you obviously understand what he is trying to say. You don't always have to interpret every comment online as if the person writing them is stupid.


> All password managers store plain text passwords. That's literally a requirement for them to work at all.

> Chrome encrypts the password in the SQLite database[0] using Windows' CryptProtectData() API

If it's encrypted, then it's not plaintext. It's ciphertext. In infosec lingo plaintext specifically refers to the unencrypted and otherwise unaltered original information.


Seeing as the parent comment was in reply to an assertion that Chrome stores plaintext passwords, I think it was assumed that the assertion intended to mean "Chrome has access to your plaintext passwords", otherwise the reply would simply have been "No, you're wrong".


Firefox will encrypt your saved passwords if you set a master password on the Security Preferences panel. Really should do so by default, but at least it's available as an option.


This is simply untrue.


ON WINDOWS.

A couple of years ago, Chrome joined Safari in using the OS X Keychain. (On Ubuntu, Chrome can also use the gnome-keyring.)


> How am I to trust a password manager if something as obvious as this is allowed to be shipped to the end user?

You don't. Assume every online service you use is subject to security holes. What distinguishes a secure app from an insecure one is revealed after a security incident. That's why I continue to use LastPass simply because they exemplified their security practices during their recent scare.


Have a look at this solution, a shell wrapper around GPG for managing passwords - https://github.com/drduh/pwd.sh



