Jeremiah Grossman: I know who your name, where you work, and live. Appalling unfixed vulnerability in Safari 4 and 5 —if you have the “AutoFill web forms using info from my Address Book card” feature enabled (it’s on by default) malicious JavaScript on any site can steal your name, company, state and e-mail address—and would be able to get your phone number too if there wasn’t a bug involving strings that start with a number. The temporary fix is to disable that preference.
Sign in with 
OpenID
I may sound paranoid, but I never allow browsers I use to store any of that stuff. Never save passwords, never save form values, never auto-fill. I'll type my info when needed, thankyouverymuch.
That said, I've several times tried to set up civilians with systems to manage passwords -- domain-specific bookmarklet, keepassx, 1password. All failed. People just will not, in general, put up with a hassle in return for security.
It's like we need usable security or something. ;-)
Jeremy Dunck - 22nd July 2010 14:54 - #
You can do a similar thing with Firefox's auto-filled usernames and passwords; obviously it's limited by domain, but that doesn't help if the site has an XSS vulnerability.
I wrote about it on my site 2 years ago, but nothing has changed - not surprising, as Mozilla's approach to the issue at the time was "I don't think we should sacrifice usability this much just to slightly mitigate the effect of a successful XSS attack."
Richard Terry - 23rd July 2010 10:06 - #