
Saving passwords in browsers

SalesForce.com
I get annoyed at some companies’ misguided attempts at password security. Take SalesForce.com, for instance (please!).

SalesForce is a web-based customer relationship management system. It holds a lot of sensitive corporate data and rightly should be protected from unauthorized access. While we SalesForce customers are expected to trust SalesForce with what we consider sensitive data, SalesForce does not trust us with what it considers sensitive data, namely one’s own SalesForce password. SalesForce deliberately disables the ability of Firefox and other web browsers to automatically save your SalesForce password and automatically re-enter it when you return to the login page.

Why is this boneheaded? The recent, astonishing advances in password cracking have convinced me that any password one can easily remember isn’t strong enough. Also, simply adding non-alphabetical characters isn’t enough. The only thing that will stave off the hackers is a password that’s a good combination of length and randomness.

My SalesForce password consists of over two dozen characters. You would think that would be good enough for SalesForce, but it only accepted my password when I added a few non-alphabetical characters. Never mind that each additional character (whether alphabetical or non-alphabetical) makes the password exponentially more difficult to crack; SalesForce thinks that the addition of an exclamation point somehow does the trick.

After all that, SalesForce now insists that I retype it every time I log in. This means one of two things:

  1. The password is so blatantly obvious that I don’t have to write it down (but consequently it is easy to crack).
  2. The password is a strong one and I do have to write it down. However, I run the risk of leaving it where it can be found.

I’m a true believer that Scenario #2 is best. A Chinese hacker might crack my SalesForce password but she won’t ever get to the password list I keep in my wallet (or my password safe).

What does blocking password-saving get you? Aggravated customers who pick weak passwords just because they have to type them in constantly. What would be a better approach? Let your customers save their own passwords but enforce password strength rules. After all, if our “mythical” Chinese hacker did gain control of a SalesForce customer’s laptop, and thus gain access to the entire corporate network, isn’t blocking her from accessing SalesForce the network security equivalent of rearranging Titanic deck chairs?
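To put numbers behind the two points above (that each extra character multiplies the search space, and that a strength rule should measure strength rather than demand a symbol), here is an added example that is not part of the original post and does not reflect SalesForce’s actual policy, which is unknown. It compares a “must contain a non-alphabetical character” rule with a rule based on the size of the search space a brute-force cracker would face. The 33-symbol count is the printable-ASCII punctuation set and the 64-bit threshold is an assumed policy value.

```javascript
// Added example (not from the original post). Compares a symbol-based
// password rule with a search-space (entropy) rule.

// Size of the alphabet a brute-force attacker must assume, based on the
// character classes actually present in the password.
function charsetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if (/[^a-zA-Z0-9]/.test(password)) size += 33; // printable ASCII punctuation
  return size;
}

// Upper bound on strength in bits: log2(charset ^ length) = length * log2(charset).
// Every extra character adds log2(charset) bits, i.e. multiplies the search
// space, which is the "exponentially more difficult" point from the post.
// Caveat: this assumes random choice; dictionary words and patterns lower it.
function entropyBits(password) {
  const n = charsetSize(password);
  return n === 0 ? 0 : password.length * Math.log2(n);
}

// The "symbol rule": any password of 8+ characters with a non-alphanumeric
// character passes, regardless of how small the search space is.
function symbolRulePasses(password) {
  return password.length >= 8 && /[^a-zA-Z0-9]/.test(password);
}

// The "entropy rule": a password passes if the search space is large enough,
// regardless of which character classes it uses. minBits is an assumed value.
function entropyRulePasses(password, minBits = 64) {
  return entropyBits(password) >= minBits;
}

// Constructed sample passwords (not real credentials).
const samples = [
  "P@ssw0rd",                    // short, has symbol: passes symbol rule only
  "thequickbrownfoxjumpsoverit", // long, letters only: passes entropy rule only
];

for (const p of samples) {
  console.log(
    `${p}: ${entropyBits(p).toFixed(1)} bits, ` +
    `symbol rule=${symbolRulePasses(p)}, entropy rule=${entropyRulePasses(p)}`
  );
}
```

The eight-character password with a symbol has a search space of 95^8, about 52 bits, while the twenty-seven-character lowercase string has 26^27, about 127 bits. The symbol rule accepts the weaker one and rejects the stronger one; the entropy rule gets both right.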

Fortunately, others have seen the absurdity of this and discovered workarounds. A lively debate ensued when a Firefox user filed a bug against this behavior. A plugin was created to always store passwords, and a simple hack of Firefox’s JavaScript fixes the browser’s complicity in this bad behavior.

Update: Hacking the JavaScript didn’t do it for me. The quickest and easiest way to get Firefox remembering passwords is to use the Remember Passwords plugin.