bug: firefox password manager

August 22nd, 2007

the password manager in firefox has/had a remote exploit where a website could use javascript to extract the usernames/passwords from the password manager. the best solution would be not to use the password manager at all (use something like keepass instead) or to load the master password timeout firefox extension.

i like the idea of having a centralized place for passwords. i’ve been using the firefox password manager for years along with trying to use the supergenpass bookmarklet to hash my passwords. for a while it worked, but since i’ve changed my primary machine so many times in the last few years, my passwords are a mess.

for right now i’m trying to organize all my passwords on my pocketpc using the pocketpc keepass port. all i have to manage right now is 1 master password and a kdb file which can only be unlocked with the password. the only issue i’m having is that i’ve lost my pocketpc kdb file when it was on my storage card, so now i have to work out some way to sync the pocketpc. i’m also trying to get away from closed source applications, so i need to look for something other than activesync.

i also need to get back into the habit of reading the firefox release notes. ( firefox 2.0.0.6 release notes )

sources: slashdot.org & www.heise-security.co.uk
