Can a browser plugin/addon access my passwords?
This post applies only to Firefox and Chromium/Google Chrome. I cannot comment on Internet Explorer, Opera or mobile browsers. Also, my math further down could be wrong, but the basic idea is correct.
Of course this is possible, though, in the case of Firefox and Chrome/Chromium, unlikely.
Are my passwords (which are stored in the browser) safe?
This answer is one of my favorites: It depends. Passwords that are saved by the browser need to fulfill one important, and, from a security point of view, nightmarish, condition: They need to be plaintext or revertible to plaintext.
Plaintext vs. Encrypted vs. Hashed
Why is that bad? Well, imagine someone breaks into a server and steals the password database. There are two possible outcomes:
- The passwords are plaintext (or easily reversible), so the cracker now has full access to all accounts.
- The passwords are hashed (or encrypted), a brute-force attack against the hashes would be necessary to get the passwords and access to the accounts. Even now that your username and password are stolen, your account is still safe.
Since the browser needs to be able to send the password to websites, it cannot hash passwords, it can only encrypt them (or even store them as plaintext). This is something that one should always keep in mind (the same goes for email clients, chat applications, and so forth).
Just because it is encrypted, doesn't mean it's safe
Firefox, by default, allows you to save passwords. It also encrypts them. The same applies to Chromium (see addendum "Well, it depends..."). The problem with this is that the key for decryption is also stored with the passwords. This renders the encryption a minor inconvenience for someone who wants your passwords and does not stop them in any way.
Then don't store the key with the passwords!
That's right, to make the passwords safer, we need to get the key away from the encrypted passwords. This is done in Firefox by setting a Master Password, which is then used to encrypt and decrypt all your passwords. By using this technique, you separate the key from the encrypted data, which is always a good idea (after all, you're not keeping your front door key on a hook in front of your door on the outside, right?).
Passwords are only as safe as you make them
So, why did I say earlier that your passwords are now safer and not safe? Because now the safety of your passwords depends on the password you've chosen. That is, the password "asdf" should not be considered safe in any way; neither is "12345". Good passwords are long, because brute-forcing them takes a considerable amount of time. The password "VioletIsAnotherColor" is technically more secure than "D0!l4riZe" because of its length, despite the fact that the second contains special characters. Let's have a short look at that.
"VioletIsAnotherColor"
Length: 20
Possible characters: 52 (26 lowercase + 26 uppercase)"D0!l4riZe"
Length: 9
Possible Characters: 77 (26 lower + 26 upper + 10 digits + 15 specials)
Specials: !"@$%&/()=?*+#-
So, how many attempts do we need to break those passwords, knowing their character sets and length?
"VioletIsAnotherColor"
5220 = ~20 decillion (~2 × 1034)"D0!l4riZe"
779 = ~95 quadrillion (~9 × 1016)
As we see, the latter password, despite the broader character set, is easier to brute-force than the long one with its limited set. This is because of the length. (Another upside is that the first one is easier to remember.) See this IT Security question for details on the matter.
So, if possible, use a passphrase, not a password.
Back on topic, how safe are my passwords from a spoofing addon?
They're not. This is because addons have access to the website you just visited. They can extract information from it, including entered passwords. Addons are a security risk like any other installed software. Install only addons that you trust.
Great! How do I know that?
Install only addons from sources you trust. For Firefox it's the AddOns page and for Chromium it's the Chrome Web Store, or if you trust the author/distributor. Both guarantee that the AddOns are checked and safe.
Neither the the Mozilla AddOns page nor the Chrome Web Store are guaranteeing in any way that the addon is safe. They employ automated reviews processes which might or might catch malicious addons. At the end of the day, there is still a risk left.
Only install addons from sources which you trust.
Wait a moment; did you just mention other installed software?
Of course! Nothing hinders other installed software from grabbing your passwords from the browser, performing man-in-the-middle attacks, or even serving a proxy that spoofs your banking websites. The same goes for Browser Plugins. The rule of thumb is: Do not install software you can't trust.
Conclusion
What should you take away from this?
- Never install software/plugins/addons you do not trust.
- If you are still in doubt, set a master password.
- If still in doubt, don't trust your browser with passwords, never save them.
- If still in doubt, never install any addons/plugins.
- If still in doubt, use a live system, which cannot be tampered with.
Addendum: "Well, it depends..."
As I came to learn, my assumptions in this paragraph are not 100% correct, and I'd like to correct that. The following information applies only to storage of the passwords on the disk.
Google Chrome/Chromium
It actually does save your passwords in a secure manner on the disk, depending on the operating system it is running on:
Microsoft Windows
The Microsoft Windows API CryptProtectData
/CryptUnprotectData
is used to encrypt/decrypt the password. This API works with your OS account password, so it is only as secure as that password is.
MacOS
The layer for MacOS generates a random key based on the password of the keychain of the current user and adds that key to the keychain. Again, this only is as secure as the password of the user.
Linux
Well...let's not talk about it.
Okay, if you have to know, it does exactly what I assumed: it stores the data with a hardcoded password. Why is this the case? Simply because there is no common infrastructure in place to handle encrypted data in a way to the other two systems. No, I did not just say that Linux lacks encryption systems or security; there are plenty of keyring/keychain and password storage solutions available in the userspace. As it seems, Chrome developers decided to not use one of those. "Why?" is not a question I can answer.
Firefox
Always uses a generated key which is stored alongside the passwords. Exception is if you set a master password, then this will also be used.