> Firefox 2/IE7: Beware Of Using Password Manager
Niru
post Nov 25 2006, 04:28 AM
Post #11
Thanks for the info, friend!
I never use those built-in password managers in IE and Firefox!

I used to go with AI RoboForm http://www.roboform.com/
It's a rocking piece of software, and it's compatible with all the major browsers like:
IE, Firefox, Mozilla, Netscape 7, Netscape 8, SeaMonkey, Flock

QUOTE
Complete List of Supported and Not Supported Browsers

If browser is listed and the line does not say that it is not supported, then browser is supported.
If you do not see your favorite browser in this list, let us know.

4cvision
550access
Abolimba
Accutrade
Ace Explorer
Adorama Print Wizard
Advanced Browser
AM Browser
AOL browser
AOL client
AOL Explorer
Avant -- with RoboForm toolbar
Auction Sentry
Auction Tamer
Bay Office
BigOven
Bingooo
BroadPage
BT + Yahoo browser
Bubbles (IE mode)
Cayman Browser
Chaos !ntellect
Compuserve ver 6 or less -- supported
Compuserve ver 7 -- NOT supported
Copernic
Crazy Browser
DeepNet
Donut (JP)
DonutP
DonutQ
DX Browser
E2 by VNcom
EarthLink Browser
Enfish OneSpace
Enigma Browser
Explorer 2002
Expensable
Fast Browser
FastStone
Firefox -- Adapter required
Flock -- Adapter required
Front Page
Fun Browser
GoSurf
Grani
Green Browser
GuruNet FactFinder
Ideal Browser
IE Opera
Internet Explorer -- with RoboForm toolbar
Internet Surfer
iPostage
iRider
iTreeSurf
jBrowser
Juno
KIKI (JP)
KK Man
Kontiki
K-Meleon -- NOT supported
LunaScape (JP)
m9P Surfer
MaxThon -- with RoboForm toolbar
Medical Browser
Money (MS)
Moon Browser (JP)
Motive Browser
Mozilla -- Adapter required
MSN ver 6 to 9
MSN TV -- NOT supported
MusicMatch Jukebox
MyIE2 -- with RoboForm toolbar
MyWeb4Net
Napster
NeoPlanet
NetCaptor (with RoboForm toolbar)
Netscape ver 4 -- NOT supported
Netscape ver 7 -- Adapter required
NetSurf
Oligo
Opera -- NOT supported
Optimal Desktop
Outlook (MS)
Public Web Browser
Quicken (Pro)
QuickBooks
People PC
RealOne Player
Research Desk by Winferno
Paid Help
Paragon Last Minute
PC Health
PhaseOut
PSP 8 Register
SAP logon
Safari -- NOT supported
SBC + Yahoo browser
Secure IE
Sleipnir (IE mode)
Slim Browser -- with RoboForm toolbar
Smart Explorer
SnipeRight
SR Browser
SurfBoard by HP
Sweepstakes Online
Tablane
Tabrowser
TG Games
TenCent Browser
TextBrowser (JP)
Tiscali Browser
T-Online Browser
TurboSweeps
Ultra Browser
UltraRecall
unDonut (JP)
WalMart Connect
Wanadoo Browser
WebMA (KR)
WebMoney
WebSite Watcher
WebSpeedReader
Wichio
Windows Media Player
WinFerno
Wysigot
Yahoo Browser
Yahoo Music Engine
ZapTastic



But one piece of sad news is, RoboForm does not work with the Opera browser.

It can fill personal information into online forms, generate secure random passwords, and encrypt passwords and personal data using powerful encryption algorithms like AES, Blowfish, RC6, 3-DES or 1-DES.
Using that you can back up, restore and print your passwords! Using that you can auto-save passwords in the browser and auto-fill passwords into login forms!
And you don't need to enter a single character in the address bar to log in to any of the websites!
Just click the desired RoboForm login account! That will open the desired address, auto-fill the login forms, and submit the forms!
Alegis
post Nov 25 2006, 11:14 AM
Post #12
I do use the password manager, but stopped using add-ons such as Gmail Notifier for Firefox (got the desktop one from Google instead), as other add-ons would have been able to access my Gmail login info then.

Well, I'm not using a virus scanner and the like either, as I know what I'm doing and which sites I visit, so I'm not panicking. They'll fix this soon enough. Either way, I love the password manager.
black shadow
post Nov 25 2006, 05:12 PM
Post #13
I don't think that's true; a lot of people use the FF password manager and nothing happened. I ain't so sure about IE since it sucks, you may lose your password, but it's highly unlikely, maybe if you visit porn and warez type sites that have all sorts of trojans and stuff.
saint-michael
post Nov 26 2006, 07:39 AM
Post #14
Interesting little post. Lucky for me, I can tell a fake from a legit site, and I only save my passwords for very specific sites and whatnot.
kgd2006
post Nov 26 2006, 10:07 AM
Post #15
Thanks for the tip micro, I'm a Firefox and IE7 user and I sometimes use the password manager; now I am considering not using it at all because of this post. Don't want to run the risk of having people make my life harder than it already is. Thanks again for the helpful hint...
seec77
post Nov 26 2006, 11:38 AM
Post #16
I might be missing something big here, but the way I see it, miCRoSCoPiC^eaRthLinG is spreading lots of FUD!
Phishing is a long-known phenomenon that involves crafting a fake website to look like a legitimate one and thus luring (or "fishing") naive users into logging in with sensitive information, such as credentials or billing information, on the hacker's server, thus basically giving away your bank account or whatever else to him.

Let me expand on this concept with an example. Imagine you have an account over at Neopets. For those who don't know, NP is a virtual pet site, where you can raise your pet and collect money and items. Say you have been slaving over this account for ages, accumulating vast amounts of "neopoints" (the site's fictional currency) and other valuable items, and training your "neopet" in various activities. Now, say some immature kid is trying to deceive you into letting him access your account. He will create a page that looks exactly like the Neopets login page, and give you the link to it, but when you log in it actually sends your password over to his computer, which he can then use to steal your account.

There are many ways to "phish" users to a fake page. Many involve tricks and psychological games that will only work on computer users who are not very tech-savvy. Obviously, browsers cannot defend against this phenomenon 100%, because how can a browser know if a page is legitimate or fake? Maybe cross-site scripting can be detected by a piece of software, but that's just one of many methods of phishing. This is not a "bug" in Fx or IE, because it is the user's naivety that leads to ingenuousness that leads to the vulnerability that these types of attacks cause.

Apart from the fact that you really can't blame the browsers for these problems, Firefox 2 and Internet Explorer 7 both feature phishing protection in the form of validating websites against a list of known harmful pages (Fx actually gets its list from the almighty Google). So don't go denouncing any browser for its "vulnerability" to phishing! Oh, and by the way, for all you Opera zealots: Opera will only feature fraud protection in version 9.1, which hasn't been released yet, and it will be turned off by default.

Maybe I wrote this whole post just because I didn't understand something in this topic, but from what I can see a lot of critical information has been missing here!! Sorry.
Arbitrary
post Nov 29 2006, 05:53 AM
Post #17
@seec77, I think miCRoSCoPiC^eaRthLinG's point was that because of the way Firefox/IE7 were designed, when you do visit one of those phishing sites that try to steal your password, they can directly access your password manager the minute they ask you to fill out a form.

So basically it's like you go to that fake Neopets site, attempt to log in with your username and password, and then your Neopets username and password, along with all the usernames and passwords stored in your password manager, are sent to the phisher.

Browsers in this case can be blamed, since it's their password managers that are the vulnerable ones. If they somehow changed the architecture of their password managers, then maybe people would feel safer using them.

Anyway, I guess I'm now kind of scared, so maybe I'll start deleting my passwords from my password manager now. And I'm seriously beginning to doubt the Gmail Manager. I mean, sure, it looks great and all, but maybe it'd be smarter just to download the prestigious Google's manager.
miCRoSCoPiC^eaRt...
post Nov 29 2006, 07:46 AM
Post #18
QUOTE(seec77 @ Nov 26 2006, 06:38 PM)

Let me expand on this concept with an example. Imagine you have an account over at Neopets. For those who don't know, NP is a virtual pet site, where you can raise your pet and collect money and items. Say you have been slaving over this account for ages, accumulating vast amounts of "neopoints" (the site's fictional currency) and other valuable items, and training your "neopet" in various activities. Now, say some immature kid is trying to deceive you into letting him access your account. He will create a page that looks exactly like the Neopets login page, and give you the link to it, but when you log in it actually sends your password over to his computer, which he can then use to steal your account.


Now let me explain a little bit about how this Password Manager vulnerability compares to common phishing attacks. What you've stated is the most common mode of phishing: someone creates a lookalike of a popular site, BUT usually at a different, similar-sounding URL, and then tricks users into following that URL, thus revealing their login credentials.

However, this exploit can happen over VALID URLs, and hence even careful users might fall into the trap. Here's an example --> A lot of the popular social networking sites have started offering human-readable links to member profiles, rather than the cryptic PHP-variable-based dynamic URLs. Currently MySpace, Hi5 etc. all offer such links.

Example:
MySpace: http://www.myspace.com/microscopic-earthling
Hi5: http://microscopic-earthling.hi5.com

Compared to this, earlier on the links took the form: http://www.social_network.com/index.php?profileid=xxxx

While the new URLs are clearly legible and easy to remember, they've opened up a new avenue of exploit.

As I said, earlier on a phisher would have had to trick a user into following the phishing URL, but since the domain name would be different, password managers wouldn't pop up on their own and/or offer to fill the forms.

The browser pass managers essentially rely on the Domain Name + Form Elements combo to fill the pages. You might have noticed that if the name of a certain form element (say the login/password input boxes) changes on a page, the password managers won't be able to fill them in properly.

Anyway, supposing the login page for MySpace is:
http://www.myspace.com/login_form.html

With the new Profile URL scheme, I can easily create a profile that looks like:
http://www.myspace.com/login_form_html
... and install an exact copy of the MySpace login form there instead of my profile, and then make it redirect to my own database for storing the usernames/passes.

Since the DOMAIN is the same and so are the FORM ELEMENTS, the password managers are fooled into believing that they've reached the valid login page and thus fill up the form without thinking twice. Come to think of it, this approach can even fool careful users, who might not notice that the "." before html was replaced by a "_".

The whole point of this panic is that the pass managers don't validate the URLs properly before filling in the form; for some reason the coding for form fill-up is extremely loose & sloppy. It's really funny why none of the coders ever thought of this before!! It's quite an evident validation issue. Hopefully it'll be rectified soon.

And I hope that explains why this isn't a baseless issue of FUD, and why people should think twice before using the existing pass managers, till the fixes are released.

Cheers,
m^e
Quatrux
post Nov 29 2006, 04:06 PM
Post #19
But as I know, say on Opera I can choose to use the password and login for the entire domain or just for that file/URL/address accessed, so that means domain.net/login.html and login.domains.net will be different, even if the address changed to domain.net/login_x.html. But if you choose to use the same login information for the entire domain, then it will only check for the form input names and stuff.. But I usually browse services I trust and never did get this kind of password, but what's the difference whether the login is made automatically with the password manager or manually by hand? You will still send the password if you didn't see that the login page is actually not login.html but login_x.html... As I know, the password manager only works on Opera when you click Ctrl+Enter, and on Firefox only when you push the submit button with chosen automatic logins; it is just easier for you and you don't need to waste time entering the same username and password again.. :F
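To make the matching rules from m^e's and Quatrux's posts concrete, here is an added example in JavaScript (not code from the thread, and not any browser's actual implementation): a toy autofill policy that compares a stored login against the page and form it is about to fill. The URLs, the field names and the attacker.example host are constructed; "domain" models the host-plus-field-names matching the thread describes, "exact" models the per-address option Quatrux describes for Opera.

```javascript
// Added example, not from the thread: a toy autofill policy that models the
// two matching behaviours discussed above. "domain" compares only the host
// and the form's field names (the loose behaviour the thread describes);
// "exact" additionally requires the same page origin and path and the same
// submit-target origin as the login that was saved. All values are constructed.

// A saved login, recorded when the user first submitted the real form.
const savedLogin = {
  pageUrl: "http://www.myspace.com/login_form.html", // page it was saved on
  action: "http://www.myspace.com/login_form.html",  // where that form posted
  fields: ["username", "password"],                  // input names it filled
};

// Compare two field-name lists regardless of order.
function sameFieldNames(a, b) {
  return JSON.stringify([...a].sort()) === JSON.stringify([...b].sort());
}

// Should the manager autofill `form` (an object with `action` and `fields`)
// found on `pageUrl`, given the stored login `saved` and the matching `policy`?
function shouldAutofill(saved, pageUrl, form, policy) {
  const page = new URL(pageUrl);
  const savedPage = new URL(saved.pageUrl);
  // A relative action resolves against the current page, as a browser would.
  const action = new URL(form.action, pageUrl);
  const savedAction = new URL(saved.action);

  // Both policies start from the host + field-name combo the thread describes.
  if (page.hostname !== savedPage.hostname) return false;
  if (!sameFieldNames(form.fields, saved.fields)) return false;
  if (policy === "domain") return true;

  // "exact": the spoofed profile at /login_form_html fails the path check,
  // and a form posting to another server fails the action-origin check.
  return page.origin === savedPage.origin &&
         page.pathname === savedPage.pathname &&
         action.origin === savedAction.origin;
}

// The thread's scenario: a profile page on the same host carrying a copy of
// the login form, whose action points at a constructed attacker host.
const spoofedPage = "http://www.myspace.com/login_form_html";
const spoofedForm = { action: "http://attacker.example/collect", fields: ["username", "password"] };
console.log(shouldAutofill(savedLogin, spoofedPage, spoofedForm, "domain")); // true: filled
console.log(shouldAutofill(savedLogin, spoofedPage, spoofedForm, "exact"));  // false: refused
```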
seec77
post Dec 2 2006, 10:56 AM
Post #20
Alright, so I figured in my earlier post that I probably had misunderstood something about the topic, and now I understand it was true, so sorry about my long rant!

@m^e: You forgot to mention XSS, which I think can also trick your password manager into giving out your credentials to phishing sites! But I can definitely see the problem now with password managers. I still think it's a bit of FUD, though, that you made users on these sites distrustful of IE and Fx.

I think that Opera's method, as Quatrux said, of having to press Ctrl+Enter for the password manager to do its thing is smart. Apart from that, it is missing a phishing protector, unlike Fx and IE.