Whenever I go to the Netflix main page in Firefox, I'm automatically logged in.

However, when I open up Firefox's list of saved passwords, I notice that Netflix is not among the sites Firefox is keeping passwords for (Options -> Security -> Saved Passwords).

How does Netflix know the password if Firefox isn't storing it, and where is it being stored?

  • 21
    I fail to see what part of this scenario makes you think they know your password. Basically all you've said is "I just got a Chromecast." and "Firefox hasn't saved my Netflix password." What is it about those two facts that makes you believe Netflix has your password? I'm guessing this misunderstanding has arisen from something other than what you've listed in your current question. Perhaps you could edit to explain what that "something" is?
    – Ajedi32
    Commented Dec 26, 2014 at 22:02
  • 1
    @Ajedi32 Honestly, I just had a mental misfire, and assumed that because I am logged in whenever I open Netflix, it was firefox doing the logging-in. Totally forgot that cookies were a thing. Commented Dec 27, 2014 at 0:47
  • 4
    So in fact the Chromecast is completely irrelevant.
    – David Z
    Commented Dec 27, 2014 at 4:55
  • @DavidZ Unless someone had information on how to use it through Firefox... yes. Commented Dec 27, 2014 at 15:39
  • @RavenDreamer That would be a different question; so irrelevant regardless.
    – OJFord
    Commented Dec 27, 2014 at 21:31

4 Answers

30

To answer your first question, Netflix doesn't know your password.

What Netflix and every other competent website out there does is hash your password using a one-way hashing scheme (MD5, SHA-1, SHA-2, etc.).

What this does is essentially create a unique fixed-length hexadecimal fingerprint that identifies the string of text that is your password. For instance, here's what my-secure-password looks like after being hashed using MD5:

[image: MD5 hash of the string my-secure-password]

They store this hash in their internal database and every time you log into Netflix, the password you supply during the login process is hashed once again using the same scheme and is matched against the copy of the hashed password stored in their database.

If they match, they know that you've entered the correct password and you're granted access. If they don't, you're not authenticated. This is why when you click on some variation of the Forgot password link they don't send you your old password but rather ask you to choose a new one. It's because they don't know what your password is either.

So how are you logged in if Firefox did not store the password for Netflix?

The answer to that is session cookies. When you logged into Netflix (maybe a while ago), you may have chosen to remember your session.

[image: Netflix login form with the "Remember me" checkbox]

If you did, Firefox stores a small tidbit of information on your computer that uniquely identifies you whenever you visit Netflix. These 'cookies', as they are called, generally persist for a short period of time while the session is active and then expire. Some, however, may last weeks or longer. Delete that cookie and Netflix won't remember you.

[image: Netflix cookies listed in Firefox]

Regarding your second question, if Firefox didn't 'remember' the password, it isn't stored anywhere. What's stored is the cookie. Firefox stores them in its Profiles folder in the file cookies.sqlite which is a SQLite database file.

Lastly, if you opted to log in through your Facebook account, you wouldn't need a password and so Firefox wouldn't store one.

[image: Netflix "Log in with Facebook" button]

However, a cookie would still be created to identify your session.

16
  • 23
    MD5 is one-way because it's a hash function. Saying that it isn't would imply that you could somehow obtain the original data from an MD5 hash through a cryptographic process. You can't. The tools you mention can 'reverse' the hash only because they've invested significant computer power to brute-force all sorts of password combinations to arrive at the original password string. This doesn't mean MD5 is reversible. Hashing is different from encryption where you can decrypt the data if you have the key. Also with hashing, no matter how long the input, the output is always fixed-length.
    – Vinayak
    Commented Dec 26, 2014 at 22:26
  • 16
    @Derek朕會功夫 MD5 is cryptographically "broken", but this is about collisions, not pre-images (which matter for passwords). MD5 is also bad for passwords, but this is because it is fast, so you can brute-force many passwords in a short time (and this is the same for more state-of-the-art hash functions like SHA-2 and SHA-3). See crypto.stackexchange.com/a/28/58. Commented Dec 26, 2014 at 23:09
  • 9
    I have to downvote just for the MD5 example, however good the rest of the answer may be. This is just not something you want to read in 2014 (soon to be 2015). It was never a good idea to use raw MD5 (even with a salt) to store passwords, and most people realized that over the course of the last 10 years. -1
    – Thomas
    Commented Dec 27, 2014 at 0:06
  • 8
    @Thomas I'm sorry you feel that way but my answer was never supposed to be a guide to choosing the best hashing scheme. SuperUser isn't StackOverflow and like it or not, MD5 still is a cryptographic hash function so I don't see what's wrong with explaining what a hash is with the example of MD5.
    – Vinayak
    Commented Dec 27, 2014 at 1:28
  • 7
    @kasperd "And in fact to this day using a single invocation of MD5 with a salt is still secure for those users who use good passwords." No. Please do not spread misinformation. A single invocation of MD5 is completely inadequate.
    – Ayrx
    Commented Dec 27, 2014 at 16:47
10

Netflix – like most other websites – doesn't care about your password during normal browsing. Instead, when you log in, Netflix has the browser store a 'cookie' with the login session ID. The browser sends it back every time it requests a new page. (Likewise, the password storage in Firefox is not used during normal browsing, but only for auto-filling the password field in login pages.)

The session cookies are usually generated randomly and don't have any relation to your login or password – only Netflix itself can link it to your account.

To see them, right-click the page, select "View Page Info", and under "Security" click "View Cookies".

5

There's nothing wrong with Netflix. Just like almost all websites that you can log on to, it stores a cookie on your PC which, among other things, stores encrypted data representing your password.

Haven't you seen the same behavior on Google, Facebook, Yahoo, Windows Live and whatever account you may think of?

Some web services may use cookies that are valid only for a short period of time or only in the current session (for example Yahoo and Facebook unless you select a Remember me on this computer option). But apparently Netflix uses cookies that are valid for a longer period of time which keeps you logged on unless you delete your browser history - especially cookies.

Now, you may be asking what the use of the password store in the browser is. That's very simple. If you log out from Netflix (or whatever else), the cookie gets deleted. If you want to log back in, you'll have to enter both the account username and the password. If you have saved your password in the browser, it will autocomplete that field when you type the username.

1
  • 10
    Clarification – cookies don't contain any data representing passwords. Rather, they contain random data that identifies a session associated with your account. The sessions are stored on the server.
    – ntoskrnl
    Commented Dec 26, 2014 at 19:37
0

Did you check your cookies? Your password, or an encrypted copy of your password, might be there.

2
  • 5
    That would be a terribly insecure design. Common practice is to use a session cookie which is not related to the password in any way.
    – kasperd
    Commented Dec 27, 2014 at 16:12
It doesn't really matter exactly, specifically, what he finds there. He should check his cookies.
    – hymie
    Commented Dec 27, 2014 at 23:25