Is it secure to save password in your browser?
As you navigate through Chrome, or Safari, or Firefox, or whatever your browser of choice is, you're often given an enticing option - Would you like us to save your password? A recent browser breach is a reminder that if you answer yes, you're taking a risk.
It turns out, your saved web passwords are less safe than you might think. How much of a risk depends on which browser you're using, whether you sync with other devices, and whether you're using any of the browser's extra security features. Here are the main vulnerabilities in some of the most popular browsers like Google Chrome, Mozilla Firefox, Internet Explorer, and Opera - and ways you can protect against those weak spots.
Recently, Opera confirmed a successful attack on its systems. The hackers were likely able to access personal information, company developer Tarquin Wilton-Jones wrote in a post announcing the breach, "including some of our sync users' passwords and account information."
The biggest problem with having your browser save your passwords involves prying eyes. Not only can other users who have access to your computer log in to your accounts and see your actual passwords, but so can a thief if your computer, smartphone, or tablet gets lost or stolen. Most popular browser like Google Chrome lets you browse through the list of saved usernames and passwords or enter the site name into the search field to filter the list.
For privacy, Chrome masks each saved password with asterisks, but you can click the entry and press the Show button to reveal the actual password. You can also change the password, but unfortunately Chrome doesn't sense password changes, so it won't prompt you when you log in to a site with a new password. You must go to the saved password entry and update it manually.
Unfortunately, Chrome doesn't offer a master password feature like Firefox does in order to protect all your passwords. Thus, anyone who's logged on to your system can view all the saved passwords.
Even Chrome sync most of your settings and saved data including passwords across multiple computers and devices, but this creates another security vulnerability.
In case of Internet Explorer, it remember your name, address, and other data you type into Web forms or search fields for AutoComplete feature. But, it doesn't provide a way for you to view saved passwords from within the browser settings: It only allows you to change the main settings and delete all AutoComplete history, which can prevent casual snooping. However, a determined hacker can use a utility to see a list of all your saved passwords or to reveal the actual characters behind the password field on a login page.
Where Firefox offers advanced password-saving features that are even better than Chrome. Though you can't change the passwords in the settings, Firefox automatically senses password changes you've made elsewhere and asks if you want to update your password when you log on to a site with a password that's different than what's saved on your PC. Even Firefox offers master password to encrypt and password-protect the saved password list. Though Firefox also sync your passwords, settings, and other saved data among multiple computers and devices. But by default Firefox encrypts all synced data instead of just your saved passwords. Additionally, there's more security when you add a new computer or device to your Firefox Sync account. You can either enter a passcode from the new device into one that you've already set up, or take the recovery key from a device you've already set up and input it into the new device after logging in to your Firefox Sync account.
So, When you're asking a question about "how safe" or "how secure" a saved passwords are, the answer is always more complicated than the simple 1 - 10 scale. A good answer will consider a threat model, or what kinds of attacks are likely and how well protected against them are you?
In terms of a threat model, switching to the Google password manager opens you up to two new attack vectors that are likely relevant to you: 1) Unsophisticated malware can steal your credentials 2) In-person attacks.
or some people, those two attacks might be irrelevant or worth taking on, but it sounds like you're already doing it right, so you have to decide if it's worth it to take a step backwards. All security decisions come down to the cost of defense vs. the value of protection.
Here is some additional tips to help you boost the security of your passwords:
- Never save passwords or sync browser data on other people's computers.
- Try to use different passwords for each site - at least for banking and other sensitive accounts.
- Protect your computer and mobile devices with strong password.
- Think about fully encrypting laptops, netbooks, and mobile devices.