The risk that’s often overlooked
I wouldn’t say incredibly stupid. But it’s definitely an additional risk, and one you need to understand.
You’re correct in considering physical security first. People often assume they have more physical security than they do.
And master passwords? Well, they’re important, but they have limitations.
- Letting your browser remember passwords can be risky.
- When you do, it’s easy to view actual passwords.
- If you let your browser remember passwords, specify a master password to prevent unauthorized access.
- For better security and greater convenience, use a dedicated password vault instead.
Remembered passwords in a browser
If you have your browser remember passwords for you and you’re wondering why this is even an issue, do the following in Firefox:
- Press the ALT key to expose the menu bar
- Click on the Tools menu
- Click on the Options menu item
- Click on Privacy & Security in the left-hand pane
- Scroll down to “Logins and Passwords”
- Click on the Saved Logins… button
This page lists the sites for which you have login information saved. Click on one in the left-hand pane, and you’ll see information about that login.
Click the eye icon next to the row of dots representing the password, and you’ll see the actual password.
A few clicks, and all your passwords are visible.
This should have you thinking very carefully about your security.
Anyone who can walk up to your computer is able to examine your passwords quickly and easily.
Letting the browser save your passwords
If you allow it, most web browsers maintain their own database of usernames and login information collected on your behalf. The browser fetches the information as needed and fills it in for you. Convenient!
Unfortunately, there are a couple of security issues.
First, the database is sometimes not quite as secure as we want it to be. While this has definitely improved over the years, depending on the browser it may be possible for a hacker to extract the contents should they gain access to your machine. There are even utilities that display the database contents, including the passwords, for some browsers.
Second, most people fail to place a “master password” on the database. A master password further encrypts the database and prevents hacker access, but it does something much more important: it prevents casual access.
This is the real issue I see. If you have your passwords stored in the browser’s password vault, anyone can walk up to your machine and wreak all sorts of havoc. They may also be able to view passwords and make off with them.
If you’re going to use your browser’s password vault, I strongly recommend you place a master password on it. In addition, if the browser supports it, instruct it to require the master password more often than just once when you start using the browser — perhaps again after some amount of time has passed.
Let a utility save your passwords instead
I’m a strong believer in using dedicated utilities like LastPass — referred to as “password managers” or “password vaults” — that are explicitly designed to keep website logins and much more secure.
Like the browser, LastPass stores your information in a database on your machine. Unlike your browser, however, a master password is required. You’ll get nothing out of a password vault’s database until you’ve specified your master password.
In addition, you can add more security:
- You can specify the master password be re-entered after a period of inactivity.
- You can configure certain logins (like, say, your bank’s) to require you to re-enter your master password before they can be used.
- Two-factor authentication can be enabled, requiring you to enter both your master password and a second authentication factor in order to be able to access your vault.
Utilities like LastPass often store your encrypted information online. This is done so you can use your vault’s information from anywhere, on multiple machines and devices.
The reason I prefer LastPass is that your master password never leaves your machine — it’s not stored elsewhere, period. It’s used only on your machines, and only to encrypt and decrypt your information on the machine. Even if the information stored on the LastPass servers were compromised (which has never happened), all the attacker would get is encrypted blobs of information they could do nothing with. They would not get your actual usernames or passwords.
It’s important to use utilities like LastPass properly. Configure them to require that master password periodically, and don’t walk away from your computer in a situation where someone else could walk up to it and begin using it.
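To make the protections described above concrete, here is an added example (not code from Ask Leo!, from any browser, or from LastPass) of a toy vault file that can only be opened with a master password, plus an unlocked-vault session that relocks after a period of inactivity and that demands the master password again for designated entries such as a bank login. The file layout, the demo cipher, the timeout value and the sample entries are all assumptions made here for illustration; the cipher (HMAC-SHA256 in counter mode with encrypt-then-MAC) is chosen only so the example runs with the standard library, and a real vault would use a vetted AEAD such as AES-GCM.

```python
"""Toy password vault locked by a master password (added example).

Not code from Ask Leo!, any browser, or LastPass: the file layout, demo
cipher and policy knobs (inactivity timeout, per-entry reprompt) are
assumptions for illustration. A real vault would use a vetted AEAD.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Callable, Dict, Optional

KDF_ITERATIONS = 200_000  # PBKDF2 work factor; a real vault would use more


def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into an encryption key and a MAC key.
    The master password is never written anywhere; only salt, nonce,
    ciphertext and tag go into the vault file."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demo keystream: successive HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password: str, entries: Dict[str, dict]) -> bytes:
    """Encrypt the whole vault: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> Dict[str, dict]:
    """Decrypt the vault; a wrong master password fails the tag check."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong master password or tampered vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


class Vault:
    """Unlocked-vault session with an inactivity timeout and a set of
    entries (e.g. the bank) that always demand the master password again."""

    def __init__(self, blob: bytes, timeout_seconds: float = 900,
                 reprompt=(), clock: Callable[[], float] = time.monotonic):
        self.blob, self.timeout, self.clock = blob, timeout_seconds, clock
        self.reprompt = set(reprompt)
        self._entries: Optional[Dict[str, dict]] = None
        self._last_used = 0.0

    def unlock(self, master_password: str) -> None:
        self._entries = open_vault(master_password, self.blob)
        self._last_used = self.clock()

    def get(self, site: str, master_password: Optional[str] = None) -> dict:
        now = self.clock()
        if self._entries is None or now - self._last_used > self.timeout:
            self._entries = None  # idle too long: forget the plaintext
            raise PermissionError("vault is locked; enter the master password")
        if site in self.reprompt:
            if master_password is None:
                raise PermissionError(f"{site} requires the master password again")
            open_vault(master_password, self.blob)  # raises if it is wrong
        self._last_used = now
        return dict(self._entries[site])


def demo() -> dict:
    """Walk through the protections with constructed sample entries."""
    entries = {  # constructed sample data, not real credentials
        "bank.example": {"user": "alice", "password": "Qm7pLz2vRt9xWe4nBc1y"},
        "forum.example": {"user": "leo_reader", "password": "Xy9!demo"},
    }
    master = "correct horse battery staple"  # constructed demo passphrase
    blob = seal(master, entries)
    clock = [0.0]  # manual clock so the timeout is deterministic
    vault = Vault(blob, timeout_seconds=900, reprompt={"bank.example"},
                  clock=lambda: clock[0])
    results = {"roundtrip": open_vault(master, blob) == entries,
               "plaintext_absent": b"alice" not in blob and master.encode() not in blob}
    try:
        open_vault("wrong password", blob)
        results["wrong_rejected"] = False
    except PermissionError:
        results["wrong_rejected"] = True
    vault.unlock(master)
    results["forum_user"] = vault.get("forum.example")["user"]
    try:
        vault.get("bank.example")
        results["bank_reprompt"] = False
    except PermissionError:
        results["bank_reprompt"] = True
    results["bank_user"] = vault.get("bank.example", master_password=master)["user"]
    clock[0] += 901  # fifteen minutes of inactivity pass
    try:
        vault.get("forum.example")
        results["relocked"] = False
    except PermissionError:
        results["relocked"] = True
    return results
```

Two design points matter here. The tag check runs before any decryption, so a wrong master password yields an error rather than garbage, and the file on disk contains neither the master password nor any readable username or password. The session object holds the decrypted entries only in memory and throws them away once the inactivity timeout passes, which is what "require the master password after a period of inactivity" amounts to in practice.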
What about cookies?
Cookies are not used to remember your password.
Cookies simply remember the fact that you’ve logged in. They remember that you did, indeed, specify the correct username and password when requested. Cookies prevent you from needing to specify a username and password for every page you visit after logging in.
The service puts a bit of data into a cookie — securely, and understandable only to that service — allowing it to remember who you are and that you are logged in.
Cookies typically expire after “a while” (as defined by the service). All that means is you need to log in again every couple of hours or every day or so, even though your browser never left the website.
This is also why explicitly clearing cookies forces you to log in to all sites when you return to them.
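The cookie behaviour described in this section, as an added example that is not code from Ask Leo! or from any real web service: the password is verified once at login, the browser is handed a cookie holding only an opaque, signed session id, and that id is what identifies the user on every later page until it expires or the cookie is cleared. The store layout, the token format and the two-hour lifetime are assumptions made here for illustration.

```python
"""Login sessions with cookies (added example).

Not code from Ask Leo! or any real service: store layout, token format
and lifetime are assumptions. The password is checked once, at login;
the cookie then carries only a random session id signed by the service.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

SESSION_LIFETIME = 2 * 60 * 60  # seconds: "a while", as chosen by the service


class Service:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.signing_key = secrets.token_bytes(32)  # known only to the service
        self.users = {}     # username -> (salt, PBKDF2 hash); no clear-text passwords
        self.sessions = {}  # session id -> (username, expiry time)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _sign(self, sid: str) -> str:
        return hmac.new(self.signing_key, sid.encode(), hashlib.sha256).hexdigest()

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        """Check the password once; on success return the Set-Cookie value."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, self.clock() + SESSION_LIFETIME)
        return (f"session={sid}.{self._sign(sid)}; Max-Age={SESSION_LIFETIME}; "
                "Secure; HttpOnly; SameSite=Lax")

    def logged_in_user(self, cookie_header: Optional[str]) -> Optional[str]:
        """Identify the user on a later request from the cookie alone."""
        if not cookie_header:
            return None  # no cookie (e.g. cleared): the user must log in again
        pairs = (p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
        value = dict(pairs).get("session")
        if value is None:
            return None
        sid, _, sig = value.partition(".")
        if not hmac.compare_digest(sig, self._sign(sid)):
            return None  # forged or altered cookie
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() > expiry:
            del self.sessions[sid]
            return None  # expired: log in again even though the browser never left
        return username


def browser_sends(set_cookie: str) -> str:
    """What the browser echoes back on later requests: just name=value.
    Max-Age, Secure and the other attributes stay with the browser."""
    return set_cookie.split(";", 1)[0]


def demo() -> dict:
    clock = [1_700_000_000.0]  # constructed clock so expiry is deterministic
    svc = Service(clock=lambda: clock[0])
    svc.register("alice", "hunter2-but-longer")  # constructed sample account
    results = {"bad_password": svc.login("alice", "wrong")}
    set_cookie = svc.login("alice", "hunter2-but-longer")
    cookie = browser_sends(set_cookie)
    results["password_in_cookie"] = "hunter2-but-longer" in set_cookie
    results["next_page"] = svc.logged_in_user(cookie)
    results["after_clearing_cookies"] = svc.logged_in_user(None)
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    results["tampered"] = svc.logged_in_user(tampered)
    clock[0] += SESSION_LIFETIME + 1
    results["after_expiry"] = svc.logged_in_user(cookie)
    return results
```

The point to take from the demo is in the last three results: the same cookie that identified the user a moment earlier is useless once the service's clock passes the expiry, useless after the browser stops sending it, and useless if a single character of it is changed. At no point does the cookie contain the password, which is why a stolen or cleared cookie costs you a login rather than an account.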
Mitigating the risk of browser-remembered passwords
What can you do? There are several approaches.
- Do nothing but rely on physical security. You must be certain about your physical security and know your machine cannot be easily stolen or accessed.
- Use a master password. A master password is used to encrypt the passwords stored in your browser. In theory, you cannot access the stored passwords without it. Make it as strong as is practical.
- Clear the list and stop remembering passwords. Don’t use your browser to remember passwords.
- Use a dedicated password vault instead. If you want your computer to remember passwords, it’s far better to use a reputable application like LastPass, which is designed solely for the purpose of securely storing your information.
What I do
- I disable the “remember password” feature in all my browsers.
- I use LastPass to store all my password information. All of it.
- I use LastPass to generate long and strong passwords. These days, that means 20-character passwords like vx6RKPj4TDQ8Teq4TBsA. As a result, I couldn’t tell you the password for many of my accounts; I rely on LastPass to provide them as needed.
- On my mobile devices, LastPass is configured to require the master password after a period of inactivity.
- On my laptop, I require two-factor authentication in addition to the master password.
This is what I recommend you do as well. Don’t use the browser’s “remember password” feature, but instead rely on a tool written specifically to do so. Add additional layers of security — like reprompts, timeouts, and two-factor authentication — for the devices you use in potentially less-than-secure environments.
And as always, make sure that the master password — whether it’s for your browser or a password vault — is strong and secure.