The short answer is yes – if you’re not careful, anyone who walks up to your computer can access those websites as you, or perhaps even walk away with a copy of all your usernames and passwords.
There are actually several important issues around letting your browser – or any utility for that matter – save your passwords. Particularly when we advocate using multiple complex and different passwords for different sites, it’s not only important to use these types of features to keep it all straight, but to use them properly so as not to expose yourself to security issues should your machine ever be compromised.
I’ll review how these features work, and how to use them safely.
Letting the browser save your password
As you’ve pointed out, by default most web browsers will offer to save your username and password when you log in to a web site. Once you’ve done so, the next time you’re asked to log in to that site your browser will fill in the information automatically – you won’t have to remember it.
The browser maintains its own database of the usernames and login information that you allow it to collect on your behalf, and fetches the appropriate information as needed.
Unfortunately, there are a couple of security issues.
First, and perhaps most importantly, the database is often not as secure as we might want it to be. Depending on the browser, it’s often possible for a hacker to extract its contents should they ever gain access to your machine. In fact, there are even utilities that will display the database contents, including the passwords, for some browsers.
Second, most people fail to place a “master password” on the browser’s database. A master password encrypts the database so that a hacker can’t simply read it, but it does something more important: it prevents casual access.
The real issue is exactly that – what I call “casual access”. If you have your passwords stored in the browser’s password vault, anyone can walk up to your machine and, at a minimum, log in to your accounts as you, and naturally wreak all sorts of havoc if they so choose.
If you must use your browser’s password vault, I strongly recommend you make sure you can place a master password on it. On top of that, if the browser supports it, instruct it to require that master password more often than just once when you start using the browser.
Letting a utility save your password
I’m a strong believer in using a utility like LastPass to save website logins and more. But, like the browser equivalent, if used improperly it can result in security issues that aren’t so obvious.
Like the browser, LastPass stores your information in a database on your machine. Unlike your browser, however, a master password is required. You’ll get nothing out of a LastPass database until you’ve specified your master password.
In addition, you can specify several types of additional, important security:
- You can specify that the master password must be supplied after a user-specified period of inactivity.
- You can specify that certain logins (like, say, your bank’s) require that you re-supply your master password before they can be used.
- Two-factor authentication can be enabled such that you need both your master password and a second authentication factor in order to be able to open your vault.
Utilities like LastPass also store your encrypted information on their servers on the internet. This is done so that you can have a single database of logins that can be used across multiple machines and devices.
The reason I prefer LastPass is that your master password never leaves your machine – it is not stored elsewhere, period. It’s used only on your machine, and only to encrypt and decrypt your information on the machine. Even if the information stored on LastPass’s servers were compromised (which has never happened) all the attacker would get is well-encrypted blobs of information, and not your actual usernames or passwords.
It’s important to use utilities like LastPass properly. Configure them to require that master password periodically, and of course don’t walk away from your computer while using it in a situation where someone else could walk up to it and begin using it. Once again, they could then log in as you.
A word about cookies
In a sense cookies are also used to “remember” your password – kind of.
Cookies are actually used by the websites you visit, and are only placed on your machine after you’ve logged in.
Their purpose is simply to remember that you’re logged in – that you did, indeed, specify the correct username and password when requested. This prevents you from needing to specify that username and password for every separate page that you visit after logging in.
In reality, your account credentials are not saved in a cookie. Rather, the service that you’ve logged into places some bit of data – ideally understandable only to that service – that allows it to remember who you are, and that you are logged in. Remember that a cookie, once placed on your machine by a website, is then included with every request you make for a new page from that same website.
These cookies are typically time constrained – meaning that they expire after “a while”. That simply manifests as you needing to log in every couple of hours or every day or so, even though your browser never left the website. Similarly, these cookies are invalidated and/or removed when you log out from the service, or you can opt to remove them when you shut down your browser.
What I do
As I said above, I’m a big fan of utilities like LastPass, and indeed it’s LastPass that is at the center of my password management.
- I disable the “remember password” feature in all my browsers. Experience says that while things are getting better, the track record for the security of browser-stored passwords isn’t the best.
- I use LastPass to store all my password information. All of it.
- I use LastPass to generate random and obscure passwords, as needed. These days those are 16 character passwords like “9WZqQrqvBd3p94fA”. As a result I couldn’t tell you the password for many of my accounts; I rely on LastPass to provide it as needed.
- On my mobile devices (laptop and phone) I have LastPass configured to require the master password after a period of inactivity.
- On my laptop I further require that two-factor authentication be used in addition to the master password.
To be honest, this is what I recommend you do as well. Don’t use the browser’s remember-password feature, but instead rely on a tool written specifically for security such as LastPass. Add additional layers of security – like reprompts, timeouts and even two-factor authentication – for the devices that you use in potentially less-than-secure environments.
And as always, make sure that the master password – the only password you really need to remember when using a tool like LastPass – is strong and secure.