How Safe Is it to Let My Browser Save My Passwords?

I’ve got a quick question concerning saved username/passwords in browsers. Whenever you visit a website and need to login, you’ll be asked (depending on your browser settings) if you’d like to “save” the username/password information to make future logins easier. If you choose to do so, is this username/password information made visible to anyone who has compromised your computer when you access the website in the future? Since the fields are already filled in for you, you don’t actually need to type in anything.

The short answer is yes – if you’re not careful, anyone who walks up to your computer can access those websites as you, or perhaps even walk away with a copy of all your usernames and passwords.

There are actually several important issues around letting your browser – or any utility for that matter – save your passwords. Particularly when we advocate using multiple complex and different passwords for different sites, it’s not only important to use these types of features to keep it all straight, but to use them properly so as not to expose yourself to security issues should your machine ever be compromised.

I’ll review how these features work, and how to use them safely.


Letting the browser save your password

As you’ve pointed out, by default most web browsers will offer to save your username and password when you login to a web site. Once you’ve done so, the next time you’re asked to login to that site your browser will fill in the information automatically – you won’t have to remember it.

The browser maintains its own database of the usernames and login information that you allow it to collect on your behalf, and fetches the appropriate information as needed.

Unfortunately, there are a couple of security issues.

First, and perhaps most importantly, is that the database is often not quite as secure as we might want it to be. Depending on the browser, it’s often possible for a hacker to extract its contents should they ever gain access to your machine. In fact there are even utilities that will display the database contents, including the passwords, for some browsers.

Second, most people fail to place a “master password” on the browser’s database. This can further encrypt the database and hinder a hacker’s access, but it does something more important: it can prevent casual access.

The real issue is exactly that – what I call “casual access”. If you have your passwords stored in the browser’s password vault, anyone can walk up to your machine and at a minimum login to your accounts as you, and naturally wreak all sorts of havoc if they so choose.

If you must use your browser’s password vault, I strongly recommend you make sure you can place a master password on it. On top of that, if the browser supports it, instruct it to require that master password more often than just once when you start using the browser.

Letting a utility save your password

I’m a strong believer in using a utility like LastPass to save website logins and more. But, like the browser equivalent, if used improperly it can result in security issues that aren’t so obvious.

Like the browser, LastPass stores your information in a database on your machine. Unlike your browser, however, a master password is required. You’ll get nothing out of a LastPass database until you’ve specified your master password.

In addition, you can specify several types of additional, important security:

  • You can specify that the master password must be supplied after a user-specified period of inactivity.
  • You can specify that certain logins (like, say, your bank’s) require that you re-supply your master password before they can be used.
  • Two-factor authentication can be enabled such that you need both your master password and a second authentication factor in order to be able to open your vault.

Utilities like LastPass also store your encrypted information on their servers on the internet.1 This is done so that you can have a single database of logins that can be used across multiple machines and devices.

The reason I prefer LastPass is that your master password never leaves your machine – it is not stored elsewhere, period. It’s used only on your machine, and only to encrypt and decrypt your information on the machine. Even if the information stored on LastPass’s servers were compromised (which has never happened) all the attacker would get is well-encrypted blobs of information, and not your actual usernames or passwords.

It’s important to use utilities like LastPass properly. Configure them to require that master password periodically, and of course don’t walk away from your computer while using it in a situation where someone else could walk up to it and begin using it. Once again, they could then log in as you.

A word about cookies

In a sense cookies are also used to “remember” your password – kind of.

Cookies are actually used by the websites you visit, and are only placed on your machine after you’ve logged in.

Their purpose is simply to remember that you’re logged in – that you did, indeed, specify the correct username and password when requested. This prevents you from needing to specify that username and password for every separate page that you visit after logging in.

In reality, your account credentials are not saved in a cookie. Rather, the service that you’ve logged into places some bit of data – ideally understandable only to that service – that allows it to remember who you are, and that you are logged in. Remember that a cookie, once placed on your machine by a website, is then included with every request you make for a new page from that same website.

These cookies are typically time constrained – meaning that they expire after “a while”. That simply manifests as you needing to log in every couple of hours or every day or so, even though your browser never left the website. Similarly, these cookies are invalidated and/or removed when you log out from the service, or you can opt to remove them when you shut down your browser.

What I do

As I said above, I’m a big fan of utilities like LastPass, and indeed it’s LastPass that is at the center of my password management.

  • I disable the “remember password” feature in all my browsers. Experience says that while things are getting better, the track record for the security of browser-stored passwords isn’t the best.
  • I use LastPass to store all my password information. All of it.
  • I use LastPass to generate random and obscure passwords, as needed. These days those are 16 character passwords like “9WZqQrqvBd3p94fA”. As a result I couldn’t tell you the password for many of my accounts; I rely on LastPass to provide it as needed.
  • On my mobile devices (laptop and phone) I have LastPass configured to require the master password after a period of inactivity.
  • On my laptop I further require that two-factor authentication be used in addition to the master password.

To be honest, this is what I recommend you do as well. Don’t use the browser’s remember password feature, but instead rely on a tool written specifically for security such as LastPass. Add additional layers of security – like reprompts, timeouts and even two-factor authentication – for the devices that you use in potentially less-than-secure environments.

And as always, make sure that the master password – the only password you really need to remember when using a tool like LastPass – is strong and secure.

Footnotes & references

1: AKA “the cloud”.

21 comments on “How Safe Is it to Let My Browser Save My Passwords?”

  1. On my mobile devices, in addition to auto logoff after a few minutes of idle time, I set LastPass to clear the master password every time I close my browser. That way, if I step away from my laptop at work, I just exit the browsers and no one can access accounts.

  2. Please describe how you disable the “remember password” feature in browsers. And how to clear previously remembered passwords, as well.

    • In Firefox, press Alt+t to get the Tools pulldown from the menu bar, then select “Options”. Next click the “Security” tab. Uncheck the “Remember passwords for sites” box.

      In IE, press Alt+t to get the Tools pulldown from the menu bar, then select “Internet Options”. Next click the “Content” tab and under “Autocomplete” click the “Settings” button. Finally, uncheck the “User names and passwords on forms” box.

      I believe unchecking those boxes will clear the passwords.

  3. Useful article. I have a query. I find that some sites just don’t get stored by my browser (Chrome). Is this a bug in the browser or do some sites actually block the browser, & for that matter external products like LastPass?
    Observation: I have come across sites that do not handle special characters, so you’re just left with alphanumerics and usually these sites don’t have very long password fields, reducing the strength of the password. A bit more consistency in development practices might not go amiss here.

    • I’ve had some sites block the password saving in Firefox in the past, but in the many years I’ve been using LastPass to manage my few hundred passwords, I’ve never had any block LastPass from saving the password.

    • I don’t think it’s because they intentionally block anything, but rather because they code their web page login forms in a non-standard way. (Of course they could be doing that intentionally, but more often it’s that they want to do things their own way.)

  4. Very helpful article, but a key question is not addressed:
    Does LastPass or any of the other password managers like Dashlane, KeePass, and 1Password import in your existing passwords?
    I’ve got a nearly two decades of passwords saved in my FireFox browser and do not want to lose them. So it’s pretty critical that any application like LastPass be able to import my existing passwords for websites.

    What’s the scoop, Leo? Or anybody else who might know?

    Thanks.

  5. Thanks to Leo for this topic because had I not seen it, I would not have realised I have a problem. I use LastPass which is great and served me well for some 5 years or more, but the problem is… it never asks me for my master key even though I turn off my computer every night when sleeping…. what have I done wrong?

    • As Leo mentioned:
      “In addition, you can specify several types of additional, important security:
      You can specify that the master password must be supplied after a user-specified period of inactivity.
      You can specify that certain logins (like, say, your bank’s) require that you re-supply your master password before they can be used.”
      And my previous comment:
      “On my mobile devices [including my laptop] , in addition to auto logoff after a few minutes of idle time, I set LastPass to clear the master password every time I close my browser.”
      LastPass is so flexible, on my home computer, for a while I intentionally had it never request the master password. With the possibility of robbery, I’ve stopped being so trusting of my house locks.

  6. While I am not particularly concerned about my privacy (all that stuff on the internet was out there before the internet, it was just a little harder to find), I am not particularly trusting. I realize that TrueCrypt was open source and Lastpass etc are all paid services but what happens if they go belly up? What happens if they hire some idiot and all of their saving software goes up in smoke? I have a hard time trusting these services or any others for that matter and these are things that I want under my control.

  7. Leo, you have a link on this page that went to Ebay with someone selling Oregano Oil. I just bought some O.Oil the other day from Ebay. I clicked on it and it showed me the same guy that I bought the Oregano Oil from. How could this ad be on this page of yours? How is this Leo page related to my Ebay item? I don’t know if I will ever find out the answer to this because I am sure that you are not going to email me.

  8. If I’m using my private home internet, is there still any chance that the passwords stored in my browser or on my website {url removed} could be hacked?
