Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Is it safe to let my browser remember passwords?

//
If I consider my computer to be physically secure, am I reasonably safe letting Firefox remember my passwords (without using a master password), or am I being incredibly stupid to do that? What if I do use a master password?

I certainly wouldn’t say incredibly stupid at all. But it’s definitely an additional risk, and one that needs to be understood.

But you’re correct in considering physical security first. The problem is that people often assume they have more physical security than they actually do.

And master passwords? Well, they’re nice, but they too have their limitations.

Become a Patron of Ask Leo! and go ad-free!

Remembered passwords in Firefox

If you’re at all wondering why this is even an issue; if you have Firefox remember passwords for you, do the following:

  • Type the ALT key to expose the menu bar
  • Click on the Tools menu
  • Click on the Options menu item
  • Click on the Security tab
  • Click on the Saved Passwords… button
  • Click on the Show Passwords button

Yes, the Show Passwords button.

Saved Passwords in FireFox

A few clicks and all your passwords are visible.

While I’ve obscured my own information, that dialog shows a list of URLs, Usernames and Passwords as remembered in my copy of Firefox. All we had to do was walk up to the computer and follow the simple instructions above to make all passwords clearly visible.

That should have you thinking very carefully about your security.

Anyone who can walk up to your computer can do that, and pretty darned quickly.

Internet Explorer

IE’s situation, prior to IE 11, is actually slightly worse when it comes to remembering passwords. While there is no option to actually display saved passwords, there are several downloadable tools that will. The article I forgot my password – can I somehow get my auto-login remembered password? discusses them.

With Internet Explorer version 11, Microsoft moved to using Windows-provided credential storage, which is significantly more secure, and poses significantly less of a risk.

Mitigating the risk of remembered passwords

What can you do? There are several approaches.

  • Do nothing but rely on physical security. Depending on your circumstances, this may be a viable approach. The key is that you must be certain about your physical security. That means you know that you machine cannot be easily stolen, and that no one can simply walk up to it and access Firefox’s remembered password list.
  • Clear the list and stop remembering passwords. This is actually what I recommend. As an alternative, I use LastPass, which allows me to store my password database where I choose, and keeps it securely encrypted as well.
  • Use a master password. Firefox allows you to select a master password which is used to encrypt the stored passwords. In theory, without knowing the master password, you cannot access the stored passwords.

Here’s the problem I have with master passwords and remembered passwords: traditionally browsers have been built for browsing first, and on-machine security second. I was able to find at least one password-cracking tool aimed specifically at the Firefox master password. If someone with malicious intent can steal your computer, or Firefox’s encrypted files, they still have a reasonable chance of breaking through this security and gaining access to your remembered passwords.

Aside from that, and as with any password, one key is to make it as strong as possible. My take is simply this: it’s like a padlock. It’ll keep most people out.  However, if someone who knows what they’re doing comes along with a large enough crowbar or a bolt cutter, it’s possible that they could get in.

My recommendation

My rules are very simple:

  • Never use the browser to remember passwords on a computer you don’t control completely. Period.
  • Never use the browser to remember passwords on a portable computer, even if it’s yours. If it’s stolen the thief can take all the time he needs to crack it.
  • In fact, never use the browser to remember passwords. Instead, use tools specifically written for the task like LastPass, Roboform or others. On top of that, use a good, strong master password, and set options such that the master password is required after the machine’s been idle for a while.
Play

31 comments on “Is it safe to let my browser remember passwords?”

  1. I have my computer memorize my passwords for non-sensitive sites (blogs, newspapers). However, for stuff like my bank and Yahoo webmail I don’t save those and type them every time.

  2. Firefox uses the RC4 algorithm to encrypt the password file. Brute force attack using the known cracker will take years to crack if the master password is a long passphrase. After all, brute force can be used to attempt cracking even Roboform. So, in theory nothing is safe, but practically speaking the FF master password system is adequately secure.

  3. There is a nice Firefox addon called LastPass that will save your passwords for you. Everything is stored in the “cloud” and not on your machine. You just log into your LastPass account with a password of your choice and they take care of filling in usernames and passwords. As an added feature, LastPass also handles form filling and supports multiple profiles.

    • Last pass has been hacked a few times, the last time was some months ago, even though they claim no information was taken but you never know do you.

      • They have never been “hacked” to my knowledge, and if so exactly and only once. They’ve noted “suspicious activity on their network” and warned everyone – which is not a hack as no data was stolen. No unencrypted user data has ever been stolen from LastPass, because they don’t have the means to decrypt it on their servers. They don’t have the decryption key – only you do.

        • Absolutely, great tool and being on my phone means I have password to sites I am permitted to view at work available, which incidentally includes a dozen just for my company alone so I can function as a manager where they base me, most of which resources are cloud based and insist on strong passwords.

  4. Don’t forget the Quick Dial Syndrome. Not using your passwords all the time means you will forget them when you have to enter them manually again!

  5. hello leo. thank you for the information. my next question is now do we burn things on the computer. i wish you a happy new year.

  6. Well, I feel motivated to do something more about password security… but I’m not sure what? Maybe get a small flash drive and install Roboform on it?

  7. I keep passwords in an Excel file and password protect that file. They are always with me and I understand that this is very hard to crack and gain entry to the file.

  8. By having the browser remember one’s password does not seem all that secure. I’m OK with typing in the password each and every time. However, when one uses a computer at work or in some public places, there is always the risk of key loggers being installed in the computers. So, which method would be better for privacy and security.

    Use good security measures on your own computer, and don’t visit sites where you need to enter your password on computers you can’t trust.

    Leo
    05-Jan-2010

  9. Leo,

    You could enable FIPs encryption in Firefox. It is little known that FIPs is standard on Firefox and can be enabled under advanced options and under encryption devices. Cracking a master password with FIPs enabled and a salt is virtually impossible.

    TrueCrypt can’t be recommended as none of its encryption techniques has ever been verified since the creators are anonymous. Lately they have been deleting posts criticizing any faults in the program, which is disturbing.

  10. Saving passwords in a browser, no matter which browser it is, leads to a host of security concerns. Definitely think that everyone should be using an actual password manager, my top pick is Roboform.

  11. As a small point, you still have to remember a Last Pass master password. So one is not completely without remembering something.

    • Absolutely. But by having only one thing to remember you can elect to make it strong and lengthy, and let Lastpass worry about remembering everything else (which can be long and strong and completely UNmemorable),

  12. This is a valuable post, Leo. Thank you. I’ve been using RoboForm for the past few years to accomplish the same objective as LastPass.
    Is there a material difference between the two programs that would make me want to consider switching to LastPass?

    • Not really – Roboform is also good. I switched to Lastpass because Roboform has more of a “lock in” mentality (it’s VERY difficult to export your information to a different tool), and Lastpass was examined in detail by Steve Gibson of grc.com and does their encryption in a way that I really, REALLY appreciate. (Always local – never on the Lastpass servers.)

  13. Now I admit I didn’t thoroughly read each post but I did do a search in my browser on this page. That browser is Chrome. Currently Chrome asks for your Windows login password, which providing that’s strong is a pretty neat way of securing access to stored passwords. Like you, Leo, I am a fan of Gmail but it doesn’t stop there, I think most of what they have is pretty good in the application space. It also works for me across a number of different devices, one of them an Android mobile where the security is changed depending on when & where I am.

  14. Hi Leo
    Could you comment on Cyber Firefox using the RC4 algorithm to encrypt the password file.

    Wikipedia states; “While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure cryptosystems such as WEP.

    As of 2013, there is speculation that some state cryptologic agencies may possess the capability to break RC4 even when used in the TLS protocol. Microsoft recommends disabling RC4 where possible.”

  15. I would never save passwords for banks, credit cards, other “high security” stuff like that on browser, but enter them every time (often along with other security measures specific to the particular institution). Also important to change them a lot. For things like local clubs, stores etc where to spend money (but not when they have retrievable credit card details), various other “trivial” websites I am happy to use browser facilities.

  16. I do use a password manager (RoboForm) to help me generate secure/unique passwords for my various accounts but feel much safer knowing that the encryption key is known only to me, (even if that means not being able to recover it if I forget it). The other thing that is more convenient with a third part password manager than one built into my browser is that RoboForm is available in ALL of my various browser as well as on ALL of my various computers/devices

  17. I just physically write my passwords into a note book, especially any pw’s related to banking. Would this be the most secure method of storing passwords? (lock the book in a safe for maximum security if concerned about it). Or am I being naive?

    • That depends on the physical security of the notebook. For example, if it’s not in a safe place, and your house is broken into, the thief would get your passwords

    • I know a lot of people who do this sort of thing. I see them have a hard time finding their passwords over the years in all the pages of the notebook. Sometimes they’ll update and write it in a new place and get all mixed up. But the biggest problem I see is that they don’t use very secure passwords. They use ones that are very easy to type, write and remember. The best solution I’ve found is Leo’s recommendation of LastPass.

    • The most secure? Don’t know. I don’t think I’d consider it so. It remains vulnerable to physical theft when it’s out of the safe, you have to remember to put it in the safe every time, and when out it’s vulnerable to loss by fire or similar catastrophe.

  18. Leo, I took your advice years ago about making passwords different and *long* (most more than 15 characters, if permitted). Fortunately, many websites now allow more characters to be used…something worth checking if you hit their limit when you set up the account or tried to strengthen your password. And as a password manager I use Norton Internet Security’s built-in “Identity Safe” feature. I have no idea if its encryption is local, or on their servers. Do you have any opinion or comments about it?

    BTW, rather than “renew” NIS each year I’ve found it much cheaper to buy a new “download” copy (digital key only) at discount from a reputable software retailer and just apply the new product key. Norton actually has an “I have a product key” button that appears when you click on Renew. (Wait until just before your current copy expires b/c unused days do not roll over.)

  19. I was fairly happily using LastPass until they did an upgrade and then it no longer worked and I couldn’t do the restore option as it wasn’t happy with my browser, Firefox. So that was a major hassle and I gave up.

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.