Is it safe to let my browser remember passwords?

Letting your browser remember passwords is a convenient feature. However, it's important to understand that with that convenience comes risk - often significant risk.

If I consider my computer to be physically secure, am I reasonably safe letting Firefox remember my passwords (without using a master password), or am I being incredibly stupid to do that? What if I do use a master password?

I certainly wouldn’t say incredibly stupid at all. But it’s definitely an additional risk, and one that needs to be understood.

But you’re correct in considering physical security first. The problem is that people often assume they have more physical security than they actually do.

And master passwords? Well, they’re nice, but they too have their limitations.

Remembered passwords in Firefox

If you’re at all wondering why this is even an issue, and you have Firefox remember passwords for you, do the following:

  • Press the ALT key to expose the menu bar
  • Click on the Tools menu
  • Click on the Options menu item
  • Click on the Security tab
  • Click on the Saved Passwords… button
  • Click on the Show Passwords button

Yes, the Show Passwords button.

(Screenshot: the Saved Passwords dialog in Firefox)

A few clicks and all your passwords are visible.

While I’ve obscured my own information, that dialog shows a list of URLs, Usernames and Passwords as remembered in my copy of Firefox. All we had to do was walk up to the computer and follow the simple instructions above to make all passwords clearly visible.

That should have you thinking very carefully about your security.

Anyone who can walk up to your computer can do that, and pretty darned quickly.

Internet Explorer

IE’s situation, prior to IE 11, is actually slightly worse when it comes to remembering passwords. While there is no option to actually display saved passwords, there are several downloadable tools that will. The article “I forgot my password – can I somehow get my auto-login remembered password?” discusses them.

With Internet Explorer version 11, Microsoft moved to using Windows-provided credential storage, which is significantly more secure, and poses significantly less of a risk.

Mitigating the risk of remembered passwords

What can you do? There are several approaches.

  • Do nothing but rely on physical security. Depending on your circumstances, this may be a viable approach. The key is that you must be certain about your physical security. That means you know that your machine cannot be easily stolen, and that no one can simply walk up to it and access Firefox’s remembered password list.
  • Clear the list and stop remembering passwords. This is actually what I recommend. As an alternative, I use LastPass, which allows me to store my password database where I choose, and keeps it securely encrypted as well.
  • Use a master password. Firefox allows you to select a master password which is used to encrypt the stored passwords. In theory, without knowing the master password, you cannot access the stored passwords.

Here’s the problem I have with master passwords and remembered passwords: traditionally browsers have been built for browsing first, and on-machine security second. I was able to find at least one password-cracking tool aimed specifically at the Firefox master password. If someone with malicious intent can steal your computer, or Firefox’s encrypted files, they still have a reasonable chance of breaking through this security and gaining access to your remembered passwords.

Aside from that, and as with any password, the key is to make it as strong as possible. My take is simply this: it’s like a padlock. It’ll keep most people out. However, if someone who knows what they’re doing comes along with a large enough crowbar or a bolt cutter, it’s possible that they could get in.
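To put numbers on the padlock analogy, here is an added example (not code from the article or from Firefox) that estimates how long an offline guessing attack against a stolen, encrypted password store would take for a few master-password choices. The guess rate, the key-derivation iteration count and the sample passwords are constructed assumptions for illustration, not measured figures.

```python
import math
import string

# Constructed assumptions (not figures from the article): a thief who has the
# stolen profile files can test guesses offline at this rate against a plain
# hash, and the master-password key derivation multiplies the cost of each
# guess by KDF_ITERATIONS.
GUESSES_PER_SECOND = 1e10
KDF_ITERATIONS = 100_000

# Character pools; a password is assumed to be drawn from the union of the
# pools it actually touches (the usual optimistic estimate of its search space).
POOLS = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
         string.punctuation, " ")


def charset_size(password: str) -> int:
    """Size of the union of pools that covers every character of the password."""
    return sum(len(pool) for pool in POOLS if any(ch in pool for ch in password))


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates an exhaustive guesser must consider."""
    if not password:
        return 0.0  # no master password: the store opens with zero guesses
    return len(password) * math.log2(charset_size(password))


def expected_crack_seconds(password: str, kdf_iterations: int = KDF_ITERATIONS,
                           rate: float = GUESSES_PER_SECOND) -> float:
    """Expected offline guessing time: half the space on average, with each
    guess costing kdf_iterations hash operations."""
    if not password:
        return 0.0
    return 2 ** (search_space_bits(password) - 1) * kdf_iterations / rate


def compare_policies(kdf_iterations: int = KDF_ITERATIONS) -> dict:
    """Expected crack time in years for a few constructed master-password choices."""
    year = 365 * 24 * 3600
    samples = {
        "none": "",
        "8 lowercase": "passwrdz",
        "8 mixed": "Pa5sw0r!",
        "5-word passphrase": "padlock crowbar lantern river quartz",
    }
    return {label: expected_crack_seconds(pw, kdf_iterations) / year
            for label, pw in samples.items()}


if __name__ == "__main__":
    for label, years in compare_policies().items():
        print(f"{label:18s} {years:12.3g} years")
```

The result shows why length matters more than symbol variety: the eight-character passwords fall in months to centuries at the assumed rate, while the long passphrase is out of reach, and with no master password at all the cost is zero.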

My recommendation

My rules are very simple:

  • Never use the browser to remember passwords on a computer you don’t control completely. Period.
  • Never use the browser to remember passwords on a portable computer, even if it’s yours. If it’s stolen, the thief can take all the time he needs to crack it.
  • In fact, never use the browser to remember passwords. Instead, use tools specifically written for the task like LastPass, Roboform or others. On top of that, use a good, strong master password, and set options such that the master password is required after the machine’s been idle for a while.
This is an update to an article originally posted: December 25, 2009

Comments

  1. David

    I have my computer memorize my passwords for non-sensitive sites (blogs, newspapers). However, for stuff like my bank and Yahoo webmail I don’t save those and type them every time.

  2. Cyber_100

    Firefox uses the RC4 algorithm to encrypt the password file. Brute force attack using the known cracker will take years to crack if the master password is a long passphrase. After all, brute force can be used to attempt cracking even Roboform. So, in theory nothing is safe, but practically speaking the FF master password system is adequately secure.

  3. Jason

    There is a nice Firefox addon called LastPass that will save your passwords for you. Everything is stored in the “cloud” and not on your machine. You just log into your LastPass account with a password of your choice and they take care of filling in usernames and passwords. As an added feature, LastPass also handles form filling and supports multiple profiles.

  4. Dan

    Don’t forget the Quick Dial Syndrome. Not using your passwords all the time means you will forget them when you have to enter them manually again!

  5. mona georgetti

    hello leo. thank you for the information. my next question is now do we burn things on the computer. i wish you a happy new year.

  6. Greg McDonald

    Well, I feel motivated to do something more about password security… but I’m not sure what? Maybe get a small flash drive and install Roboform on it?

  7. Ralph Cosh

    I keep passwords in an Excel file and password protect that file. They are always with me and I understand that this is very hard to crack and gain entry to the file.

  8. rew

    amherst college says to lock your computer…will that make it safe?
    xp/vista…windows-key+l or options+l….seems to me if you can lock it, a few folks know how to unlock it and help themselves? tu for your hard work…

    I ended up writing a new article on this: Does locking my computer keep it safe?

    Leo
    01-Jan-2010

  9. v w

    By having the browser remember one’s password does not seem all that secure. I’m OK with typing in the password each and every time. However, when one uses a computer at work or in some public places, there is always the risk of key loggers being installed in the computers. So, which method would be better for privacy and security?

    Use good security measures on your own computer, and don’t visit sites where you need to enter your password on computers you can’t trust.

    Leo
    05-Jan-2010

  10. Will

    Leo,

    You could enable FIPS encryption in Firefox. It is little known that FIPS is standard on Firefox and can be enabled under advanced options and under encryption devices. Cracking a master password with FIPS enabled and a salt is virtually impossible.

    TrueCrypt can’t be recommended as none of its encryption techniques has ever been verified since the creators are anonymous. Lately they have been deleting posts criticizing any faults in the program, which is disturbing.

  11. OhHai

    Saving passwords in a browser, no matter which browser it is, leads to a host of security concerns. Definitely think that everyone should be using an actual password manager, my top pick is Roboform.

  12. Ed Boyd

    As a small point, you still have to remember a Last Pass master password. So one is not completely without remembering something.

    • Absolutely. But by having only one thing to remember you can elect to make it strong and lengthy, and let Lastpass worry about remembering everything else (which can be long and strong and completely UNmemorable).

  13. Robert Lehrer

    This is a valuable post, Leo. Thank you. I’ve been using RoboForm for the past few years to accomplish the same objective as LastPass.
    Is there a material difference between the two programs that would make me want to consider switching to LastPass?

    • Not really – Roboform is also good. I switched to Lastpass because Roboform has more of a “lock in” mentality (it’s VERY difficult to export your information to a different tool), and Lastpass was examined in detail by Steve Gibson of grc.com and does their encryption in a way that I really, REALLY appreciate. (Always local – never on the Lastpass servers.)

    • Mark Jacobs

      And even if all things were equal, the PC version is free. It costs $12 a year for the phone app, which is well worth it.

  14. Harry Broom

    Now I admit I didn’t thoroughly read each post but I did do a search in my browser on this page. That browser is Chrome. Currently Chrome asks for your Windows login password, which providing that’s strong is a pretty neat way of securing access to stored passwords. Like you, Leo, I am a fan of Gmail but it doesn’t stop there, I think most of what they have is pretty good in the application space. It also works for me across a number of different devices, one of them an Android mobile where the security is changed depending on when & where I am.

  15. John at the Falls

    Hi Leo
    Could you comment on Cyber Firefox using the RC4 algorithm to encrypt the password file.

    Wikipedia states; “While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure cryptosystems such as WEP.

    As of 2013, there is speculation that some state cryptologic agencies may possess the capability to break RC4 even when used in the TLS protocol. Microsoft recommends disabling RC4 where possible.”

  16. Nick

    I would never save passwords for banks, credit cards, other “high security” stuff like that on browser, but enter them every time (often along with other security measures specific to the particular institution). Also important to change them a lot. For things like local clubs, stores etc where to spend money (but not when they have retrievable credit card details), various other “trivial” websites I am happy to use browser facilities.

  17. Ben Grimm

    I do use a password manager (RoboForm) to help me generate secure/unique passwords for my various accounts but feel much safer knowing that the encryption key is known only to me (even if that means not being able to recover it if I forget it). The other thing that is more convenient with a third-party password manager than one built into my browser is that RoboForm is available in ALL of my various browsers as well as on ALL of my various computers/devices.
