The Problem With Storing Passwords in Your Browser (and How to Fix It)

Ever since the introduction of a built-in password storage feature on modern browsers, it has quickly become the go-to password management and security solution for the majority of users. In 2017, 18% of users said that they use their browsers for password storage, and since then, the number has only snowballed. 

Indeed, it is hard to deny the sheer convenience of having the login credentials readily available on the login interface itself (i.e., your browser). But these gains come with a costly trade-off — one that you simply cannot ignore in 2021. 

How Do Browsers Like Chrome, IE, and Safari Store Passwords? 

All modern web browsers come with a built-in password manager that offers to store your login credentials, with varying degrees of security encryption. For instance, user passwords on Chrome are protected by AES encryption, and the encryption key is secured by a separate API, which is the Windows Data Protection API. 

As you can see, your passwords aren’t kept completely exposed when you choose to store them on your favorite browser. 

So, what is the problem? 

The problem arises when someone else obtains access to your system (either physically or remotely), thereby gaining access to your entire library of passwords across different websites. Your exposure footprint is massive due to the fact that all your credentials are stored in one place without enough protection. 

This problem has intensified due to two emerging trends in 2021: 

1. 1. Extremely weak passwords continue to rule – Passwords like 123456 remain popularOpens a new window , and it takes an average hacker less than a second to crack it. When you combine such weak passwords with a poorly protected storage system, the risk of exposure multiplies.
   2. Password sharing is common in a WFH world – When working from home, it isn’t uncommon for employees to share their device passwords with a spouse or a child. ResearchOpens a new window suggests that nearly one in five employees have done this in 2020, a trend that could continue in 2021. 

Your device passwords are frequently the only protection mechanism separating an unauthorized user from getting your browser stored password. 

That’s how browser-stored passwords work — the user provides their permission to store and auto-fill login credentials for specific websites, and anyone using the system will be able to sign in without further authentication. Someone else could even view your entire list of stored passwords if they had access to a system and knew/guessed/cracked your device password. 

Learn More: Why Your IT Department Needs to Part Ways With Passwords

Common Attacks Resulting From Browser Stored Password Management 

Passwords have always been linked to a high degree of cyber risk exposure. 

“It’s well documented in the Verizon DBIR and other content such as the LastPass Phycology of PasswordsOpens a new window that weak and unsecured passwords are the single biggest reason for data breaches. This is true for both personal data and corporate data,” Barry McMahon, senior global product marketing manager at LogMeIn (Identity & Access), told Toolbox. 

If you add a poorly-thought-out storage and security system on top of this, it could open the way for a variety of threats. 

First is credential dumping, a technique where hackers try to gain persistent access into your network. They obtain access to a workstation remotely (either through phishing or hacking tools) and then use the procedures a typical network admin would follow for monitoring systems to create an exhaustive dump of all credentials stored in the target endpoint. 

Ethical hackers have repeatedly shownOpens a new window that it is possible to reverse engineer browser-based password security mechanisms for credential dumping. 

Second, there is malware that steals autofill data. Between 2018 and 2019, cases of autofill data and credential theft by malware increased by nearly 33%Opens a new window , and the risk increases as we rely on browsers for more and more business-critical activities. 

The stolen data could be sold on the dark web to cybercriminals. 

Finally, ransomware could force encrypt your browser-stored passwords and block your access to them. A threat of this type was spotted in 2019, with hackers making changes to an earlier variant called FTCODEOpens a new window . This latest iteration encrypts your credentials and asks for a ransom of $500 and upwards.

The obvious answer to these threats is to stop storing passwords in your browser in the first place. 

Fortunately, purpose-built password management software will keep your convenience/productivity tradeoff to a minimum. 

Learn More: 2020’s Worst Password Offenders Revealed

Why You Need a Dedicated Password Solution 

Password management solutions have all the convenience of a built-in password storage feature, without most of its security risks. Using password management software, you can: 

• • Set a master password: A master password protects your password library with a credential that is different from your device login mechanism. Typically, password management software will make master passwords mandatory and have you reset them at regular intervals.
  • Define optional 2FA: You can further protect your password library with two-factor authentication, like an SMS code on top of your master password. Given that browsers allow users to export entire password lists, this feature is highly recommended.
  • Configure website specific rules: Password management solutions can override credential storage for sensitive websites like banking pages or corporate assets, requiring you to fill in credentials manually. 

Depending on the software you choose, you can get a host of value-added features like random password generation, secure password sharing, and unified management across browsers — which, incidentally, only adds to the convenience factor. 

“In addition to being able to set the strength of passwords, with dedicated passwords such as LastPass and others, you can also get insights into how secure your passwords are and if they are on the Dark Web. This capability is invaluable as it allows you to stay proactive in protecting your identity and site logins,” McMahon said.

“At the end of the day, dedicated password managers are more than just password managers. They can store secret notes, banking card details, addresses, and so on — ensuring that you have your most personal and private data to hand at all times,” he added.

Learn More: 5 Ways Hackers Can Get Around Your MFA Solution

Getting Out of the “Better Than Nothing” Mindset 

As our reliance on browsers grows, users cannot afford to hold on to early notions of password management. 

As McMahon puts it, users tend to feel that any “trustworthy service that offers the ability to store and save passwords is better than using nothing.” And often, that trustworthy service is our favorite browser — despite the inherent challenges of putting all your eggs (in this case, credentials) in one basket, as it were. 

That’s why it is so important for end-users to carefully go through a browser’s default password security settings and turn off auto-storage/autofill. You can also selectively start or stop saving passwords when you are logging into your Google account on a shared system. Finally, make sure to turn on Safe Browsing features on Chrome (or its equivalent on your preferred browser), so that you are alerted to any credential breach and can change your password immediately. 

Simple, proactive steps like these and switching to a dedicated password management tool, instead of a “better than nothing” mindset, can help protect your online activity and prevent unauthorized access. 

Do you use your browser for password storage? If yes, tell us why on  LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window .   We would love to hear from you!