Why You Shouldn’t Store Passwords In A Browser

Published by Adrian in Web Security

In a world thundering with cyber-attacks and major security breaches, many still wonder… Is it safe to let the browser remember passwords? Should I let the web browser store my passwords? Where do I store my passwords, in the browser or some other dedicated third-party software?

Why are so many people still contemplating this option when there are many question marks around it?

Because it’s convenient.

It’s so irresistibly convenient that a significant number of internet users are tempted to close their eyes in front of all the risks that come with it.

On second thought, everybody tells you to create secure passwords. To change them periodically. To use unique passwords for unique accounts.

Yet when it comes to handling it all, you’re left on your own.

And through it all, your web browser helpfully suggests that you let it store your passwords whenever you log in to an account from it…

It’s as if everything is pushing you towards this obvious decision.

Having your passwords at your fingertips, stored in your favorite web browser? It is not only convenient, but it also helps you save time and be more productive. As you know, the more secure the password is, the harder it is to remember it. And so, the bigger the temptation to store it in your browser.

But here’s the catch: regardless of how secure your password is, if you store it in your browser, you make it vulnerable.

Why you shouldn’t store passwords in the web browser

The logins you save in web browsers are easy to see. Some browsers would ask you for a user password to access them. Others will not ask for any password at all.

The differences, from one browser to another and from one OS to another, are very small. In essence, those who want to and who know what to do can easily access those passwords.

More often than not, those who want to also know how to do it. And they can do it either locally (while having direct, physical access to your device) or remotely, once they hack the device.

In addition to this major inconvenience, if you store passwords, you’re making it easier for other people to access your accounts without your permission. Whether you lose the device, someone hacks it, or a roommate or family member takes a peek, they can log into your accounts with ease.

A bit less obvious but just as concerning, storing the passwords will spare you from having to remember them. And when you don’t bother to remember them for some time, you have every chance of forgetting them. So, even more hassle to restore your access if you ever have to.

Are there any differences from one web browser to another?

To put it simply, no. It might be slightly more difficult with some browsers, but ultimately, getting your passwords is doable.

Some browsers ask for a master password to protect these logins and they do it by default. Chrome is one good example where users have to have a user password to look at the saved passwords.

Other browsers give you this option, but if you’re not aware of it, you won’t use it. Firefox is the kind of browser where the user needs to set up a master password to benefit from some kind of protection for the stored credentials.

The bad news? Even if you set up a master password, there are loads of online tools that can break into these passwords.

Not that we’re trying to give you some ideas, but everyone in the field of hacking browser passwords has at least heard of iSumsoft Windows Password Refixer. With its help, your master password can be easily reset, thus making your protection useless.

Alternatively, someone with minimal coding knowledge can unmask a user password using the Inspect Element window of a chosen browser.

Leaving aside the free (or paid) hacking tools, there are also info stealers roaming around. This is an all-too-well-known type of malware, conceived to steal browser data among other sensitive information from your device.

Long story short, you’re better off not storing your passwords in the web browser, no matter what.

In fact, you should disable both the Save Password Settings and the Autofill options from your browser settings. And it certainly cannot hurt you if you choose to use a reliable VPN for all of your internet-related activities.

Then what’s the best way to store passwords?

The bad news is that there’s no other place completely safe to store your passwords.

The good news is that there are safer places to store your passwords, other than the web browser.

As much as we hate to admit it, the online world provides no certainty. In every single product specifically designed for the web, there are flaws that sooner or later will be exploited by hackers.

So, in the absence of the absolute best or the absolute safety, we have to settle for what’s left. What’s left is better, safer, more secure. That, along with not keeping all your eggs in one basket.

Long story short, here’s a big YES to using one of the best password managers out there.

After that, let it come up with unique passwords for each of your accounts. And you just focus on setting up a strong master password. That’s pretty much the best you can do.

How are password managers different from web browsers?

From a distance, the similarity is striking. With both options, you’re putting all your eggs in one basket. Why should you trust the password manager more than you trust the web browser?

First of all, dedicated software is the best way to store passwords because its developers have one main goal: to ensure the security of the data they store. The developers of web browsers, by contrast, need to work in many different directions.

In other words, the chances for a dedicated security team to mess it up are, even if just by a tad, smaller than the chances for a web browser development team to overlook security flaws.

Next, even if password managers deal with some kind of organized server attacks… And even if their servers do get hacked… The millions of passwords that the hackers would get their hands on would be pretty much useless without the master passwords. And yes, password managers don’t store the master passwords of their clients.
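The design described above, as an added example that is not taken from any real password manager: the vault is encrypted with keys derived from the master password, and only the salt, nonce, ciphertext and tag are ever stored. The function names and the iteration count are assumptions for illustration, and the SHAKE-256 keystream is a standard-library stand-in for the AES-GCM or ChaCha20-Poly1305 a real product would use.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 200_000  # constructed work factor for this example


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                              ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher: SHAKE-256 keyed with enc_key and a fresh nonce.
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password: str, entries: dict) -> dict:
    """Return the record a server would store; no password or key is in it."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = _xor_stream(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, record: dict) -> dict:
    """Re-derive the keys on the client; fail closed on a wrong password."""
    salt, nonce, ciphertext, tag = (
        bytes.fromhex(record[k]) for k in ("salt", "nonce", "ciphertext", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_xor_stream(enc_key, nonce, ciphertext))


if __name__ == "__main__":
    # Constructed sample data.
    record = seal_vault("correct horse battery staple",
                        {"example.com": "Tr0ub4dor-constructed"})
    print(json.dumps(record, indent=2))  # everything a server breach would expose
```

What a breach of this record exposes is an offline guessing target, so the strength of the master password and the cost of the key derivation are what stand between the attacker and the vault.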

In other words, here’s how to store passwords safely:

  • Pick a good password manager;
  • Set up a strong master password;
  • Don’t share your master password with anyone;
  • And don’t forget your master password.

Do that and you should be fine, provided you do set unique passwords with each account. Otherwise, hackers know how tempting it is for users to reuse passwords. So, the first time they find a password, they test it on multiple sites, trying to break into your other accounts, just in case you’ve shared that password with other websites.

What is risk, if not another word in the dictionary?

Truth be told, unless you hide a few meters underneath the ground, in some kind of bunker or whatever, there’s no place online where you’re 100% safe.

Between reusing passwords (because you don’t trust saving them in one place and you can’t remember so many unique passwords) and trusting a password manager, we say you’re safer with the second. Note that we haven’t even included storing passwords in the web browser among your options. That one, certainly, shouldn’t be an option!

And so, if there’s one thing you should take away from this article, it would be this:

No online account is unhackable, yet the hackers are the only ones to decide if it is worth bothering to find a crack in your security wall or not. Usually, it’s either money or the ease of access that motivates them. Unless you’re a celebrity, ease of access is the only thing that will make them consider your account worth hacking.

To keep their interest low, you can always:

  • Make a habit of updating your software every time you get the chance. All new software versions include important security patches that you want to have.
  • Make a habit of scanning your computer for viruses or any kind of malware. If your password manager has a flaw, it can make certain passwords visible when in locked mode, but only for those with direct access to your device. Make sure you don’t have malware that gives hackers direct access to your device.
  • Make a habit of not installing software from unreliable third-parties. Unknown developers or shady app stores are not an option for you if you want to minimize your risks. Focus on Microsoft, Apple, and the Google-managed app stores. While we all know that those aren’t bulletproof either, they are certainly safer than any APK you might want to install.
  • Make a habit of keeping the most important passwords somewhere safer. Somewhere safer doesn’t have to mean in that underground bunker. But it can help to keep them disguised among some personal notes or in physical places, where only you know their true meaning. Bitcoin private keys and other valuable codes obviously deserve the effort of finding more sophisticated and, therefore, more secure storage options!

In the end, the risk is a relative thing. It can mean different things for different people, circumstances, and, most importantly, for different moments in time. Online products that used to be considered safe become vulnerable at some point later on. Because their flaws were discovered. Or because hackers got better at bypassing their protection mechanisms.

For sure, you cannot beat that, but you can always strive to choose passwords that are very difficult to guess. And since they are also very difficult to remember, you would have to trust someone to store them for you. Let that someone be a dedicated password manager, not just another web browser out there.