Do you save your passwords in the browser you use? If so, this post is for you! Let me show you why this isn’t the safest option for you, and what you can do instead. Ever heard of a password manager? If not, it’s about time you do!
Increased Vulnerability
First, is it convenient to save your passwords in a browser? Yes. Is it a security risk? Also yes, and a big one at that! Hackers frequently target browsers, which is understandable. We all use them, many of us daily. And we don’t always store our passwords like we should. Many re-use passwords as well, another big no-no.
One problem when you store your passwords in your browser is that once your browser has been compromised, all your saved passwords are exposed to the intruder. Browser-stored passwords are not always encrypted properly. This means they lack that extra layer of protection and security that some kind of authorization requirement would give you.
Lack of Encryption – Some Personal Examples
I have two personal examples showing you why saving your passwords in a browser is a bad idea.
At my last workplace, I saw a student in the computer lab save his passwords in Google Chrome on a lab computer. I politely asked him if he realized that in doing this he also gave everyone in the room access to his passwords, at least if he forgot to lock that specific workstation. When he was clueless, I showed him exactly how to download all stored passwords from Chrome as a .csv file. I also showed him the information contained in the downloaded file.
This exact thing happened at home as well. I noticed one of my sons had saved passwords in his Google profile. It turned out most of them didn’t belong to him but to his dad. His dad had, at some point, saved passwords while being logged in to the wrong Google profile. I notified the person in question about the risk and sent him a copy of the .csv file. Next, I also scanned the browser to see if the passwords had been reused. I then removed the passwords stored in the wrong profile.
Had I wanted to do some damage right there, I had the passwords to do so. If the user only used a username and password to access different systems, I wouldn’t need anything else. I could gain access and potentially lock the rightful owner of the accounts out. It doesn’t take much to lose a lot of your digital assets today.
Limited Control and Visibility
When you store passwords within browsers, they are typically organized alphabetically or by the website or application they belong to, which lets you locate a saved password easily when you need it. They are not categorized by date.
There is no way to see when a password was created. This makes it difficult for you to see when it would be a good idea to change your password. Since your browser stores your logins alphabetically or by the website name, it’s also more difficult to organize passwords. You can’t sort them by the type of service they connect to or in a folder system. The latter is possible in many password managers.
If you don’t know when you created a password, it’s difficult to know how long you’ve used it. In some password managers, you can also set passwords to expire on a certain date. You can also set a reminder for when it is time to change your password. Both things are good to keep your data safe!
Password Reuse Risks
One risk when you store your password in your browser is the bad habit of reusing the same password across multiple accounts. This is a security risk but even more so if you don’t know how long you’ve used the same password.
To sync passwords across your devices by just logging into your browser is convenient and can save you some time. But what happens if someone gets access to your password on a device? If you are compromised in one browser it means that all your passwords, and data, are in danger. To avoid a security breach, it’s better to suffer the inconvenience of having your passwords properly under lock and key and stored more safely.
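A reuse check can be run over your own exported .csv file. The following is an added example, not part of the original post; it assumes the export has `name`, `url`, `username` and `password` columns, uses a constructed sample, and never prints a password.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape of a browser password export (assumed
# columns: name,url,username,password). Not real credentials. The forum
# entry differs only in case, so it is a different password and not flagged.
SAMPLE_EXPORT = """name,url,username,password
shop.example,https://shop.example/login,anna,Summer2023!
mail.example,https://mail.example/,anna@mail.example,Summer2023!
bank.example,https://bank.example/auth,anna,x9$Lq2!vTz#8rW
forum.example,https://forum.example/signin,anna_k,summer2023!
video.example,https://video.example/,anna,hunter2
"""

def find_reused_passwords(csv_text):
    """Return groups of (site, username) that share one exact password."""
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row.get("password") or ""
        if not password:
            continue
        # Group on a digest so the clear-text password is never kept or shown.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        host = urlsplit(row.get("url") or "").hostname or row.get("name") or ""
        groups[digest].add((host, row.get("username") or ""))
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def report(csv_text):
    """Build a human-readable summary that lists sites, not passwords."""
    lines = []
    for n, entries in enumerate(find_reused_passwords(csv_text), 1):
        lines.append(f"Password #{n} is shared by {len(entries)} logins:")
        lines.extend(f"  {host} ({user})" for host, user in entries)
    return lines or ["No reused passwords found."]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```

Delete the exported file once the check is done, since it holds every password in clear text.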
Alternative Solutions – Password Managers
Password managers can be a good way to move away from reusing your passwords, or storing them in your browser. In a recent article, Malwarebytes listed several ways a password manager can help protect you:
- Encryption – you’re no longer able to easily get access to your passwords in clear text like you would be in a browser
- Lookalike phishing sites – if the domain doesn’t match what’s in your password manager, the credentials won’t be sent.
- Syncing – if you sync your password across your devices, leaving one of them unlocked is a big security risk for you
- Offline – many password managers can cache your passwords locally, which means you can still access them even if your connection is unstable or goes down. This wouldn’t be the case if your passwords were stored in a browser.
- Business devices – you help your IT department out if you use a password manager made for businesses. It’s easier for your IT department to get better insight, and to revoke passwords when necessary.
- Password stealers – it’s more difficult for malware to target and harvest passwords from your device if you use a password manager. Malware is usually built around finding where your browser stores passwords and encryption keys. But your password manager is separate from your browsers and not at risk in the same way.
- Data breaches – several password managers will inform you if they find that your credentials have been involved in a data breach so you can act quickly and change them.
- Complex passwords – set up the parameters inside your password manager, and creating complex passwords that are difficult to crack is a breeze!
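The lookalike-site check from the list above, as an added example (not from the original post or from any particular password manager): a simplified autofill rule that offers a saved login only when the page's scheme, host and port exactly match the stored entry. The function names, the vault and the URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed vault for illustration: saved origin -> username.
VAULT = {("https", "accounts.example.com", 443): "anna"}

DEFAULT_PORTS = {"https": 443, "http": 80}

def origin_of(url):
    """Normalise a URL to (scheme, ASCII host, port); None if unusable."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    try:
        # Punycode the host so a look-alike Unicode letter cannot pass
        # as its ASCII twin in the comparison.
        host = (parts.hostname or "").encode("idna").decode("ascii")
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except (UnicodeError, ValueError):
        return None
    if not host or port is None:
        return None
    return (scheme, host, port)

def credential_for(page_url, vault=VAULT):
    """Offer a saved login only on an exact origin match."""
    return vault.get(origin_of(page_url))

# Constructed pages: the real site followed by typical look-alikes.
PAGES = [
    "https://accounts.example.com/signin",             # the saved site
    "https://accounts.example.com.login.test/signin",  # real name used as a prefix
    "https://accounts-example.com/signin",             # hyphen instead of dot
    "http://accounts.example.com/signin",              # same host, no TLS
    "https://\u0430ccounts.example.com/signin",        # Cyrillic 'a' homograph
]

if __name__ == "__main__":
    for page in PAGES:
        user = credential_for(page)
        print(f"{'fill ' + user if user else 'no match':<10} {origin_of(page)}")
```

A person reading the address bar can miss these differences; an exact comparison does not, which is why a password manager that stays silent on a login page is a signal worth checking.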
Risks When Using a Password Manager
Even though password managers are good for many things, Malwarebytes also raises a word of caution regarding how you as a user might create a security risk of your own:
“A word of warning here, some password managers have the option to keep you logged in for hours or even days.”
The best practice here is, in my opinion, to make sure that you don’t stay logged into your password manager that long. In fact, on a few of them, you can set the database to automatically lock when you lock your computer. Sure, you have to use your passphrase and log back in after you come back from your break, but security wise it’s well worth the time! A word of advice, be sure to choose a strong master password for your database! A passphrase is better than a single password, just make sure it’s one you won’t forget!
Examples of Password Managers
A simple search on Google will give you plenty of suggestions for password managers to use. Some of them are subscription-based like Dashlane, 1Password, and NordPass to mention a few. Others are free to use but might take some more tinkering to set up and use. A short article like this can be used for a quick overview.
My password manager of choice, KeePass, falls in the latter category. I have some setup to do if I don’t want to manually copy and paste things from the database, and I need to store the database file somewhere I can access it.
When it comes to deciding which password manager to use, you have to look at your personal needs. Are you willing to spend some time setting things up, or do you just want to log in and get started? Do you need to access your passwords on mobile devices as well? If so, is the password manager of choice available for those devices? Do you want to use biometrics, a passphrase, or something else to unlock your password manager? What kind of encryption is offered? Can you generate new and complex passwords from the password manager itself?
I’d also suggest you take some time to look into the different solutions out there, both with regard to user reviews and to whether there have been any security breaches lately.
In conjunction with using a password manager, I’d suggest you turn on and use MFA – Multi-Factor Authentication, whenever possible. This adds yet another layer of protection, especially if you use biometrics to unlock the MFA app of your choice.
Conclusion
A password manager might not be the only way to store your passwords, but it’s a safer way than storing that type of data in your everyday browser. While it might take you more time to do the initial setup of your password manager than just storing a password in your browser, it’s time well invested.
While using a password manager is not a guarantee of staying out of reach of hackers, it’s better than storing your passwords in your browser. Keeping your passwords encrypted and locked away is a good safety precaution to take. After all, a lot of our lives are spent online these days. You wouldn’t give a random stranger the keys to your house or apartment, so keep your passwords to yourself as well!