Why you shouldn't use your browser to store online passwords

A recently publicised "flaw" in Chrome and Firefox could allow someone with access to your computer to view all of your online passwords in a matter of seconds. Let's look at exactly what the problem is and what can be done about it.



The Issue

Just over a week ago Elliot Kember published a blog post about an apparent security "flaw" in Google's Chrome browser that could allow someone with access to your computer to steal all of your online passwords. Any password that Chrome remembers for you is stored by the browser so that you don't have to enter your credentials each time you visit a site. The problem he highlighted was that anyone sitting at your computer can view all of those saved passwords, in plain text, very easily.



Simply type chrome://settings/passwords into the address bar and you will find yourself at Chrome's password management screen. From there, click on the password of any account you like, click the 'Show' button and, tadaa, the password is displayed in the field.





This article caught a lot of attention in the press and has become quite a hot topic for debate online. At face value, someone reading this may already be thinking how terrifyingly easy it is to steal all of their precious user credentials. In truth, it's not quite as bad as it seems at first glance. The simple fact is that for an attacker to do this they need physical access to your computer, or at least to your logged-in session, and at that point it's pretty much game over already. If they have stolen your PC and you're not using full disk encryption, you can consider any data on there compromised, saved passwords included.

It does, however, raise the concern that your mates/sister/mum/dog could quite easily take a quick peek at your credentials whilst you're making a drink, and you would be none the wiser. Firefox suffers from the exact same issue, although strangely it wasn't covered as much, but it does allow users to set a 'master password' that must be entered before the saved passwords can be viewed. The Google Chrome security lead said that whilst a master password would stop someone casually observing your passwords, it would provide little to no protection against an actual attacker, which is why it hasn't been implemented. They don't want to give you an illusion of security where there isn't any.



The obvious mitigation is to not have your browser store your passwords at all. Whilst Internet Explorer does a slightly better job of protecting what it stores, there are free tools available online that can recover its passwords in seconds too. Ultimately, having your browser store your passwords is generally not a good idea.



This could leave you in a bit of a tight spot with regards to remembering all those passwords for the wide range of sites you need to log in to, which in turn leads to further problems like reusing the same password so you have fewer to remember, and that is even worse! The answer is to use a password manager. Password management software stores all of your passwords in an encrypted file and requires one very strong master password to access it. Because you only have to remember that one password, you should make it a very strong one. Once you have the app open you can store passwords for every site you use. Because they are stored and remembered for you, each one can be very long and complex but, more importantly, unique, as you never need to remember it yourself. I've been using Password Safe, which has an associated Android app too.

You simply open the app, type in the very long and complex master password you created, and then each time you log in to a site you right-click the appropriate entry, copy your password and paste it into the password field:




Because Password Safe encrypts the password file, an attacker who stole your computer would not be able to recover your credentials from it without your master password (which is why that password needs to be strong). It should be obvious that if you're going to leave the computer unattended you should close the program that has all of your passwords in it! With Chrome or Firefox, closing the browser would not stop someone gaining access, as they could simply open it again and read your passwords.



Using a password manager is far more secure than having your browser remember your passwords. As long as the application properly protects the password file and you use a strong master password, it should be the preferred way of doing password business. You can use online storage like Dropbox or NSA Google Drive to store your password file (it's encrypted, remember!) in the cloud and then access it from any computer where you may need it. I'm working on another blog post covering password managers and two-factor authentication in a lot more detail but for now, even if you're only sending your laptop to the local PC shop for repair, just remember to remove your saved passwords from the browser!

Short URL: https://scotthel.me/BrowserPass

About Scott
Researcher, blogger and international speaker. I'm the creator of report-uri.io and securityheaders.io, free tools to help improve online security.