Can You Trust Your Browser With Your Passwords?
Having your Web browser remember your passwords and/or credit card
details can be convenient, but it poses some security risks. How much of
a risk depends on which browser you’re using, whether you sync with
other devices, and whether you’re using any of the browser's extra
security features. Here are the main vulnerabilities in some of the
most popular browsers—Internet Explorer, Google Chrome, and Mozilla
Firefox—and ways you can protect against those weak spots.
Common Security Risks
The biggest problem with having your browser save your passwords
involves prying eyes. Not only can other users who have access to your
computer log in to your accounts and see your actual passwords or credit
card details, but so can a thief if your computer, smartphone, or
tablet gets lost or stolen. And the same risk applies if you haven’t
properly erased your data from your PC when you get rid of it; whoever
ends up with it next might be able to recover your information. Also,
some viruses and malware can steal your saved passwords or credit card
details.
As you may have noticed, banking sites—and many
others that deal with highly sensitive information—don’t let your
browser save your password. However, if you use the same or a similar
password on sensitive sites as you do on less-secure sites, someone
else may be able to easily guess your banking password, for example.
Some browsers let you (or, potentially, thieves) view a list of your
saved login credentials, including the site, username, and password. And
for those that don’t, utilities like WebBrowserPassView can easily let
you compile a list of them. This is handy if you forget a password or
you want to evaluate all your passwords, but it's problematic if an
intruder uses such software on your computer. Another way you (or
thieves) can recover saved passwords is by using a utility like
BulletsPassView to reveal the password behind a masked password field on
a webpage or window.
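An added example (not from the original article): a short Python audit of a credential list you have compiled yourself, flagging passwords that are reused or nearly reused across sites, which is the weakness described above for banking logins. The sample entries, the SENSITIVE set, and the 0.8 similarity threshold are constructed assumptions.

```python
import difflib
import hashlib
from collections import defaultdict

# Constructed sample list: (site, username, password). Not real credentials.
SAMPLE_EXPORT = [
    ("forum.example", "alice", "Sunshine2012"),
    ("shop.example", "alice", "Sunshine2012"),
    ("bank.example", "alice", "Sunshine2012!"),
    ("mail.example", "alice", "k7#Vq9wLp2xT"),
]
SENSITIVE = {"bank.example"}  # assumption: sites the user marks as high value

def fingerprint(password):
    """Short hash used only to group identical passwords without printing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]

def exact_reuse(entries):
    """Return {fingerprint: sorted sites} for passwords used on 2+ sites."""
    groups = defaultdict(set)
    for site, _user, password in entries:
        groups[fingerprint(password)].add(site)
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}

def near_reuse(entries, threshold=0.8):
    """Return sorted (site_a, site_b) pairs whose passwords differ but are similar."""
    pairs = set()
    for i, (site_a, _, pw_a) in enumerate(entries):
        for site_b, _, pw_b in entries[i + 1:]:
            if pw_a == pw_b or site_a == site_b:
                continue  # identical passwords are reported by exact_reuse
            ratio = difflib.SequenceMatcher(None, pw_a.lower(), pw_b.lower()).ratio()
            if ratio >= threshold:
                pairs.add(tuple(sorted((site_a, site_b))))
    return sorted(pairs)

def sensitive_at_risk(entries, sensitive=SENSITIVE):
    """Sensitive sites whose password matches or resembles another site's."""
    flagged = {s for sites in exact_reuse(entries).values() for s in sites}
    flagged.update(s for pair in near_reuse(entries) for s in pair)
    return sorted(flagged & set(sensitive))

if __name__ == "__main__":
    print("exact reuse:", list(exact_reuse(SAMPLE_EXPORT).values()))
    print("near reuse:", near_reuse(SAMPLE_EXPORT))
    print("sensitive at risk:", sensitive_at_risk(SAMPLE_EXPORT))
```

The report names sites only; passwords are compared in memory and never printed.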
In the next sections, we’ll take a look
at three popular browsers—Internet Explorer 9, Chrome, and Firefox—to
evaluate their credential-saving features, and discuss some tips for
better securing them.
Internet Explorer 9
Internet
Explorer 9 offers the most basic password-saving functionality of the
three browsers we’re covering. Its AutoComplete feature can also
remember your name, address, and other data you type into Web forms or
search fields. It doesn’t provide a way for you to view saved passwords
from within the browser settings: It only allows you to change the main
settings and delete all AutoComplete history.
Not being able to
view a list of the passwords can help prevent casual snooping. And even
though you can still log in to sites the browser saved the password
for, you can’t by default view the password itself. As mentioned before,
however, a determined hacker can use a utility to see a list of all
your saved passwords or to reveal the actual characters behind the
password field on a login page.
Unfortunately, Internet
Explorer 9 doesn’t offer a native synchronization feature to keep your
settings and saved data synced across multiple computers or devices;
from a security standpoint, though, that’s one less risk
you have to worry about.
Internet Explorer 10 in Windows 8 will
provide new password saving and syncing features, but it’s not yet
clear if they will be available when you use Windows 7. When I tested
the Release Previews of Internet Explorer 10 and Windows 8, I found that
you can view and manage saved browser passwords using the improved
Credential Manager in the Control Panel. And for security, before you
can view the actual saved passwords you must reenter your Windows
account password, which can help prevent casual snooping by others.
Windows 8 will also offer a new synchronization feature that lets you
sync passwords for apps, websites, and networks—in addition to Windows
settings and preferences—across your other Windows 8 computers and
tablets. For security reasons, before you sync your passwords with a new
computer or tablet, you must log in to a Microsoft site and approve the
new device. And if you’ve specified a mobile number on your Microsoft
account beforehand, you'll get a confirmation code texted to your mobile
phone that you must enter on the Microsoft site before the trust is
granted and passwords are synced.
Google Chrome 21
Google Chrome provides more full-featured password saving than
Internet Explorer does, as well as an autofill feature that can also
keep track of your credit card details. But while these can be great
time-savers, they also pose more security risks.
Chrome lets you—or a thief for that matter—browse through the list of
saved usernames and passwords (alphabetized by site name) or enter the
site name into the search field to filter the list.
For
privacy, Chrome masks each saved password with asterisks, but you can
click the entry and press the Show button to reveal the actual password.
You can also change the password, but unfortunately Chrome doesn’t
sense password changes, so it won't prompt you when you log in to a site
with a new password. You must go to the saved password entry and update
it manually.
You can view a list of all saved addresses and
credit card details, including the name on card, the account number, and
the expiration date. Chrome partially masks your credit card numbers
with asterisks, but you can click the entry and then click Edit to
reveal the full number. The only card detail not saved is the card's
security code, which is often—but not always—required to make purchases.
Unfortunately, Chrome doesn’t offer a master password feature like
Firefox does in order to protect all your passwords and credit card
details. Thus, anyone who’s logged on to your Windows account can view
all the saved passwords and credit card details.
Chrome offers a
syncing feature to keep most of your settings and saved data (including
passwords, but not credit card details) synced across multiple
computers and devices, but this creates another security vulnerability.
By default, Chrome only requires you to enter your Google account
password to set up a new computer or device to sync your browsing data.
This is a great convenience; but if your Google account password is
hacked, the intruder can potentially access a list of all your passwords
unless you set a syncing passphrase, as we’ll discuss.
Chrome's sync settings.
To keep your saved passwords secured during syncing, Chrome encrypts
them when they travel from your computers or devices to Google's servers
(and vice-versa). You can also set the browser to encrypt all other
synced data.
By default, Chrome uses your Google account
password to encrypt and decrypt the synced data, but you can enter
another passphrase if you want to add an extra layer of protection to
your synced data. When you set up Chrome to sync on a new computer or
device, you'll need to sign in with your Google account password and
then also enter your encryption passphrase.
Firefox 14
Firefox offers advanced password-saving features that are even better
than Chrome's. Firefox doesn’t natively support saving credit
card details, but at least that's one less security issue you need to worry
about. As with Chrome, you can browse, search, and remove saved
passwords via the Firefox settings.
Saved passwords in Firefox.
Though you can’t change the passwords in the settings, Firefox
automatically senses password changes you've made elsewhere and asks if
you want to update your password when you log on to a site with a
password that’s different than what’s saved on your PC.
Unlike Chrome, Firefox lets you set a master password to encrypt and password-protect the saved password list.
Firefox lets you set a "master password" to add an extra layer of security.
You must enter the master password the first time you use a saved
password, once per browser session. Additionally, even though you enter
the master password the first time, you must always enter it before you
can view saved passwords via the list in the Firefox settings. This is a
great feature to help prevent casual snooping of your passwords, and it
even prevents most third-party utilities from recovering them.
Firefox can also sync your passwords, settings, and other saved data among multiple computers and devices.
This is similar to what Chrome provides, but by default Firefox
encrypts all synced data instead of just your saved passwords.
Additionally, there’s more security when you add a new computer or
device to your Firefox Sync account. You can either enter a passcode
from the new device into one that you've already set up, or take the
recovery key from a device you've already set up and input it into the
new device after logging in to your Firefox Sync account.
Summary
Internet Explorer 9 helps prevent casual snooping—there’s no list of
saved passwords in the settings—but it doesn’t provide any advanced
security features to prevent someone on your Windows account from using
third-party utilities to recover your passwords.
Google Chrome
21 allows anyone on your Windows account to view your list of saved
passwords and credit card details, so be careful who you let on. And if
you sync your browsing data across multiple computers and devices,
consider turning on encryption of all data and setting a custom
passphrase for double-protection.
Firefox 14 also by default
allows anyone on your Windows account to view your list of saved
passwords, but you can create a master password to encrypt and protect
them. And if you use the browser syncing feature, Firefox offers great
security.
Of the three browsers we reviewed, I’d choose Firefox
for the best password security thanks to its master-password feature,
but I’m also eager to see the final version of Internet Explorer 10 for
both Windows 7 and 8.
I’ll leave you with some additional tips to help you boost the security of your passwords:
Never save passwords or sync browser data on other people’s computers.
Try to use different passwords for each site—at least for banking and other sensitive accounts.
Password-protect your Windows account.
Create separate Windows accounts for each user, or at least for those you don’t fully trust.
For extended family or friends, utilize the Guest Windows account.
Use a good antivirus program and keep it updated.
Think about fully encrypting laptops, netbooks, and mobile devices.
Look into third-party password-management services like LastPass or KeePass.
this is such a helpful info. thanks great