Don't save passwords in browsers

Unless I've configured your browser for you, it will offer to save passwords. However, this is not secure enough for me to accept it as a good practice.

There are different ways this is done: the Firefox way and the Chrome/Safari way.

Firefox (also Cliqz)

With Firefox or Cliqz, passwords are normally encrypted with an easily broken algorithm that gives you very little protection. Besides being able to show passwords in the program itself, tools like NirSoft's WebBrowserPassView can display all your Firefox passwords.

Firefox does offer the additional option of using a master password to log in to your passwords and decrypt them until the browser is closed. This might work. Since they do not make their encryption methods available to study, we don't know how good they are, but they probably do a decent job. However, the benefit of using this weak password manager, integrated into the browser, over a good password manager is removed if you have to open it with a strong password. Furthermore, you lose the advantage of being able to store non-browser passwords, and you may lose the store if you switch browsers.

The one advantage that can exist, however, is that if you were to use Sync across devices and used the same passwords on mobile devices and laptops, then your passwords would be synced across devices. However, this can be better accomplished with LastPass, and most people can simply copy their KeePass database from the Windows tower to their mobile devices.

Chrome and Safari

Chrome and Safari use the normally weak password for logging into your computer as the encryption password for all your passwords. They do not give you the option of using a strong password. I think I'd best not say what I think of this bizarre idea other than I cannot recommend it. I know I must have seen stupider ideas somewhere, but just can't think of them now.


Edge encrypts passwords with your Microsoft account password, giving Microsoft access to all your passwords on all your accounts. This could be exploited by any corrupt employee. Also, you probably do not have the really, really strong password you need for a password manager for your Microsoft account, since you may have to type it. Finally, there are free password tools that will reveal your Edge passwords without the login credentials. This too is not a good option. It does have the amusement factor of an even dumber method than used by Chrome and Safari.

What to do?

My recommended and most secure password manager is KeePass. I've written many articles about it. There are excellent Android programs that will use the KeePass database, so simply copying the file to your phone or tablet or laptop gives you access on multiple devices. However, if you need to synchronize your passwords across many devices and therefore want to store your passwords in the cloud, then LastPass is your best option.

Date: July 2017

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.