Can You Trust Your Web Browser With Your Passwords?
Learn about the advantages and drawbacks of letting your browser store your passwords.
Google Chrome, Firefox, and Safari allow users to store their passwords using a built-in password manager. Some browsers will even generate random passwords for users and remember them on their own.
This is undoubtedly a useful feature created to meet popular demand. Nobody wants to remember dozens of difficult, unique passwords.
But just how secure are web browsers at keeping that data safe? Do web browsers have what it takes to keep unauthorized users away from sensitive data?
Read on to find out how each of the three major browsers rank up in terms of built-in password security, and what office managers and IT leaders can do about it.
Convenience Often Comes at the Price of Security
Web browser developers have a clear incentive: get as many users on their respective platforms as possible. Most everyday web browser users are more concerned about convenience than security, and it’s hard to blame developers for aligning their products with users’ interests.
The design of browser-based password managers then don’t offer the same kind of protection a purpose-built password management solution offers. This is especially true of business users who typically use company systems during the day and leave their computers unattended at night.
If you can’t protect against physical access to your system, a browser-based password manager is unlikely to help secure your system. Instead, it will put your entire network at risk. Each of the three main browsers come with security disadvantages that put user login credentials in jeopardy:
- Google Chrome
With almost 60% of global internet traffic traveling through Chrome browsers, there’s no way to discuss browser security without starting here. On Windows and Mac OS X, Chrome prompts users to create a master password before saving any web login password itself.
In theory, this should keep users’ passwords safe, but if an unauthorized user opens Google Chrome in Linux, the web browser will not ask for any identification whatsoever.
There are also ways to reset the user password in Windows, which grants immediate access to Google Chrome’s list of saved passwords. This is because Chrome’s “master password” is automatically set to the user’s Windows password.
Simply use a tool like the iSumsoft Windows Password Refixer to reset the Windows password, and you can enjoy instant access to all the saved passwords in Chrome.
- Apple Safari
Apple’s Safari is the built-in browser application for every iPhone, iPad, and Mac computer on the market. Safari requires users to set a master password before it will save user passwords and login credentials.
Safari is slightly more secure than Chrome because it requires the user to set a unique master password. Unlike Chrome, a Safari user can set a password that is distinct from their operating system password and keep their passwords locked behind that.
However, it turns out there are other ways to beat Safari’s password manager (more on that below).
- Mozilla Firefox
Firefox is a well-known alternative to Chrome and Safari, and it includes almost all of the features of its more-popular competitors, password management included.
Firefox’s built-in password management tool is more like Safari’s than Chrome’s. It allows the user to set a unique master password rather than simply using the user’s operating system password as the default. However, it does not require users to do this.
That means that users who fail to secure their Firefox passwords behind a master password are leaving their credentials wide open for anyone to access.
Easy Ways to View Saved Passwords
Beyond the security vulnerabilities of each individual browser, there is another password retrieval method that works on all browsers. It’s so simple that anyone can do it, and it can reveal a browser-saved password in less than a minute:
- Open a website login where the browser autofills the password field.
- Open the browser’s Inspect Element (or Inspector) tool.
- In the window that pops up, find and replace “type=password” with “type=text”.
- Hit enter.
- The browser will replace its usual asterisk filter with the unhashed, plaintext password.
Although the web browser’s inspector tool looks like a complicated mess of code, it takes zero programming knowledge to find and change that small value. Any passerby can force your web browser to give up the keys to your kingdom, and there would be no way to track down who did it.
The ease and convenience of storing your passwords through a browser’s password manager can be hard to resist, but it’s clear this practice should be avoided at all costs when working in an office setting.
Interact with the most used features in a password manager on our Password Generator page.
Sign up to receive news and updates about Dashlane