When I was recently asked this question about saving passwords in the browser, my instinctive response was to say, “no, of course not.” After all, I reasoned, a browser is just software, and all software is vulnerable to a variety of cyber attacks. But instead of responding immediately, I decided to look into this a little further to see if I was, in fact, correct in my assessment. That’s when I learned that the situation is more complex than it seems on the surface. In fact, your decision on whether or not you want your browser to remember your password depends on 4 factors, 1) the website that requires your password, 2) the browser you are using, 3) the operating system you are using, and, 4) your trust or paranoia level.
First of all, you have to consider the importance of the website that needs your password. If the site is something like a forum site, which you are only visiting to get some information, for convenience sake, you may simply let the browser remember your password. This is because you may not care if someone hacks your password. That said, be sure you don’t use a derivative of a password that you use on other more important sites. For example, don’t use the password, ‘password’, and on another site use ‘Password’, or ‘PassWord’.
For more important sites, sites that may have your personal information or that you go to in order to buy merchandise, it would be better not to store your passwords in the browser. Then again, that may depend on the browser.
The Windows 10, Edge browser can be, in my opinion, easily hacked. If you don’t believe me, look in your Windows control panel (windows key + x) under user accounts. There, you will find something called, Credential Manager.
Click on it and you will see all of the sites for which you have saved passwords. Clicking the down arrow will give you more information including your password. To actually see your password, you will need to give the password you use to log onto your computer. If you have no password, you are already in trouble. You would still be in danger if a keylogger was used that captured your logon information or if you had the misfortune of having a RAT (remote access Trojan) installed by some criminal hacker.
Windows gets around this weakness by offering those with the right equipment an additional layer of protection called, Windows Hello. Windows Hello offers you the option of signing in using facial recognition or a fingerprint scan. According to those who’ve investigated it, Windows Hello is pretty secure. Unfortunately, many devices don’t have the necessary camera or fingerprint readers that using Hello requires.
Firefox is a little better at general security. It puts an extra layer of protection in by giving you the option of using a master password. It’s like a password manager built into the browser. Before Firefox retrieves a stored password, it will ask you for the master password, thereby making it a bit more difficult for hackers trying to gain access to your stored passwords. It’s not foolproof, however, so I would still not recommend storing sensitive passwords in the browser. Firefox does not, by default, enable the master password option so you will need to do that yourself.
If the browser you are using does not have a master password option, you can add an extra layer of protection by getting a password manager. These will encrypt and save all of your passwords in one location that is accessible through a master password. Passwords managers store your passwords on your computer, on your hard drive, in your cloud account, or in the cloud on the password manager’s company server. None of these password managers are absolutely safe. One of the most well-known password managers, LastPass, has been hacked a number of times. Other users have had problems with Dashlane and Keepass. Be aware that no password manager can keep your passwords safe on a compromised computer. However, if your enterprise employs hardware separated security architecture, any passwords stored in the safe zone cannot be accessed by hackers and are, therefore, safe.
In the end, it comes down to trust. At some point, you will have to decide which password storage you have the most trust in. Even if you keep all of your passwords in your head, you’ll still have to trust your memory. So why can’t you use something besides passwords to get into a site? Well, that’s exactly what Google thought. Google wants to get rid of passwords completely, at least on Android devices, by replacing them with a trust score based on biometrics. If your face, fingerprints, walking style, and typing pattern look familiar, then you will receive a high trust score rating and be allowed directly onto certain sites. Some sites may require a higher trust score than others, such as banks, but it would mean you would never have to remember a password again.
This sounds pretty good on paper but I have a feeling that implementing it will be fraught with many problems. What if you do everything right but still can’t reach the required trust score level? What if, for example, you sprain your ankle and have to alter your walking style? What if you grow a beard? Well, you get the picture. It may lead to more frustration than memorizing your passwords. Why do people keep using simple passwords? Because time and again, convenience outpaces fear. If biometrics prove to be inconvenient, you can expect that passwords will persist and people will keep them simple and keep storing them in browsers.