Most modern browsers offer users the option to store passwords for convenience. However, like with many other aspects of technology, users are faced with a decision between security and ease of use. “Do you want Chrome/Firefox/IE/Opera to save your password?” Before agreeing, there are a few things you might want to consider:
- Opera – This summer, an attack directed at Opera exposed login credentials and other personal information stored within Opera browsers for over 1.7M users.
- Features – It is important to recognize that password management is a component or a feature—not necessarily the focus—of most browsers.
- Security – Security mechanisms that protect stored password information differ from browser to browser. Firefox offers a master password option for encryption, while Chrome utilizes the OS user password for this.
- External apps – Dedicated password management applications, such as LastPass or Keepass, could offer an extra layer protection.
- Malware – Browser password storage may be more susceptible to malware built to act as the user, browser hooks, keyloggers (LastPass offers a virtual keyboard for master password entry), etc.
- Updates – Check your settings to ensure your browsers are configured to automatically update. Most do this by default.
- Authentication – Always use two-factor authentication (2FA) when available.
It is also important to consider what type of data you are trying to protect. If you can do it, the safest place to store a password is in your brain. It could be beneficial to remember unique passwords for important things—such as your email and bank account—and auto-generate and store passwords for everything else with a password manager protected by a very strong master password and 2FA. Auto-logout can also be configured for external password managers. Avoid using the same password in more than one location.
At present, there are no perfect password management solutions and using any type of password management service is still a risk. However, the added layer of protection from both a dedicated service and 2FA offers users an option which many security professionals consider to be of a lesser one.