Nowadays, all kinds of websites require users to create an account before they access relevant resources and services. I believe that most of you need to log in to some websites every day. You must be tired of filling the username and password every time you want to visit a website. Thus, you may allow the browser to save your passwords and auto-login next time so that you don’t have to remember the password and fill it in again and again.
Have you ever thought that these auto-fills might be exposed?
1. The browser does not secure your passwords.
With the exception of Firefox, most browsers don’t allow you to set a master password for the saved passwords. The logon password for your operating system is used to access theses passwords saved on the browser, which means that other software on your computer also has the ability to access your browser’s saved password without your permission. If you haven’t set a logon password for your device, anyone who has physical access to your computer can steal your saved passwords.
Let’s take a look at how these saved logins are accessed.
Take Google Chrome as an example. Chrome, touted as the safest browser in many reviews, isn’t exactly secure. It is also quite easy to get access to your accounts and passwords stored in Chrome.
- Open Google Chrome.
- Tap the three-dot menu icon on the top-right corner.
- Tap “Settings”.
- Click on “Passwords” in the “Autofill” section.
- You will see a list of saved passwords.
- Click on the eye icon to show passwords. (You will be asked to enter the logon password for your device if you set one.)
When it comes to Firefox, it is also quite similar.
- Open Firefox.
- Tap the menu icon on the top-right corner.
- Tap “Options” and then “Privacy ＆ Security”.
- Scroll down to the “Logins and Passwords” section and click on “Saved Logins”.
- Tap “Show Passwords” to see the saved passwords. (You will be asked to enter the master password if you set one.)
2. Saved passwords can be accessed by web trackers.
It is possible for web trackers to access your passwords saved by the browser because there is a vulnerability in the login manager included in nearly all major web browsers. They all allow users to save login usernames and passwords to certain sites and “fill them in” the next time they visit them.
Web trackers can steal users’ personal information by embedding hidden login forms on websites that load tracking scripts.
For example, Internet advertising companies or data analysis companies can use hidden login forms to import users’ saved logins from web browsers. Users’ personal information or E-mail address may be misused without their permission.
3. It will also upload your password.
It would be safer if the passwords were only stored locally, but many browsers provide passwords sync to make it easier for us to log in on different computers. Chrome69 even lets you log into your browser with your Google account by default whenever you’ve logged into a Google service, synchronizing your password list. As long as your Google account is compromised, all the passwords saved by your browser will be compromised.
4. Auto-fills can be obtained by malicious plug-ins.
If you use the browser plug-in of a password manager, you will see a prompt for the plug-in to save your password every time you log in. In fact, the plug-in has already read your password and only asks you if you want to save it.
Similarly, if a malicious plug-in is installed on the browser, the malicious plug-in can read the password that the browser automatically fills in.
5. You may ignore the password security rules.
From a professional point of view, password security requires you to save it safely, create strong passwords, avoid repeated passwords, change passwords regularly and so on. However, users rely on the browser to remember passwords can easily forget theses password security rules, which increases the risk of being a victim of data breaches.
How do I avoid it?
- Create a very strong password for your Windows account. Keep in mind that there are a number of tools for decrypting Windows account passwords. If someone has access to your Windows password, they can also see your password saved in Chrome.
- Keep yourself away from all kinds of malware. Do not install the software from unknown sources. Regularly check and install patches. If tools can be used to access your saved passwords, malware and fake security tools can also be exploited for malicious purposes.
- Raise your awareness of personal security. Don’t allow the browser on a public computer to save your password, especially if you are logging into a financial or banking website. Privacy browsing can be used if you want to protect your sensitive data (this feature is named differently in all browsers). If you don’t want to use the private browsing mode, you can also clear all browsing history and other temporary data before exiting the browser.
- If you often use a browser to save login user names and passwords, you’d better lock the screen when you leave temporarily for something else. In a word, yo protect your data on the computer, you should try to prevent others from accessing your computer without your permission.