
Prevent Access to Saved Passwords: A Guide

August 11, 2013

Password Storage in Browsers: A Security Consideration

Many users routinely save their passwords within web browsers such as Chrome, Firefox, and Internet Explorer. However, it's important to understand the implications of this practice regarding security.

Currently, passwords saved in these browsers can be accessed by anyone who gains physical access to the computer while the user is logged in.

Browser Developers' Perspective

The developers of Chrome and Firefox maintain that this behavior is acceptable. Their reasoning centers on the premise that users should already be implementing measures to protect their computers from unauthorized access.

This stance, however, may not align with the expectations of a significant number of users who assume a higher level of inherent security within their browser's password management features.

Understanding the Risk

The accessibility of saved passwords presents a potential vulnerability. If a computer is left unattended, or if someone else gains access, sensitive login credentials could be compromised.

Security best practices recommend enabling computer-level security measures, such as strong login passwords and screen locks, to mitigate this risk.

It's crucial for users to be aware of this potential exposure and take appropriate steps to safeguard their online accounts.

The Accessibility of Stored Passwords to Unauthorized Users

If a computer is left logged in and accessible to others, saved passwords within web browsers can be readily viewed. Individuals with access can navigate to the browser's settings and directly access a list of stored credentials.

For Chrome, entering chrome://settings/passwords into the address bar provides immediate access. Selecting a password entry and clicking the "Show" button reveals the password without further verification.


In Firefox, the default configuration allows password viewing through the Options window. Specifically, navigating to the Security pane and selecting "Saved Passwords," then enabling "Show Passwords," displays all stored credentials.

While Firefox offers the option to implement a master password for enhanced security, this feature is not enabled by default. Users are not proactively prompted to create one.


Internet Explorer, unlike other browsers, doesn't natively provide a method for viewing saved passwords. However, this lack of a built-in feature doesn't equate to security. Third-party utilities, such as the free IE PassView, can be used to reveal stored passwords.

Furthermore, passwords can be exposed without installing additional software. Visiting a website where automatic password filling occurs, combined with a tool like the Reveal Passwords bookmarklet, can unveil automatically entered credentials.


Is a Security Flaw Present? Examining Browser Password Storage

A considerable discussion is currently unfolding within the tech community regarding whether a genuine security vulnerability exists. Should the developers of Chrome, along with those of other browsers such as Internet Explorer and Firefox (given its standard settings), modify the current system? Have users been misled by developers due to the lack of warnings concerning this behavior?

There are valid points supporting the existing approach, however.

  • Both Chrome and Internet Explorer protect stored passwords using the password associated with the Windows user account. Access to these passwords is prevented without a login. If an unauthorized individual alters the Windows account password, password access is immediately revoked. Provided a robust Windows password is used and the computer is secured when unattended, the passwords are, in theory, protected.
  • Should an attacker gain physical access to a computer or deploy malware, keystrokes can be recorded, potentially compromising any "master password" used in Firefox or a dedicated password manager like LastPass. Introducing a master password in Chrome might create a misleading sense of security.
  • Implementing a master password represents an extra security layer that could inconvenience typical users, leading many to disable it. The need to enter a master password before accessing saved credentials would likely be unpopular.
  • If a browser is already logged into a website account, an attacker with browser access could potentially gain entry to that account, irrespective of password knowledge.

Conversely, real-world user behavior often deviates from ideal security practices:

  • Numerous individuals share Windows user accounts, configure automatic login, or permit guest computer usage without constant supervision. This simplifies access to saved passwords, making them easily visible to anyone with even casual interest.
  • A master password would offer users an additional means of securing their password database, enabling password saving with reduced concern about opportunistic viewing by guests.
  • Many Windows user account passwords are notably weak, offering minimal protection. Furthermore, many users neglect to lock their computers when briefly away.
  • Chrome supports multiple user profiles, allowing profile sharing on a single user account, but lacks mechanisms to isolate these profiles and prevent cross-profile password access.
  • Even with access to an already-logged-in website, an attacker lacking the password would be unable to modify or delete the account.
  • The average user likely anticipates a higher level of password security. Currently, there is no notification informing them that saved passwords are readily viewable by anyone with computer access, or advising them to establish a strong Windows password and secure their computers when unattended.

Determining the correct course of action is complex. Chrome does indeed secure passwords when optimal security protocols are followed. However, Chrome, IE, and Firefox in its default configuration fail to adequately inform users about how they operate. In practical scenarios, a master password could prove beneficial for many individuals.

Securing Your Stored Passwords

Concerns regarding the security of saved passwords are valid. Several methods can be employed to protect this sensitive information from unauthorized access.

  • Consider utilizing a dedicated password manager, such as LastPass. These applications are compatible across various browsers and employ a master password to encrypt and safeguard your stored credentials when you are not actively logged in. While Chrome's developers haven't integrated a similar feature, LastPass offers a robust alternative to Chrome's native password management system. KeePass is another effective option, providing enhanced control and security.
  • For Firefox users, activating the master password functionality is recommended. Firefox's team leaves it disabled by default for user-experience reasons, but enabling it encrypts your password database with a primary password. This lets you share an account securely while preventing casual viewing of your passwords by others. It is not foolproof against sophisticated attacks like keyloggers, but it deters opportunistic access. The principle mirrors physical security: locks don't guarantee absolute protection, but they discourage honest individuals.
  • If you prefer to continue using the built-in password manager in Chrome or Internet Explorer, prioritize strong security habits. A robust password for your Windows user account is essential, and always lock your computer when unattended. Access to an unlocked computer grants easy access to saved passwords, particularly within Chrome.
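
The last recommendation depends on two Windows settings this guide names as common weak points: automatic login and a session that never locks. The following PowerShell audit is an added example, not part of the original article; the function names are hypothetical, the registry values are the standard Windows ones, and it assumes a lock enforced only through sleep or power settings is out of scope.

```powershell
# Added example: report OS-level settings that leave saved browser
# passwords viewable by anyone who sits down at the machine.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EffectiveDesktopValue {
    param([string]$Name)
    # A Group Policy setting overrides the user's own Control Panel choice.
    $v = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' $Name
    if ($null -eq $v) { $v = Get-RegValue 'HKCU:\Control Panel\Desktop' $Name }
    $v
}

function Test-UnattendedExposure {
    $findings = @()

    # Automatic logon: powering on the PC opens the user's session,
    # so the Windows password no longer gates the browser's stored passwords.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ((Get-RegValue $winlogon 'AutoAdminLogon') -eq '1') {
        $findings += 'Automatic logon is enabled (AutoAdminLogon = 1).'
    }

    # Idle lock: either a password-protected screen saver with a timeout,
    # or the machine inactivity limit policy, must be in effect.
    $active  = (Get-EffectiveDesktopValue 'ScreenSaveActive') -eq '1'
    $secure  = (Get-EffectiveDesktopValue 'ScreenSaverIsSecure') -eq '1'
    $timeout = [int](Get-EffectiveDesktopValue 'ScreenSaveTimeOut')
    $system  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $idle    = [int](Get-RegValue $system 'InactivityTimeoutSecs')

    $screenSaverLocks = $active -and $secure -and ($timeout -gt 0)
    if (-not ($screenSaverLocks -or ($idle -gt 0))) {
        $findings += 'No idle lock found: the session stays open when unattended.'
    }

    $findings
}

$result = @(Test-UnattendedExposure)
if ($result.Count -eq 0) { 'No exposure found by these two checks.' } else { $result }
```

An empty result only means these two settings are in order; it says nothing about the strength of the Windows password or whether the account is shared.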

For a more detailed examination of password security within specific browsers, explore our comprehensive analyses of Chrome’s security features and Internet Explorer’s password protection mechanisms.
