Here’s Why Saving Passwords In Your Browser Is a Gigantic Mistake!

By Manoj Agrawal
Published in Mind Talk, Feb 3, 2022 (4 min read)

We live two lives: offline and online. And we need privacy in both versions of our lives. Just as you don’t like anyone encroaching on your privacy in your personal, offline life, you would of course be angered if someone encroached on your online life. In fact, these days we have more secrets to hide in our online life than in our offline one. And the only barrier between intruders and your online persona is those passwords (sometimes fingerprints, these days).

So, apart from the obvious practice of using strong passwords, it is crucial to audit where you save those passwords. No matter how strong your passwords are, if the place where you save them is not secure, they will be of no use.

Saving Passwords In Your Web Browser: The Price You Pay

Let’s admit it, passwords are inconvenient. They waste our productivity and sometimes, if forgotten, resetting passwords is a real headache.

But they are a necessary evil. So for convenience, we store passwords in our web browsers when prompted. The next time you log in to a website, your browser fills in the login form with your email ID and password. Life becomes so easy!

But are you paying a hefty price for bringing a little ease into your life? Are password vaults in your web browser really secure? Let’s find out.

Let’s See It From a Non-Tech Point of View: Web Browsers Are Not Purpose-Built For Password Storage

Web browsers are made to help you browse the web, watch YouTube videos and perhaps play some browser games. This is what browsers are dedicated to doing. Any service or software performs excellently the task for which it is made. If you give it an extra task, it will still perform it, but there may be flaws in the way it does that extra task. Why? Because it was not born to do that task. Likewise, browsers were not born to encrypt your sensitive data and store it within them. That is why there is a reasonable chance that the password storage service of a browser can be compromised by a malicious person.

Browsers On a Logged-In System Display Passwords In Plaintext

When I work on Firefox, the system prompts me to save the login ID every time I log into something. Once I save the login ID, it can be accessed by anybody who has physical access to my logged-in computer. Firefox does have a ‘Primary Password’ (Master Password) feature that protects all the login IDs saved in it. However, ask 10 people and I guarantee you that 9 of them will say that they don’t use any Master Password. So anyone can snoop into your password vault if they have access to your logged-in laptop. In the case of Chrome, the situation is almost the same. Chrome uses the login API of Windows to protect passwords. Hence, once again, the only barrier between a potential attacker and your passwords is whether or not you are logged in to your main account on your laptop.

Now let’s delve deeper…

Redline Malware: Here’s a Practical Reason Why You Should Not Save Passwords In Browsers

Back in 2020, when the world was busy fighting the pandemic, hackers too were busy figuring out how to misuse that chaos. A new malware, Redline, emerged to make already distressed people even more distressed.

The malware is still being used even to this date. The attackers spread this malware by disguising it as a Covid Tracker (specifically: Omicron Stats.exe) and sending it via email to unsuspecting people. Once a gullible person opens the mail and executes the malware, it gets copied into

C:\Users\[Username]\AppData\Roaming\chromedrlvers.exe.

As you can see, the malware targets Chrome users in this instance. The malware establishes a connection with the attackers by connecting to a Command and Control Server.

The modus operandi is quite simple. As I said earlier, Chrome stores all the saved passwords in plain text, protected only by Windows CryptProtectData. This means that whenever the user is logged in to the system, the password vault can be accessed without any encryption in place. The malware does exactly that. It searches for the SQLite database inside Chrome where all the login data is stored. If the user is already logged in to the system, the malware can call CryptUnprotectData and decrypt the stored passwords.

Note: This malware also steals all the cookies. Hence theoretically, it can hijack even those accounts where you sign in with Google or Facebook.
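The behaviour described above leaves a detectable trace: a process other than the browser opening Chrome's login or cookie database. The sketch below is an added example, not part of the original article. The event format (process image, file opened), the allow-list and the sample events with user "alice" are assumptions constructed for illustration, and the database file names are Chrome's standard profile files rather than names given in the article.

```python
import ntpath

# Chrome profile files that hold saved logins and cookies (SQLite databases).
SENSITIVE_FILES = {"login data", "cookies"}
PROFILE_MARKER = "\\google\\chrome\\user data\\"
# Assumption: the only image expected to open these files is Chrome itself,
# matched by install-path suffix so per-user installs are still accepted.
ALLOWED_SUFFIXES = ("\\google\\chrome\\application\\chrome.exe",)

# Constructed sample events (process image, file opened); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\alice\AppData\Roaming\chromedrlvers.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\alice\AppData\Roaming\chromedrlvers.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\Documents\notes.txt"),
]


def is_credential_store(path):
    """True if the path is a Chrome login or cookie database."""
    lowered = path.lower()
    return PROFILE_MARKER in lowered and ntpath.basename(lowered) in SENSITIVE_FILES


def triage(events):
    """Return one alert per non-browser process that opened a credential store."""
    alerts = []
    for image, target in events:
        if not is_credential_store(target):
            continue
        lowered = image.lower()
        if lowered.endswith(ALLOWED_SUFFIXES):
            continue  # Chrome reading its own profile is expected
        # Binaries running from AppData\Roaming match the drop path in the article.
        severity = "high" if "\\appdata\\roaming\\" in lowered else "medium"
        alerts.append({"image": image,
                       "file": ntpath.basename(target),
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], "->", alert["file"])
```

In practice the events would come from file-access auditing or EDR telemetry, and the allow-list would need entries for any backup or security tools that legitimately read the profile.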

Bottom Line

People don’t realise the implications of the theft of login credentials until it happens. You can lose all your money, your relationships can be jeopardised, and your health info can become available to the whole world. You can even be wrongfully arrested if the attackers use your accounts for malicious purposes. The solution? Always use an OFFLINE password manager that is made specifically for the purpose of storing passwords with strong encryption. Cybersecurity is no longer the interest of businesses alone; individual people should take it seriously as well.

Originally published at https://www.linkedin.com.

Hello! I’m a tech lover currently working in Techment Technology, India. My areas of expertise are project management, software design, customer experience etc.