If you’re ready to pull your hair out over password management frustrations, rest assured you’re not alone. The average user in the US has over 130 online accounts. Since we all know never to reuse the same password across multiple accounts (right?), that’s 130 unique, complex passwords to remember! I won’t speak for you, but my brain wasn’t built for that kind of task. Consequently, for many of us, storing our passwords is a necessity. One popular option that has cropped up in recent years is browser password management. Whichever browser you use, you have likely been asked the question “Would you like us to save your password?” If you answered yes, the next time you visited that website it may have autofilled your password for you. How convenient! But is it safe?
Let’s break it down…
Encryption is Key
Browsers often save your passwords in a plaintext list, frequently accessible with only the password to your device (and other times with no password at all), and commonly protected by only fairly weak encryption. Even if the data is strongly encrypted, the cryptography and implementation specifics often aren’t publicly reported, leaving the user at the mercy of the company’s claims and reputation.
Security is Secondary
You might trust a babysitter to make your kid dinner every now and then, but would you hire him as a full-time chef? Probably not. Your babysitter’s job is (hopefully) taking care of your kid! Browser companies’ chief focus will always be providing the best browsing experience. Firefox, Chrome, Safari, and Edge are all locked in a battle to win our hearts, and they know what 98% of us care about – an attractive interface and an intuitive user experience. Protecting their users’ login credentials will always be secondary, if that.
Convenience is Costly
On top of potentially weak encryption and subpar security measures, the most convenient feature of a browser password manager – autofill – is inherently dangerous. Most people using a browser password manager are not opening the browser’s vault every time they need a password and copy-pasting it into the login box. Most users allow the browser to autofill login information for them. Unfortunately, recent research by the cybersecurity company Proofpoint discovered that some digital ad companies have been scraping this autofill data to collect email addresses. This methodology could easily be applied to any saved data – including passwords.
It’s Not All Bad News
There is another option that is slightly less convenient but vastly more secure: dedicated password managers. Next week we’ll go into detail on these and help you decide what’s best for you.
Patient Computer Help for Grown Ups assists people with their Macs and PCs in the Chagrin Falls and Ohio City areas.