Ever wonder how secure your saved passwords are in your favorite web browser?
The internet has given us a lot of amazing things, like funny videos, online shopping, access to any answer we want, and much more. Yet, it has also introduced us to a new problem that many people struggle with: password management.
Seeing this as a problem, almost every web browser now offers users the ability to save passwords for quick access. While it is convenient, it also raises another question: is it safe to store saved password data in your browser?
The short answer: no. The long answer: keep reading.
How Do Saved Passwords Work in A Web Browser?
In case you are new to the internet, whenever you enter a password into a site, modern web browsers will ask you if you want the browser to remember the password and the sign-in ID. You can either select to do so or not.
If you choose to save the sign-in information, it is stored in two ways. First, it is stored locally on the device itself. Second, if you enable password sync, it is also stored on the account you sync with. This enables you to access the information on multiple devices.
As a result, you can freely switch devices and quickly log in to your accounts, and it works great.
It has never been easier to manage passwords on web browsers like Chrome, Firefox, Safari, and more. Yet just because you can do it, and it makes the experience better, doesn’t mean it is safe to do so.
Is It Really That Easy to View Stored Passwords?
Absolutely! It takes less than a minute if you know where to go.
For example, if you are using Google Chrome, all you need to do is:
- Save a password in Chrome
- Click on the three dots
- Select the Settings option
- Click on Autofill
- And click on Passwords
If you are using Windows 10 or above, you are also required to enter the password or PIN you use to log into your device. After this, you will see all of the passwords the browser has saved, and you just need to click on the Show Passwords option (represented by an eye).
The process is similar for other web browsers like Firefox, Safari, and Microsoft Edge.
Why Are Saved Passwords Not Safe In Your Web Browser?
Let’s say you went to the park with your laptop, and on that laptop you have all of your passwords saved to the web browser.
Everything’s going fine until you take a trip to the restroom. When you get back, your laptop has been stolen. That thief didn’t just steal a piece of hardware; they stole a full list of your passwords and sign-in IDs, which is far more devastating.
Especially if you have banking information stored.
Now you might be thinking that the password or fingerprint scanner required to log into the laptop is enough to protect that information. Well, it’s not.
It’s actually really easy to force login on any modern computer, which I am not covering here.
And yes, I know some of you are thinking, “well, this won’t happen to me.” However, nearly 100% of people think that before it happens to them.
Also, this is not a problem exclusive to laptops. Your desktop, tablet, and smartphone are all just as vulnerable. And it doesn’t even require a thief. Anyone who lives in your household can easily grab one of these devices and steal the passwords saved in your browser.
You Can Export Saved Passwords From Your Web Browser
Most web browsers allow you to export your saved passwords using Excel.
On one hand, it makes it easier to import your passwords on a new device if you don’t want to use the sync options. It is also a great way to get a physical list of accounts in the event your hardware malfunctions or is stolen.
On the other hand, someone could export your passwords and save that information to a USB or the cloud to use later.
It’s a double-edged sword.
What If I Only Store Unimportant Login Information?
Clearly, there is a difference between someone getting the password to your bank account and getting the password to something like Reddit.
However, even though you have probably heard “don’t use the same password for multiple accounts” several times, 68% of Americans still do so. Even worse, passwords like “12345” and “password” remain some of the most popular options.
If you happen to fall into this statistic, even stored passwords for simple sites are problematic.
It’s also worth noting that users often use personal information as their passwords. For example, people might use their social security number, or part of it, as a password.
It is a REALLY BAD idea to do that.
Another example would be using your phone number. This is information you do not want to use as a password.
Thus, even passwords on an unimportant website can be dangerous.
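One way to check your own export for the reuse problem described above, as an added example that is not part of the original article. It assumes the exported file is a CSV with `url`, `username` and `password` columns; the function name and the sample rows are made up for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# The two weak passwords the article names; extend the set as needed.
COMMON = {"12345", "password"}

def audit_export(csv_text: str) -> dict:
    """Report reused and common passwords without echoing any of them."""
    groups = defaultdict(list)   # password fingerprint -> sites that use it
    common = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        site, pw = row["url"], row["password"]
        # Group by a hash so the plaintext never ends up in the report.
        groups[hashlib.sha256(pw.encode()).hexdigest()].append(site)
        if pw.lower() in COMMON:
            common.append(site)
    reused = sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)
    return {"reused": reused, "common": sorted(common)}

# Constructed sample export; every site and credential here is made up.
SAMPLE = """name,url,username,password
Bank,https://bank.example,jdoe,Summer2019!
Forum,https://forum.example,jdoe,Summer2019!
Shop,https://shop.example,jdoe@mail.example,password
Mail,https://mail.example,jdoe,x9$Lq2!vRt7#Wm4p
"""

if __name__ == "__main__":
    for finding, sites in audit_export(SAMPLE).items():
        print(finding, sites)
```

The export file itself holds every password in plain text, so delete it once the audit is done.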
Why Is There No Focus On Sign-In IDs?
You might have noticed that I mentioned web browsers also save your sign-in IDs. Yet, they seem to get no focus.
The main reason is that sign-in IDs don’t offer accounts much protection. For example, colleges typically make your school account the first letter of your name followed by your last name. It’s not very secretive.
This means anyone who goes to the same school and knows your name has your sign-in ID. Only the password prevents them from logging in.
And it’s not just colleges. Many banks use a similar system because it is easy for the client to remember. Many other sites will just require you to sign in with your email address.
Again, anyone who knows your email address knows your sign-in ID.
If you’ve ever created a forum account on a website, your username that is displayed when you create a post is probably your sign-in ID. Are you noticing a pattern?
The sign-in ID offers very little, or in many cases, no account protection at all.
Doesn’t Two-Factor Authentication Still Prevent Them From Logging In?
Getting people to set up two-factor authentication (2FA) is not easy, but it really does make your account safer most of the time.
First, let’s discuss what it is. 2FA is a system that requires a confirmation code after you enter the password. This can be in three main forms: email, text, or a security token.
The confirmation codes are sent out immediately after entering the password and expire after a given time.
Now, you might have figured this out, but if you store your email password in your web browser and someone steals it, that 2FA system is breached. That said, a text message or security token (such as the Google Authenticator app) is pretty safe.
Although if the passwords were stored on your phone’s web browser and it was stolen…yeah, the system still falls apart.
That said, 2FA significantly increases the security of your accounts. I strongly recommend setting it up, and you can even earn bonuses for doing so.
For example, adding 2FA to a Fortnite account will get you in-game rewards.
Is There A Safer Way to Store Passwords?
This is what Password Managers were made for.
These are third-party apps that store your passwords using encrypted data, which is just a fancy way of saying it makes them unreadable to anyone but the person they’re intended for.
As you can imagine, most come with a cost, but some free password managers do exist.
They are easy to understand. You enter your sign-in information into the app and when you visit the website you can select which sign-in to use from a list. Some will change your passwords to stronger versions to increase security.
The good news is you don’t actually need to remember some random string of letters, numbers, and symbols. The apps store it in a secure environment. The only password you will need to memorize is the password for the manager itself.
Some are designed to not store this information to make it impossible to steal if someone gets ahold of the device.
As I said at the start, people struggle to manage their passwords, which means there’s a big market for password managers. Unfortunately, not all password managers are created equal.
How Do Cookies Fit Into the Equation?
If you’ve been using the internet, you have probably been asked to accept cookies when you visit a website. You can thank the GDPR for that.
Cookies do store your password and other information. But without them, every time you change a page, you would need to log in again. As you can imagine, the internet is not a great place without cookies.
Yet, the good news is they are safe.
Unlike passwords saved in your web browser, cookies are saved as code. So, it takes some coding knowledge to identify them.
Cookies actually expire after enough time passes, which helps minimize the data they store. And it is even possible to set your web browser to delete all cookies every time you close the browser, which is the safest option.
Does This Mean Storing My Credit Card Info Is Also Bad?
Viewing stored credit card information is almost identical to viewing stored passwords in a web browser. Thus, it’s not a good choice.
However, it is somewhat safer because web browsers do not save the CVV number on the back of your card. This means you need to manually enter this into many sites.
However, there are times this code is not required, so the safety varies.
A much better option is to use PayPal to pay for items online. It is very secure, can detect fraudulent activity, and is almost universally accepted in the United States. Just remember that PayPal requires a password before checkout.
If you are not a fan of this, then you could manually enter billing information every time.
The good news is that modern credit cards can identify fraudulent activity and may even contact you by phone to approve the unusual charges.
Switch to A Password Manager Today
Hopefully, this has convinced you that saved passwords in your web browser are not safe. They can be accessed easily by anyone who lives in your home, works at your office, or steals your device.
In some cases, they even undermine systems like 2FA that are designed to increase account security. Yet, I cannot deny that remembering fifty different passwords is a big hassle. That’s why I recommend investing in a quality password manager.
As a user, it works almost identically to your browser storing the passwords, but it’s much safer.
Are you shocked to find out your passwords are not that safe? Do you already use a password manager?