Practical Computer Advice
from Martin Kadansky
Volume 13 Issue 9
September 2019
Convenience Vs. Security: Should You Use Your Web Browser to Remember Your Passwords and Credit Card Numbers?



To read this issue on my website, please visit:
http://kadansky.com/files/newsletters/2019/2019_09_30.html

The problem

Every time you sign into a website, your web browser (e.g., Internet Explorer, Firefox, Chrome, Safari, or Opera) probably asks you whether you want it to "Save" or "Remember" that website's username-and-password combination for you. Should you use that feature? Is it secure? What are the risks? Read on for my advice on this issue.

Convenience vs. Security

When it works properly, having your web browser remember a password for the websites that you use is very convenient. Not only does that make logging back into those websites easy, you can also have your browser display a list of all of its stored passwords, so it can serve as a kind of simple (and free) password manager.

Note that if you use multiple web browsers, each browser stores its website passwords on your computer separately.

Unfortunately, this convenience carries a number of security risks, including:
  • Physical access: By default, anyone with in-person access to your computer has nearly instant access to all of the passwords stored in your web browser, including family members, guests in your house, cleaning staff, employees in your office, etc. This also includes someone who might steal your computer, or get possession of it after you've sold, donated, or discarded it, especially if its internal storage wasn't wiped or destroyed first.
  • Hacking: Anyone (or any software) that gains access to your computer via the internet, including hackers, scammers, viruses, malware, ransomware, etc., could also get into your web browser and steal the passwords that you've stored there.
  • Syncing to other computers: If you "sync" (synchronize) your web passwords across the web browsers on multiple computers that you use, that spreads your risk to those computers, too.
  • Syncing to an online account: If you sync your web passwords into an online account (which is one way to share information across multiple computers and devices), those passwords can get stolen if that account gets hacked.
  • User password: If your browser requires you to enter your user password (which you use to get into your computer) before you can view your web passwords, that's more secure than having no central password protecting your list of passwords, but that user password can be hacked as well.
  • Re-using web passwords: If you use the same password on multiple websites, then someone who gets your password for a website that you might consider to be "less important" (like your Uber or online clothing store account) can then use it to break into your account on a "more important" website (like your email, bank, credit card, or retirement account).
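
To see how much the re-use risk above applies to you, here is an added example (not part of the original newsletter) that lists which websites share a password, without ever displaying the passwords themselves. It assumes you have used your browser's password export to save a CSV file with "url", "username" and "password" columns; the function name and the sample data are constructed for illustration.

```python
import csv
import io
import sys
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export (not real accounts); the column names are an assumption.
SAMPLE_EXPORT = """url,username,password
https://www.uber.example/login,pat@example.com,Sunflower42!
https://shop.clothes.example/account,pat@example.com,Sunflower42!
https://mail.example.com/,pat@example.com,Sunflower42!
https://bank.example.net/signin,pat,correct-horse-battery
https://bank.example.net/cards,pat-cards,correct-horse-battery
https://forum.example.org/,pat,
"""

def find_reused_passwords(csv_text):
    """Return groups of (site, username) pairs that share one password.

    A group is reported only when the password appears on more than one site.
    The passwords are used for grouping only and are never returned.
    """
    by_password = defaultdict(set)
    for raw in csv.DictReader(io.StringIO(csv_text, newline="")):
        # Accept "URL"/"Url"/"url" style headers.
        row = {(k or "").strip().lower(): v for k, v in raw.items()}
        password = row.get("password") or ""
        if not password:
            continue  # entry saved without a password
        url = row.get("url") or ""
        site = urlsplit(url).hostname or url or "(unknown site)"
        by_password[password].add((site, row.get("username") or ""))
    reused = [sorted(entries) for entries in by_password.values()
              if len({site for site, _ in entries}) > 1]
    return sorted(reused, key=lambda group: (-len(group), group))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to your own export file
        with open(sys.argv[1], newline="", encoding="utf-8-sig") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    for group in find_reused_passwords(text):
        print("The same password is used on:")
        for site, user in group:
            print(f"  {site}  ({user})")
```

The export file holds every one of your passwords in plain text, so delete it as soon as the check is done.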

What should you do about this issue?

Here is the most secure approach to solving this problem:
  • Stop saving any new web passwords in your browser,
  • Delete all the saved passwords already in your browser,
  • Turn off your browser's prompt to save your passwords, and
  • Stop syncing your passwords across computers and online accounts.
Then, repeat these steps for each web browser that you use and each computer that you own. How you do each of the above tasks depends on which browser(s) you're using.

You should also:
  • Start using an offline password-management program to store and organize your passwords, i.e., one that only stores its data on your computer, not in any online or cloud-based storage, and keep it up-to-date as you choose new passwords and change existing ones.
  • Make sure that the internal storage for any computer that you discard (sell, donate, give away, etc.) gets completely wiped or destroyed first.
  • Treat all passwords as important. No account or password is "less important" than any other.
  • If your browser can also save credit card numbers, treat them the same as passwords.
  • Treat all of your mobile devices the same as your computers, since they can be hacked, stolen, discarded, and misplaced as well.
Here is an alternate, slightly less secure approach:
  • If you really like the convenience of having your web browser store your passwords and your browser also gives you the option to set a Master password to control viewing your web passwords, then you should immediately pick a new (unique) and "strong" password,
  • Set it as the Master password in your browser, and
  • Enter it into your password-management program for your records.
  • However, if you discover that your web browser does not let you set a Master password to protect your web passwords, then stop saving passwords in your browser and proceed as I've outlined above.

Where to go from here

How to contact me:
email: martin@kadansky.com
phone: (617) 484-6657
web: http://www.kadansky.com

On a regular basis I write about real issues faced by typical computer users. To subscribe to this newsletter, please send an email to martin@kadansky.com and I'll add you to the list, or visit http://www.kadansky.com/newsletter

Did you miss a previous issue? You can find it in my newsletter archive: http://www.kadansky.com/newsletter

Your privacy is important to me. I do not share my newsletter mailing list with anyone else, nor do I rent it out.

Copyright (C) 2019 Kadansky Consulting, Inc. All rights reserved.

I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.