Should I allow browsers to remember my passwords and synchronize them?

Question

I wonder, how wise is it to allow Chrome and Firefox to a) remember the passwords b) synchronize them? My gut tells me that if it's not man in the middle who can intercept them, but Google and Mozilla themselves can see them on their servers or with help of their browsers. Of course, they say they won't and the passwords are stored encrypted, but can we know that for sure? Maybe the browsers themselves secretly send the passwords to Google and Mozilla.

I've just begun using keepass recently, therefore at least I have a place where my passwords are stored locally, because previously I stored them only in the browsers and synchronized. And now I think I shouldn't synchronize them anymore.

Answer 1

To expand on what @d1str0 said: if the creator of your browser wanted to steal your passwords, it would be trivial to send them to a manufacturer controlled server whenever you entered them - they don't need to bother with the hassle of telling you about sync procedures, or offering to remember passwords. All browsers by default send a certain level of usage data back, usually crash reports and update checks, which could easily conceal password and username data.

However, if any browser was found to be doing this, there would be outcry against that manufacturer - look at the rage directed at Microsoft following the release of Windows 10 with the reporting back enabled there.

Keepass and Password Safe are both open source (so, given sufficient programming knowledge, and a trusted compiler, you can be sure they're doing what they say they are, and nothing else - sufficient programming knowledge may well be a very high level though). In both cases, the encrypted password files should be safe to sync, even to third party sources, as long as the safe password is not provided. Breaking AES (Keepass) or TwoFish (Password Safe) without the appropriate key (the safe password) comes down, as far as we know, to brute force.

Lastpass and 1Password both require you to trust the developers, and sync by default to a remote location. Theoretically, they are safe, but there wouldn't be any obvious way to detect a vulnerability in them relating to storage. If you're concerned about Chrome or Firefox stealing passwords, logically, the same arguments apply to these apps.

Personally, I use one of the cloud based password services mentioned - I've considered the risks and benefits, and balanced the amount of security I'm willing to accept against the ease of use for the service, and decided that for my use cases, it's acceptable. Your acceptable risk might well be different - if you consider AES as vulnerable, for example, keeping a Keepass safe on an encrypted USB key which uses a different encryption algorithm might be a viable option, but uploading the file to a third party service might be "too risky" for you.

It comes down to what you consider safe, having evaluated the options. Many security professionals have considered this problem though, and generally advise using password safe type software over allowing browsers to remember passwords, simply because browsers used to be terrible at it - they allowed access without a master password, and used poor encryption methods. Some of these issues have been addressed now, but old habits die hard!

Answer 2

If you were worried about Chrome or Firefox stealing your passwords, you wouldn't be using them as a web browser in the first place.

An application like Keepass or LastPass can keep your passwords encrypted with a master password.

If you don't use a master password, your web browser can unencrypt your passwords at any time.

It's up to you on what level of security you want.

Answer 3

In addition to the answers regarding password managers, there is a moment where you must allow for uncertainty.

To take the example of KeePass: in addition to trusting people who review the code (or trusting yourself to have the knowledge to review it yourself), you also need to trust the provider of the binary (that it matches with the advertised code). Or recompile it yourself and trust that the compiler is correct. And that the OS is trusted as well.

This is a lot of "trust" and there always come a moment where your risk analysis declares that it is "good enough". This "good enough" is what you should look for, relative to other risks.

I am with @Matthew regarding the use of online password managers: you protect yourself against the most probable risk (a site is hacked but you have unique and long passwords thanks to the password manager) vs the possibility that Google/the NSA/[put your favorite organisation here] is after you. if they are after you they will have more efficient ways to get to your data.

Answer 4

Do you use a shared computer? If yes, or if your hard drive is not encrypted, then no, don't allow it to save passwords.

I would not allow a browser to remember my password, I find using a password manager far easier. Firefox (and I assume Chrome) allow, but do not require, the use of a master password, which encrypts your stored passwords (It is my understanding that passwords are encrypted regardless, but without a master password, nothing stops anyone from using the stored passwords). Most people fail to use the master password feature, and I think it is due to enabling it being something that needs to be sought out explicitly. Using Firefox 44.0.2, if a site knows your password, you can

Right click the password field > Fill Password > View Saved Logins > Show Passwords (Agree to the prompt).

No authentication required, and everything is in plain text.

What's even easier, and works across browsers?

Right click on password field > Inspect Element (May be named differently) > change the type from "password" to "text"

Again, no authentication required, and everything is in plain text.

Answer 5

Seems to me for the average user there is a reasonable compromise: have your web browser save the less important ones, and save the rest in a more secure fashion.

I have something like 100 passwords for various sites on the internet. Probably 80 of them I wouldn't care if someone stole - they could, at worst, make me look like a jerk on Ars Technica or similar. No money (or insignificant and limited money) is associated with the site and password, and it's not a password I would ever use for something that did have money. Those I let Chrome remember.

The other ~15-20 that I care about - credit card and bank logins, my health insurance site, etc. - I keep in an offline encrypted password manager. It's offline, so in theory it could be lost (though I do have it on two separate devices, but house fires and such are possible); but all of those passwords could be (at some difficulty) recovered if absolutely necessary. In general, though, they're secure from hacking, so long as the passwords aren't recovered from a hack of the site it's a password for of course (and these are unique, complex pass phrases that are likely to be relatively safe even in many of those intrusions).

Finally, my email password is not stored anywhere except in my head. That's because it is the weak point - a social engineering attack combined with access to my email might allow someone to recover/recreate passwords for all of the other locations. I use email enough that I can safely memorize that password (and I do have of course a recovery method for that if not).

Answer 6

A compromise is to use KeePass with the Firefox extension KeeFox which enables you to use passwords from your KeePass password vault with Firefox automatically, without actually storing them via Firefox.

Answer 7

The passwords stored this way are extremely insecure. Simply try to access them and you will notice they can be accessed by entering your windows/linux user account password. There were and probably are exploits to change the windows/linux user account password or cirumvent that check. You should thus never store passwords of high value targets like a online banking account, especially on a work computer.

Answer 8

It's pretty simple: trusting your passwords to a browser, which, even with good intentions is not its primary function, is always a problem. Especially if the browser has plugins installed or if the password store itself is not secured with a (strong) master password.

How big of a problem? You have to decide. I surely let my private browsers store passwords to unimportant sites, but not for my bank account or personal mail account. The fact that many online banks actually make it hard/impossible to let your browser store the password (by replacing a plain input form with some elaborate scheme, i.e. having to click on a stylized number pad with your mouse instead) should tell you something.

For KeePass etc. it's exactly the same thought, except the bar is raised higher. I.e., if you are truly paranoid, you won't use them either, but you can trust them a "little bit more" than browsers. How much is up to you.

Answer 9

One argument in favour of allowing Browsers to store your passwords, that I have not seen anybody else here make, is that it can protect you against phishing attacks.

Chrome will automatically fill in your login credentials, but it will only do it if the URL is correct... and if the site is well designed, the URL will have been verified by a certificate authority through HTTPS. If you go to a login page and Chrome hasn't filled the credentials in automatically, then that is reason to be concerned and double check that you are in the right place.

Answer 10

There are a lot of responses here with some good information. As pointed out by some of them, whenever you use any software, you are investing some level of trust in that software.

With respedt to browsers and using them to store your passwords, I don't think your main concern should be the browser manufacturer. These are typically larger organisations who have considerable investment in their reputation. They are also under a fair amount of scrutiny (esp. chrome and firefox).

The real threat is from malicious sites/web pages and browser plugins. For this reason, I think one of the most important properties to look for is whether the browser allows you to set a master password for the stored passwords and whether you need to enter that master password before a stored password can be used.

Chrome in particular has been criticised for not providing sufficient security with respect to their stored passwords. I believe the situation has improved, but that was largely due to public out cry.

If you are using something like keepas, then I don't see any real benefit in also storing your passwords in the browser. I use a password manager and disable the ability for all the browsers I use to store passwords as it isn't providing any additional benefit.

I find people often misunderstand the reason for password managers - or emphasise the wrong aspects of them. Many see them from a convenience perspective. They will enable any convenience options without considering what impact that has on security - for example, caching their master password, allowing automatic auto-fill etc. While password managers of any type can be convenient, the real benefit is in reducing the number of complex passwords you need to remember. You need remember just one very complex and strong password and what you want is the ability to enter your master password before the system fills in your 'real' password. You don't really want the convenience of automatically entering the password - accept that level of inconvenience to ensure you keep control.

Answer 11

For online logins, you have the easy tools, like Lastpass with good browser integration, and the ones that require more work, like Keepass, where you have to copy and paste logins. That's a lot more work when you need to login to many sites daily.

If you trust Lastpass (or similar tools) less, then you can still use it for the websites which are not that important.

Important websites - think of Paypal, Amazon, Ebay, where losing your account may cost money, or mail accounts like Gmail or Hotmail, where losing the account may be even a bigger problem as it makes it possible to reset logins at other website.

Lesser important websites: login for a games forum, for Reddit, for a non active Twitter account, for discussion forums etc. Good chance that you can prove you are you and reclaim the account, bad luck if not. It's not a big loss. And whether your Reddit account means your life, for me I really don't care. So I would save it in Lastpass, but maybe you want to keep it safer. What to keep where is up to you.

Answer 12

If your passwords are easy enough to remember* or important enough**, it's better to not save them to your computer (in the browser or elsewhere) because then you are practically giving your passwords away if someone steals your computer.
Even if your passwords are encrypted, that is merely a delay mechanism, fortunately not many people will have the knowledge/resources to even bother to crack it and will probably just sell your computer for quick money.
If you do choose to use a password manager, take advantage of it: Generate a random password using all valid characters and make it as long as is allowed (4096 characters might be ridiculous though...).

*don't use short passwords, too easy to brute force (10 characters is a good starting point)
**eg., banking, email, stores, Facebook (can be used to log into other services)

Answer 13

Other users are the most worrisome reason.

I would not use any passsword remembering software, because apart from handing them the passwords I use, there is a much higher risk of someone hacking into your Google account (for example) and dumping all your other passwords.

You can save your passwords in Chrome, and then configure it to backup them to Google. Then, someone hacks your Google account by doing some keylogging.

They can access all your saved passwords in clear-text, right from the profile control panel of your google account.

However, this could be mitigated by the use of TFA.

As I said, I would not ever use any pass-remembering software, but mainly for this reason.