2

Safari, Chrome, Firefox, Edge, and IE all either have a suggest-password feature, or password archival feature.

  1. How secure are these passwords when stored on a computer?

  2. If replicated, how secure are they on the cloud host?

I would assume that 1Password, LastPass, or any of the many password apps would have this comparative information, but I can't locate it. This lack of information is making me think that browsers have improved their security since I last researched this (in the late 90's).

makerofthings7

3 Answers

6

Usually, not secure at all. It really depends on your threat model, but the data is usually saved:

  • unencrypted,
  • encrypted with a publicly-known password, or
  • encrypted with a user-given master password

On Windows (I believe 7 and over) Chrome uses an OS facility for the storage, which ties the encryption to the logged in user.

On Linux systems Chrome uses gnome-keyring or the equivalent in other desktops. The principle is the same as in Windows.

Firefox on the other hand avoids the use of OS facilities and takes care of the crypto and storage itself. If you set a master password an attacker would have to bruteforce it to get to the saved passwords(*). If you don't set a master password, one will be provided to you and it will be the empty string "". Not a very good password if you ask me.

In all cases the passwords are probably accessible to an attacker with code execution in the current user context.

In the case of Firefox without a master password the passwords are also accessible to an attacker with access to the database file.

This blog has a more in-depth analysis of the issues.

(*) As noted in the comments by Mrdeep, Firefox does a lousy job of hashing the master password, so it's easily bruteforced.

GnP
  • 1
    Then there's [this(pdf)](https://crypto.stanford.edu/~dabo/papers/pwdmgrBrowser.pdf) which I think by now is a solved problem, but still needs to be considered when evaluating the security. – GnP Jul 26 '16 at 21:37
  • 1
    I wanted to add that there appears to be an inherent weakness in the hashing of firefox master passwords. [Source](https://nakedsecurity.sophos.com/2018/03/20/nine-years-on-firefoxs-master-password-is-still-insecure/) – Mrdeep Mar 28 '18 at 16:25
0

One additional threat of browser autofill is that it is possible to craft a page with invisible fields, and when you trigger autofill, they are populated with your personal data without your knowledge and consent.

KOLANICH
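The invisible-field concern raised in the answer above can be checked mechanically. This is an added example, not part of any answer on this page: a heuristic audit that flags form fields a browser could autofill with profile data while an inline style or ancestor keeps them out of view. The style patterns, the field-name list and the sample markup are constructed assumptions, and hiding done through external stylesheets or script is not covered.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that hide an element (heuristic, assumed list).
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"
                    r"|opacity\s*:\s*0(\.0+)?\s*(;|$)|(left|top)\s*:\s*-\d{3,}", re.I)
# Name/autocomplete fragments tied to saved profile data (assumed list).
PERSONAL = re.compile(r"name|email|tel|phone|address|street|city|zip|postal|cc-|card", re.I)
VOID = {"input", "br", "img", "hr", "meta", "link"}

class AutofillAudit(HTMLParser):
    """Collects autofill-candidate fields that the user cannot see."""
    def __init__(self):
        super().__init__()
        self.hidden_stack = []   # one flag per open ancestor element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hidden = "hidden" in a or bool(HIDING.search(a.get("style", "")))
        if tag in ("input", "select", "textarea"):
            label = a.get("autocomplete") or a.get("name") or a.get("id", "")
            fillable = a.get("type", "text").lower() != "hidden"  # type=hidden is not autofilled
            if fillable and PERSONAL.search(label) and (hidden or any(self.hidden_stack)):
                self.findings.append(label)
        if tag not in VOID:
            self.hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden_stack:
            self.hidden_stack.pop()

def audit(html):
    parser = AutofillAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: visible fields plus three concealed ones.
SAMPLE = """<form>
<input name="email" autocomplete="email">
<div style="position:absolute; left:-9999px">
  <input name="phone" autocomplete="tel">
  <input name="addr" autocomplete="street-address">
</div>
<input name="cc" autocomplete="cc-number" style="opacity:0">
<input type="hidden" name="csrf_name" value="x">
<input name="comment">
</form>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The visible `email` field and the `type="hidden"` token are not reported; only fields that are both autofill candidates and concealed are.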
0

As usual it is a matter of what you trust, and what threat you want to mitigate. You should never store private passwords on a shared computer for example.

If you trust your browser to correctly read URLs (anyway if you do not, you really should not use it!) you assume that it will only autofill a password on the right site, so the only problem is the storage of password on disk.

It is as secure as (the weaker of both):

  • the encryption implementation used by the browser
  • the master password you use

provided you consistently close your browser and/or lock the screen when you leave your computer. Anyway the latter one is a good practice unless the room containing the machine is physically protected.

My opinion is that I can trust a raw Firefox enough to store most of my passwords in it with a global master password. I would not store a highly sensitive password, and for the browser part, the more add-ons the less trust...

TL/DR: My opinion is that it is fine for general use passwords, not for the ones that give access to sensitive national security information.

Serge Ballesta