We are used to storing passwords in browsers for online login accounts. Where and how are those passwords saved? I hope they are encrypted.

Normally, the browser prompts for (local) credentials when we try to retrieve a password manually (e.g. Chrome).

Generally, how safe is it to save online credentials in a browser?

user3496510
  • Possible duplicate of [Password management in Firefox, Chrome and Safari](http://security.stackexchange.com/questions/41210/password-management-in-firefox-chrome-and-safari) – R. Murray Jan 09 '17 at 04:17
  • I removed the PoisonTap part from here and focused only on browser password security. – user3496510 Jan 10 '17 at 13:00

1 Answer

> We are used to storing passwords in browsers for online login accounts. Where and how are those passwords saved? I hope they are encrypted.

This depends on the specific password manager. Some might encrypt and some might rely on the system's security. Some might store passwords locally only and some store them in the cloud in order to sync between different systems.

> Normally, the browser prompts for (local) credentials when we try to retrieve a password manually (e.g. Chrome).

This also depends on the password manager. Some ask you if you want to fill in the data, some do it without asking. Some have a master password you need to enter while others do not.

> I have seen there are tools such as PoisonTap which can exploit browser sessions on a locked machine. Can these tools be enhanced to exploit saved web credentials in a browser?

If the password is filled in automatically (i.e. without asking the user) it might be possible. How exactly depends on the site, but with HTTP sites tools like PoisonTap might help. In this case it does not matter much if the system is locked or not as long as the traffic can be intercepted and modified. When HTTPS is used it might be possible to do the same if there is an XSS exploit for the site.

> Generally, how safe is it to save online credentials in a browser?

It depends on the quality and behavior of the password managers and also on what the alternative would be. If the alternative is to use the same password for all sites because you cannot remember another one, then most password managers probably provide better security.

See also the paper Password Managers: Attacks and Defenses for deeper information.

Steffen Ullrich