May 22, 2022

Here is Why Storing Passwords In Your Browser Is a Dangerous Concept

Google Chrome's password manager.
Google

We regularly warn that browser-based password managers lack the security and features of devoted password software program. However nonetheless, they’re higher than nothing, proper? A brand new report from AhnLab ASEC proves the alternative—storing passwords in your browser leaves you extremely weak to hackers, even should you use distinctive passwords for every of your accounts.

Whereas investigating a latest knowledge breach, researchers at AhnLab ASEC discovered that hackers stole firm login data from a distant employee’s browser. The hackers used a typical malware called RedLine, which prices between $150 and $200, to retrieve this login data. Antivirus software program didn’t detect the malware, which was most likely distributed via a phishing e-mail.

An example of login credentials stored in a browser's login table.
A browser’s login desk, which shops credentials and login makes an attempt. ASEC

Browsers like Chrome and Edge have password administration instruments enabled by default, and so they hold observe of all login makes an attempt with pertinent data like date and time, the web site URL, and no matter username or password you used. RedLine can entry and interpret this knowledge, which hackers could use or promote to dangerous actors.

To keep away from this vulnerability, it’s essential utterly disable your browser’s built-in password administration instruments. Telling your browser to not bear in mind login knowledge for a sure website isn’t sufficient—your browser will nonetheless log the location’s URL, which hackers can use to try to brute-force their means into your account with out login credentials. (This knowledge is extra beneficial should you’re signing into a piece account, which can require logins via a VPN or firewall.)

We strongly counsel disabling your browser’s built-in password supervisor and utilizing devoted software program. There are a ton of nice free and paid choices on the market, and you may simply export your Chrome, Edge, or Firefox passwords to a devoted password supervisor.

Supply: AhnLab ASEC  by way of Bleeping Computer