Passwords. They are the bane of so many users’ existence. Yet, they’re one of the only ways we have to secure our accounts, and those accounts are frequently compromised. IT pros always harp on users to create secure passwords–to the tune of creating password profiles that demand specific requirements.
And yet, no matter how hard we try to lock down those accounts, they are still vulnerable.
SEE: Information security policy template download (TechRepublic Premium)
First off, even after being constantly warned, users still insist on passwords like 12345 or password. Even when those users employ incredibly complex passwords, there is still a roadblock in the way of enjoying a truly safe networking experience. Said roadblock is when a web browser is allowed to store passwords.
Sure, it’s convenient. After all, who wants to type a password every single time it’s requested? When you make use of a large number of online services, typing a password each time you use said service can disrupt your productivity. And when those passwords are incredibly complex, such that you must use a password manager, efficiency goes out the window.
And yet, even at the expense of productivity, there’s a very good reason why you should never allow a web browser to remember your passwords. That reason is how easy it is to view passwords in modern web browsers. On Linux (which is my platform of choice), Chrome will allow users to view saved logins, even without requiring a user password (unlike on Windows and macOS, where a user password is required). Firefox, on the other hand, gives instant access to those passwords, without authentication, regardless of platform (unless a master password is set). Like Chrome, Safari at least hides passwords behind a user’s password. The difference between Firefox and Safari is the password isn’t optional in Apple’s browser.
Password or not, those saved logins are there, for anyone to view.
SEE: Phishing attacks: A guide for IT pros (TechRepublic download)
How easy can you view saved passwords?
Update: If you’re using either the Windows 10 or macOS platforms, you will be prompted for a user password in order to access saved passwords in Chrome. Linux, on the other hand, gives the user instant access, without prompting for authentication. However, there are plenty of tools available (such as iSumsoft Windows Password Refixer), which make it possible for a user to reset a Windows password and get around this hurdle. Firefox will give you access to those passwords without authentication, regardless of platform.
However, even on the Windows and macOS operating systems, there are ways around the password prompt. For example, using the Inspect Element window of a browser, you can edit the code of a page in such a way that it will un-hash a user password. To do this:
- Right-click the password field on a website.
- Select Inspect Element.
- Double-click on type=”password”, and replace password with text.
- Hit Enter, and close the Element Inspector.
- The password will be un-hashed, revealed for all.
The above steps work, regardless of browser or platform.
Let me demonstrate another way to view saved passwords on the three browsers mentioned. Remember, this only works on passwords that are stored by the browser. First, we’ll look at Chrome. To view saved passwords in Chrome, do the following:
- Open Chrome.
- Click the Menu button, and select Settings.
- Scroll to Autofill, and click Passwords.
- Locate the password you want to view, and click the “eye” icon (Figure A).
- On the Linux operating system, you will not be prompted for a user password. On macOS and Windows, you will be required to authenticate the user before passwords will be listed.
- Enjoy that password.
To do the same trick in Firefox, do the following:
- Open Firefox.
- Open the Menu, and select Preferences.
- Click Privacy & Security (from the left pane).
- Scroll to Logins & Passwords.
- Click Saved Logins.
- Click Show Passwords (Figure B).
- Enjoy your passwords.
The only caveat to the steps in Firefox is if a Master Password is in use. Should that be the case, you’ll be prompted for that password after clicking Show Passwords. Without the Master Password, you cannot view stored credentials.
Now, let’s examine Safari. Here are the steps for viewing passwords in Apple’s browser.
- Open Safari.
- Click the Safari menu in the top bar, and select Preferences.
- Click the Passwords tab.
- When prompted, either type your password or use the fingerprint sensor (if available).
- Click on the website you want to view (Figure C).
- Enjoy that password.
Clearly, Safari has the edge here, only because it requires the use of a password to view stored credentials. If Firefox-stored credentials are locked by a Master Password, it puts the Mozilla browser on similar ground. As far as Chrome is concerned, your saved passwords are there for all to see, unfettered and unprotected.
What to do?
The answer to this question is simple. Don’t allow your browser to save your passwords. None of them. Not one. If you do, those passwords are vulnerable. All someone has to do is have access to your computer (remote or physical) and, unless you use Safari or the Master Password feature in Firefox, those passwords are available for anyone to see.
If you absolutely must have your browser store your passwords, and you’re not using macOS, make sure to use Firefox and enable the Master Password feature. Use Chrome at the peril of your passwords.
In place of having your web browser store your passwords, make use of a password manager. By doing so, the likelihood of someone viewing your passwords is considerably lower. It’s not perfect, but it’s far better than handing over the security of your passwords to a web browser.
The adage, “Better safe, than sorry,” most certainly applies.
Subscribe to the Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays