Web browsers want to make your life easier, which is why they all offer to store web site userids and passwords. But if you thought this was a safe way to store passwords, you’d be wrong. Still, some browsers handle this better than others.
Lock Your Computer
First of all, regardless of which web browser you use, if a person has access to your computer while you are logged in, and you allow your browser to store passwords, you should assume that the person now knows all your web site passwords. Simple techniques can be used to trick any web browser into displaying otherwise obfuscated (e.g. ‘*****’) passwords as plain text. This is yet another reason – as if you needed one – to always lock your computer when you walk away from it. Most operating systems have a setting that locks your computer for you after a period of inactivity. This is the only way to be at all secure; access to your logged-in computer potentially gives intruders access not only to your passwords, but also to all of your documents.
Password saving features in web browsers
Given the above, does it even make sense to worry about how your web browser handles saved passwords? There are arguments for both points of view. From my perspective, security should be layered: getting past one security hurdle shouldn’t open up everything. So if you allow your browser to save passwords, you should consider using the browser’s settings to secure those passwords. The four browsers I use handle passwords with varying degrees of security:
- Firefox: Prompts to store passwords. By default, shows your saved passwords to anyone who looks in the settings. You can set up a master password to control access to the stored passwords; you will be prompted for the master password once per session, and when you try to show your passwords.
- Opera: Prompts to store passwords. Doesn’t show passwords anywhere. You can set up a master password to control access to the stored passwords, which you will be prompted for once per session and at set intervals.
- Internet Explorer: Prompts to store passwords. Doesn’t show passwords anywhere. No master password.
- Google Chrome: Prompts to store passwords. Shows passwords to anyone who looks in the settings. No master password.
Google Chrome stands out in this list, since it both shows your passwords, and has no master password feature. Elliot Kember recently wrote about this, describing Chrome’s password handling as ‘insane’. I’m not sure I would go that far, but Chrome clearly needs a master password feature.
I’d like to see all web browsers show a prominent warning to any user who uses a password saving feature: “WARNING: saved passwords can be retrieved extremely/relatively easily. Always lock your computer when you leave it unattended.”
Update 2013Aug11: Here’s Google’s response.
Update 2013Aug25: Tim Berners-Lee (the person who invented the World Wide Web) weighs in. tl;dr – he agrees that Chrome should at least have a master password.