Is It Safe to Store My Passwords in a Windows Browser ?


Viewing 14 posts - 1 through 14 (of 14 total)
  • #20966
UK Sentinel
    Moderator
    • Replies 7,877
    • The Skipper

Interesting thought I had regarding passwords and Windows Edge, Google Chrome and other browsers, and how safe your passwords are when stored / secured in these browsers?

Lots of different opinions on this, and I thought I would open it up for opinions etc.

‘Note, not a Mac discussion, as Safari keeps usernames and passwords secure by encrypting them in your macOS keychain’


    In a completely sane world, madness is the only freedom (J.G.Ballard).

    #21001
UK Sentinel
    Moderator
    • Replies 7,877
    • The Skipper

To examine browser security (password / credit card numbers) in more depth, I believe this could be broken into three general browser states.

    1. Windows machine not Powered On, Disk at rest
    2. Windows machine Powered On but not logged In
    3. Windows machine Powered On and user logged In and Using Internet

And password managers and their purpose.


    In a completely sane world, madness is the only freedom (J.G.Ballard).

    #21023
UK Sentinel
    Moderator
    • Replies 7,877
    • The Skipper

    Introduction:

    How Do Browsers Like Chrome, IE, and Safari Store Passwords?

All modern web browsers come with a built-in password manager that offers to store your login credentials, with varying degrees of security encryption. For instance, user passwords on Chrome are protected by AES encryption, and the encryption key is secured by a separate API, which is the Windows Data Protection API.

    The problem occurs when someone else obtains access to your system (either physically or remotely), thereby gaining access to your entire library of passwords across different websites. Your exposure footprint is massive due to the fact that all your credentials are stored in one place without enough protection.

Your device passwords are frequently the only protection mechanism separating an unauthorized user from getting your browser-stored passwords.

    Data types stored in the browser:

    • Credentials are username and password pairs for disparate sites (e.g., bank accounts, email services) that are stored for subsequent reuse.
    • Cookies are text strings that websites save to the local disk. Serving a memory function, they recognize online behavior and remember actions. Cookies track visits to any given website, such as what’s in your cart at an eCommerce site, or the retention of browser login information.
    • Session cookies track online activities. With them, users can be kept logged in to websites, or even to shop online – then close a session at any time with selected products remaining in their cart.
    • Persistent cookies implement user preferences (e.g., language, internal bookmarks), such that they’re recalled the next time a user visits a site. These cookies remain intact even after the browser has been closed. For example, they can remember login details and passwords such that users don’t need to re-enter them every time they visit a corresponding site. They make for a more convenient and faster online experience.
    • Third-party/tracking cookies collect various types of data, such as interests, location, age, and search trends. These data are then passed on or sold to marketers, thereby providing users with advertisements specific to their interests.
    • Certain credit card information is saved to help a user conclude a purchase with no need to physically access a card.
    • Autofill information stores alphanumeric characters a user enters in online forms to assist with filling similar fields in the future. Sometimes personal data such as a passport number is stored.
    • A browser cache speeds up display time and saves bandwidth. It holds temporary files (e.g., web pages, images) that are downloaded behind the scenes while web pages are being fully rendered. And should the user revisit a given site, it’s faster to pull those saved items from the cache rather than download them again.
    • Browsing history.
    • Websites visited – The browser stores a list of web addresses a user has visited along with titles and visitation time. It sometimes offers to restore the last tabs that were inadvertently closed, thereby shortening the time it takes to reopen them. This is also helpful if the user wants to later revisit a closed website, since they can usually find the link in their browser history.
    • Download history – The browser records all files that have been downloaded.
    • Searches history – Every search term a user has used is saved so they can easily reuse it.

Source: https://talon-sec.com/blog/how-stored-browser-data-presents-risk-and-how-to-secure-it-pt-1/

    In a completely sane world, madness is the only freedom (J.G.Ballard).
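The list above separates session cookies (kept in memory, gone when the browser closes) from persistent cookies (written to the browser's on-disk cookie store) and third-party tracking cookies. The Python below is an added example, not code from this post or from the Talon article it quotes: it parses Set-Cookie header values and classifies each cookie by those properties, using the RFC 6265 rule that a cookie is persistent only when it carries Expires or Max-Age. The headers, cookie names and values are constructed for the example, not captured from any real site.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed Set-Cookie headers for illustration; not captured from any real
# site. Names, values and the .ads.example domain are made up.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember_me=tok-9f8e; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure; HttpOnly",
    "lang=en-GB; Max-Age=31536000; Path=/; SameSite=Lax",
    "_adtrack=u-7781; Max-Age=63072000; Domain=.ads.example; Path=/; SameSite=None; Secure",
    "cartid=c-42; Path=/shop",
]


@dataclass
class CookieReport:
    name: str
    persistent: bool              # Expires/Max-Age present: survives browser close, stored on disk
    expires_at: Optional[datetime]
    secure: bool                  # only sent over HTTPS
    http_only: bool               # not readable by page JavaScript (document.cookie)
    same_site: str                # Lax, Strict, None, or "unset"
    cross_site_capable: bool      # SameSite=None: sent on cross-site requests (tracking pattern)


def parse_set_cookie(header: str, now: Optional[datetime] = None) -> CookieReport:
    """Parse one Set-Cookie header value and classify the cookie it creates."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    expires_at = None
    if "max-age" in attrs:
        # RFC 6265: Max-Age takes precedence over Expires when both are present.
        expires_at = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires_at = parsedate_to_datetime(attrs["expires"])

    same_site = attrs["samesite"].title() if "samesite" in attrs else "unset"
    return CookieReport(
        name=name.strip(),
        persistent=expires_at is not None,
        expires_at=expires_at,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=same_site,
        cross_site_capable=(same_site == "None"),
    )


def audit(headers):
    """Classify every header and return the reports plus a small summary."""
    reports = [parse_set_cookie(h) for h in headers]
    summary = {
        "session_only": sum(not r.persistent for r in reports),
        "persistent": sum(r.persistent for r in reports),
        "cross_site_capable": sum(r.cross_site_capable for r in reports),
        "missing_httponly": [r.name for r in reports if not r.http_only],
    }
    return reports, summary


if __name__ == "__main__":
    reports, summary = audit(SAMPLE_HEADERS)
    for r in reports:
        kind = "persistent (on disk)" if r.persistent else "session (memory only)"
        print(f"{r.name:12} {kind:22} secure={r.secure} httponly={r.http_only} samesite={r.same_site}")
    print(summary)
```

The summary's "missing_httponly" list is the practical output: a cookie without HttpOnly is readable by any script running in the page, including a malicious extension's content script, which is one of the ways the "remember me" convenience described above turns into exposure.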

    #21055
UK Sentinel
    Moderator
    • Replies 7,877
    • The Skipper

    Password Manager:

    Thought I would touch upon password managers a little as an important area for consideration.

    Password managers are a computer program that allows users to store, generate, and manage their passwords for local applications and online services.

Password managers assist in generating and retrieving complex passwords, storing such passwords in an encrypted database, or calculating them on demand.

    Types of password managers include:

1. locally installed software applications
    2. online services accessed through website portals
3. locally accessed hardware devices that serve as keys

    Depending on the type of password managers used and the functionality offered by its developers, the encrypted database is either stored locally on the user’s device or stored remotely through an online file-hosting service. Password managers typically require a user to generate and remember one “master” password to unlock and access any information stored in their databases. Many password manager applications offer additional capabilities that enhance both convenience and security such as storage of credit card and frequent flyer information and autofill functionality.

    Ref: https://en.wikipedia.org/wiki/Password_manager


    In a completely sane world, madness is the only freedom (J.G.Ballard).

    #21494
fatimarajpoot
    • Replies 3
    • New Here

    Web browsers are fairly easy to break into, and lots of malware, browser extensions and even honest software can extract sensitive information from them. Instead, you should save passwords in a stand-alone password manager, or even just write them down in a book.

    #21497
UK Sentinel
    Moderator
    • Replies 7,877
    • The Skipper

    I am slowly drawing to that conclusion also:

    Web Browser’s Password Manager Is Just Okay but….

    Your web browser’s password manager is better than nothing. With no additional software, your web browser can remember all your passwords and securely sync them between your devices. They can be stored encrypted in the cloud. You can use strong, hard-to-remember passwords because your software is automatically remembering them for you. This keeps your accounts secure, as you won’t need to re-use passwords.

Luckily, different browsers like Edge, Chrome and Safari do not share stored passwords, so some segregation is available: banking, finance and other sensitive online activities could be conducted with one browser, and then other activities, say shopping, can be done with a second-choice browser.

    What I am yet to find (need more time) is once a user is online and surfing the Internet via a browser, are the passwords still stored encrypted (hashed) until needed, as this could allow malware, browser extensions and even honest software to extract sensitive information more easily.

Update: Generally speaking, passwords are stored safely in a browser when the computer is not logged on; once the user has logged on, the passwords are in the clear (some controls are in place, such as keychains and Edge’s password manager), but in essence browsers are designed for convenience over security, and the many browser options such as Autofill can be exploited to reveal password credentials etc.


    In a completely sane world, madness is the only freedom (J.G.Ballard).

    #21955
UK Sentinel
    Moderator
    • Replies 7,877
    • The Skipper

This Password Has Appeared in a Data Leak: What does this mean?

“This password has appeared in a data leak, putting this account at high risk of compromise. You should change your password immediately”

    What Is a Data Leak? – A data leak is a security incident in which private information becomes available to unauthorized persons. People may steal, accidentally transfer, or willingly give it away. Leaked data can be in digital (electronic files) or physical (documents, letters, pictures, devices) form. However, data leaks are not the same thing as data breaches.

    What is a Data Breach? – A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage and data spill.

Simply put, a data leak is when sensitive data is unknowingly exposed to the public, and a data breach is an event caused by a cyberattack.

    Types of data leaks:

    • Intentional data leak
    • Accidental data leak
    • Outsider working to damage the company

    Types of Large Scale data breaches:

    • XSS attack. A cross-site scripting (XSS) attack is a remote code execution (RCE) flaw that may be caused by web applications that employ standard vulnerabilities such as XSS vulnerabilities.
    • SQL Injection attack.
    • MITM attack.
    • Ransomware attacks.

So even though you protect your own passwords and update your operating system and AV regularly, passwords are mainly leaked by systems which are outside of your control (my opinion).

    Hence the primary need to ensure and practice using unique passwords and change them regularly – this way a breached data system with one account will not impact an account you have on another system as you are using different passwords.

And welcome to Password Managers.


    In a completely sane world, madness is the only freedom (J.G.Ballard).
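The warning quoted at the top of this post does not itself say how a device can know that a password appeared in a leak without sending the password anywhere. One well-known design for that check is a k-anonymous hash-prefix lookup, the scheme used by the public Pwned Passwords range API: the client hashes the password with SHA-1, sends only the first five hex characters, receives every hash suffix in the corpus sharing that prefix, and does the match locally. The Python below is an added example (my own, not from this post or from any vendor) that simulates both sides of that exchange against a small constructed corpus; the leaked passwords and their counts are made up, and whether Apple's or any given browser's warning uses exactly this scheme is not stated in the thread, so the mechanism is illustrative.

```python
import hashlib

# Constructed stand-in for a breach corpus. A real service holds hundreds of
# millions of SHA-1 hashes; these passwords and counts are made up for the example.
_LEAKED = {"password": 9_545_824, "qwerty123": 1_234, "letmein!": 88}
_CORPUS_BY_HASH = {
    hashlib.sha1(pw.encode("utf-8")).hexdigest().upper(): count
    for pw, count in _LEAKED.items()
}


def server_range_lookup(prefix5: str) -> list:
    """Server side of a k-anonymous range query.

    The client sends only the first 5 hex characters of the SHA-1 (20 bits), and
    the server answers with every (suffix, count) pair whose hash starts with
    that prefix. It therefore never sees the full hash, let alone the password.
    """
    if len(prefix5) != 5 or any(c not in "0123456789ABCDEF" for c in prefix5):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return [(h[5:], n) for h, n in _CORPUS_BY_HASH.items() if h.startswith(prefix5)]


def leak_count(password: str) -> int:
    """Client side: how many times has this password appeared in the corpus?"""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Only `prefix` leaves the device; the suffix comparison happens locally.
    for candidate_suffix, count in server_range_lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def what_the_server_sees(password: str) -> str:
    """The only value transmitted for a given password: its 5-character hash prefix."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()[:5]


if __name__ == "__main__":
    for pw in ["password", "letmein!", "correct horse battery staple"]:
        n = leak_count(pw)
        verdict = f"seen {n:,} times: change it" if n else "not in corpus"
        print(f"{pw!r}: server saw prefix {what_the_server_sees(pw)} -> {verdict}")
```

The point of the design is visible in what_the_server_sees: a five-character prefix matches a large bucket of unrelated hashes, so the lookup service learns nothing usable about which password was checked, while the client still gets an exact answer. Against a real corpus the server-side function would be an HTTPS request to the range endpoint rather than a dictionary scan.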

    #22276
UK Sentinel
    Moderator
    • Replies 7,877
    • The Skipper

As https://en.wikipedia.org/wiki/Password_manager states…

A password manager is a computer program that allows users to store and manage their passwords for local applications and online services. In many cases, software used to manage passwords can also generate strong passwords and fill forms. A password manager can be delivered as one, or a mix, of: a computer application, mobile application, web browser extension, web-based service, or portable software for USB units.

    What are the benefits of using a password manager?

You don’t have to memorize all your passwords anymore. You only need to remember the master password that unlocks your password vault. And if you opt for a cloud-based password manager, you can access your password vault anywhere, from any device.

They can auto-generate highly secure passwords for you. Password managers will typically ask you if you’d like to use an auto-generated password whenever you create a new account with a website or application. These random passwords are long, alphanumeric, and essentially impossible to guess.

Password managers save time. Beyond just storing passwords for you, many password managers also auto-fill credentials for faster access to online accounts. In addition, some can store and auto-fill name, address, email, phone number, and credit card info. This can be a huge timesaver when shopping online, for example.

    For my example, I am going to focus on PC based password managers, of which there are two main types for the typical end user:

    1. Locally installed software
    2. Online password manager

    Locally installed software:

Desktop-based password managers store your passwords locally on your device, like your laptop, in an encrypted vault. You can’t access those passwords from any other device, and if you lose the device, then you lose all the passwords stored there. Locally-installed password managers are a great option for people who just don’t want their data stored on someone else’s network. Some locally-installed password managers strike a balance between privacy and convenience by allowing you to create multiple password vaults across your devices and sync them when you connect to the Internet.

    Online password manager:

Cloud-based password managers store your encrypted passwords on the service provider’s network. The service provider is directly responsible for the security of your passwords. The primary benefit of cloud-based password managers, 1Password and LastPass being good examples, is that you can access your password vault from any device as long as you have an Internet connection. Web-based password managers can come in different forms, most commonly as a browser extension, desktop app, or mobile app.

Note: A token-based password manager is a third option, but it is used more in the business sector.

Token-based password managers need to have a security token mechanism, wherein a locally-accessible hardware device, such as a smart card or secure USB flash device, is used to authenticate a user in lieu of or in addition to a traditional text-based password or other two-factor authentication system. The data stored in the token is usually encrypted to prevent probing and unauthorized reading of the data. Some token systems still require software loaded on the PC along with hardware (smart card reader) and drivers to properly read and decode the data.


    In a completely sane world, madness is the only freedom (J.G.Ballard).

    #22316
UK Sentinel
    Moderator
    • Replies 7,877
    • The Skipper

Currently trialing the free version of the NordPass Password Manager, and I have gone through around 40 passwords from various websites and changed them for more complex passwords using NordPass’s inbuilt tools.

NordPass also had a way of importing the current passwords stored in my Edge browser, and then I was able to clear the passwords from Edge, so Edge is then a blank slate and no auto-fill activities could be exploited.

    In a completely sane world, madness is the only freedom (J.G.Ballard).

    #22362
Grisu
    • Replies 971
    • Forum Addict

    Do you really trust in Password Managers?

    https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

    #22363
UK Sentinel
    Moderator
    • Replies 7,877
    • The Skipper

    Do you really trust in Password Managers?

Not good, that breach. I have tried to reduce my risk profile by not opting for a cloud-based solution, hence everything is local except the account I created to register etc.

    No easy one answer fits all situations.

I initially selected NordPass as it is free, has part British origin, avoids the Five Eyes and other Eyes Alliance agreements and has a zero logging policy, but yes, all my eggs are in a single basket.

Who Owns NordVPN? Can You Really Trust This VPN?

    In a completely sane world, madness is the only freedom (J.G.Ballard).

    #22366
kev2021
    • Replies 1,139
    • Forum Addict

Wasn’t NordVPN hacked a while back, and they kept it quiet until they admitted it?

I recall some YouTubers who used to promote it stopped promoting it.

    Kev

    #22367
UK Sentinel
    Moderator
    • Replies 7,877
    • The Skipper

    Back in 2018 the VPN side got compromised I think.

You always need a couple of good breaches before security is taken seriously.


    In a completely sane world, madness is the only freedom (J.G.Ballard).

    #22880
UK Sentinel
    Moderator
    • Replies 7,877
    • The Skipper

For reference, the NordPass Password Manager adds the following Chrome (browser) extension, which is nothing to worry about.

    extension://fooolghllnmhmmndgjiamiiodkpenpbb/injectedPasswordless.js


    In a completely sane world, madness is the only freedom (J.G.Ballard).
