Pagoda Blog


Is It Safe to Store Passwords in Chrome or Other Browsers?

June 25, 2018

To keep all your online information secure, you should have a unique password for every account, but who can remember that many phrases or random combinations of letters, numbers, and special characters? No one, which is why people either reuse the same two passwords (increasing the odds of getting hacked) or they use their browser or a stand-alone password manager. Of these two options, your browser may be the most convenient, but is it safe to store passwords in Chrome or other browsers like Firefox and Safari?

 

We dive into the pros and cons of browser password managers and how to choose the right password manager option for your needs.    

 

Are browser password managers secure?

 

When you sign in to an account or create a new username and password, your browser asks, “Would you like us to save your password?” While this is an enticing option for convenience's sake, it might not be your safest option. For an article in Wired about password manager security, Evan Johnson at Cloudflare cautions against using Chrome or any other browser to save your passwords:

 

“The cryptography details and implementation details should at least be documented somewhere, but they’re not,” says Johnson. “Chrome says ‘Your passwords are always encrypted,’ but this doesn't say a whole lot.”   

 

Even though Chrome recently took steps to improve the security of their password manager feature, it’s still secondary to a browser’s core function. And this should have you worried. When your password manager’s primary goal is convenience, the level of security takes a hit. That said, using your browser to store passwords is still more secure than only using one or two passwords across your accounts. Fortunately, there are other options.  

 

Why you should use a stand-alone password manager

 

Browsers like Chrome, Opera, Firefox, and Safari offer the convenience factor, but they fall short in the password generation department. Browsers don’t require you to create a strong master password to protect all your other stored passwords--a major oversight that puts your information at risk. Stand-alone password managers that function separately from your browser, like LastPass, 1Password, or Dashlane, require you to first set up a master password that you will remember but that no one else can easily crack.

 

Pro-tip: To avoid getting hacked, use your master password only for your password manager and nowhere else.

 


 

Once you’ve created a strong master password, you can also use the manager to generate passwords that offer maximum security (random combinations of letters, numbers, and special characters) across all your accounts.

 

 

Tips for increasing the security of your password manager

 

Using a stand-alone password manager is a good start, but there are certain convenience features that are best avoided for maximum security. The main feature to be wary of is the autofill function.

 

Forgo the autofill 

Autofill means that the password manager automatically fills in your username and password for frequently used sites. While fast and convenient, this option also makes your information more readily accessible to third parties looking to harvest your data for advertising and more malicious purposes.

 

For example, there’s the possibility that an experienced hacker could impersonate a credible website, like MailChimp, where you store both payment information and individuals’ email addresses, full names, where they live ... You get the picture. If you use the autofill feature, the fake MailChimp site could trick your password manager into providing it with your user credentials, allowing the attacker to access everyone’s information.
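
The check a password manager needs in order to resist the fake-site scenario above, shown as an added example (not code from this post or from any password manager): a saved login is offered only on an exact HTTPS origin match, and the user confirms rather than having fields filled silently. The vault entry, the URLs and the function names are constructed for illustration.

```javascript
// Constructed sample vault: each login is bound to the origin where it was saved.
const VAULT = [
  { origin: 'https://login.mailchimp.com', username: 'owner@example.com' },
];

// Reduce a URL to scheme + host + port; null when it cannot be parsed.
function originOf(pageUrl) {
  try {
    return new URL(pageUrl).origin;
  } catch {
    return null;
  }
}

// Simplified "site name" of a host: the label left of the TLD
// (login.mailchimp.com -> mailchimp). Real products use the Public Suffix List.
function siteLabel(hostname) {
  const parts = hostname.split('.');
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0];
}

// Decide what to do on the page the user is visiting.
//   offer  - exact origin match; show the login and let the user confirm
//   warn   - host merely contains a saved site's name (possible impersonation)
//   refuse - anything else, including plain HTTP and unparseable URLs
function autofillDecision(pageUrl, vault = VAULT) {
  const origin = originOf(pageUrl);
  if (origin === null) return { action: 'refuse', reason: 'unparseable URL' };
  if (!origin.startsWith('https://')) return { action: 'refuse', reason: 'not HTTPS' };

  const entry = vault.find((e) => e.origin === origin);
  if (entry) return { action: 'offer', username: entry.username };

  // No exact match: never fill, and flag hosts that embed a saved site's name.
  const host = new URL(origin).hostname;
  const imitated = vault.find((e) =>
    host.includes(siteLabel(new URL(e.origin).hostname)));
  if (imitated) {
    return { action: 'warn', reason: `host resembles ${imitated.origin}` };
  }
  return { action: 'refuse', reason: 'no saved login for this origin' };
}

// Constructed URLs: the real site, a host that embeds its name, a typo domain.
for (const url of ['https://login.mailchimp.com/',
  'https://login.mailchimp.com.example.net/', 'https://login.mailchirnp.example/']) {
  console.log(url, '->', autofillDecision(url).action);
}
```

The substring check only adds a warning; the protection comes from the exact origin comparison, which also refuses typo domains that the warning does not catch.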

 

To store or not to store your master password?

Password managers like Dashlane and 1Password have an extra security feature to protect your master password. These managers don’t store your master password which means no one can steal it, but if you forget it, you’ve lost access to all your other usernames and passwords. LastPass, however, does store your master password, giving you the option of a password reminder or reset should you forget it. (This is why memorable passphrases are so important.)

  

Two-factor authentication 

Last but not least, make sure to choose two-factor authentication when setting up your password manager. This requires two steps and two devices when you log in: your username and password and either a secure code that’s texted to your phone or a fingerprint. This second piece of information provides an extra layer of security for all your passwords inside the vault. Although it may take a little longer to log in this way, the small sacrifice in convenience is well worth the additional security.

 

Which stand-alone password manager should I use?

 

There are many options out there for stand-alone password managers and they’re not all created equal. Choose your manager based on these three factors in order of highest priority:

  • Security
  • Convenience
  • Cost

 

Here at Pagoda, we have chosen LastPass as our password manager of choice because it meets all three requirements. Wirecutter recently reviewed several stand-alone password managers and came to the same conclusion.

 

Security:

LastPass does store your master password but we like to know that should we ever forget it, we don’t have to start over entirely with all our accounts. They also provide an entire blog post on how to create a strong master password because they recognize that this is the most important step in creating your LastPass account. They use local encryption that keeps all your information secret from other users and from LastPass and offer two-factor authentication. We also like that LastPass auto-generates secure random passwords for every account we use, ensuring optimum security across our online activity.  

 

Convenience:

LastPass works with nearly any browser on any device and each time you create an account, you can use LastPass to automatically generate a random password and add it to your LastPass vault. You can also organize your passwords into folders so you can easily search for a specific account.

 

It’s important to note that you can also store other sensitive information, besides passwords, in any password manager. Think credit card numbers, contact information, passport numbers, prescriptions, receipts, and the login info for your wireless router.  

 


 

Cost:

All the features described above are offered in the free version of LastPass. The paid premium version is still only $24 per year and has additional features such as advanced security options, priority tech support, and additional storage.

 

Bottom line: Use a password manager separate from your browser 

The bottom line is that it’s more secure to use a stand-alone password manager rather than allowing Chrome, Safari, or another browser to store your information. For more password manager options, check out this article by PCMag that compares the best password managers of 2018.




 

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at support@pagoda-tech.com to schedule a complimentary IT consultation.

 



