Storing Passwords In Your Browser...It's Convenient, BUT Very Risky Too

Most of us know that password fatigue can lead to security mishaps and that creating a safe and secure entrance into our personal or work accounts can be a real challenge. Fortunately, security experts also know that safe password use has long been a problem, one that can lead to epic malware infections like ransomware, banking trojans, and more. Popular browsers like Chrome, Firefox, Safari, and Opera offer the option to store passwords for you, but hackers using the malware RedLine Stealer can hijack those stored passwords in a heartbeat.

Looking deeper into RedLine Stealer shows that the malware is capable of stealing more than passwords from browsers. Even though browsers encrypt what they store, RedLine can decrypt it. This info-stealing trojan takes more data such as usernames, credit cards, cookies, FTP credentials, and files if they also are stored in the browser. RedLine Stealer also downloads and runs other malware, takes screenshots of active Windows’ screens, and executes additional commands. In short, RedLine hijacks every bit of data stored in a browser.

Security experts note RedLine also sneaks past anti-virus solutions, making it nearly impossible to prevent infections. It doesn’t help that this malware is readily available on hacker websites like 2easy and others. Apparently, half the stolen data sold on 2easy is there thanks to Redline Stealer’s, well…stealing. Experts also saw evidence of spam campaigns using website contact forms and discussion forums and a host of other lures that download and install RedLine.

Adding to RedLine’s success is that it exploits a substantial security gap for password-storing browsers that is yet to be acknowledged and fixed. And since that day isn’t today, browser password storage remains a convenient but very risky road to take.

Rather than store your passwords in the browser, consider another solution to remember them. Writing them down with the old-fashioned pen and paper and storing them securely is one option. Another is using clues to trigger your memory. But if you want to use a password manager, use caution.

Password managers are an alternative to having a browser store them. They keep usernames, passwords and other guarded data like credit card info that is encrypted and in theory is safe. But most also have a master password that if stolen, gives up all the usernames and passwords they store. Think “keeping all your eggs in one basket.” Be sure to shop around, as password manager providers offer different services at differing prices. Use MFA (multi-factor authentication) to secure your password manager. Even if a hacker gets hold of the password, they won’t have the required MFA to abuse it.

Alternative methods to password managers are giving users a way to authenticate their identity without relying on passwords at all. They include using alternate options like a smartphone, hardware token, one-time passwords (OTP), or a biometric measure like a fingerprint.  Many mobile devices use this already. However, those are coming our way in the future for our laptops and desktops. For now, it’s best to find another option besides storing them in browsers.

Stickley on Security