NEVER use your browser’s built-in password manager again. Here’s why


I am often asked this question: should I use password manager software? The answer is simple…yes. But no matter how many times I give this advice, many ignore it and continue to use their browser’s built-in password manager. I understand this, because using the browser’s password manager is convenient and doesn’t require installing any other software.

Everyone seems to be very busy, and having to go the extra mile just to log into one of your many accounts can hamper your productivity. Nobody wants that.

But let me ask you another question: is this slight disruption to your workflow worth the peace of mind that password security gives you? If you answered yes, I suggest you download one of the many powerful password managers and start the transition. If you answered with a resounding no, I suggest you read on.

Widespread use of Chrome puts a target on the browser’s back

One of the big issues, when it comes to browsers and passwords, is that the vast majority of users opt for the Chrome browser. Among all the popular web browsers (Chrome, Firefox, Edge, Safari, Opera, Brave, and Vivaldi), Chrome is one of the least secure.

Part of the reason is that such widespread use puts a target on the browser’s back. But it is not the only reason. Google regularly issues warnings urging users to update Chrome due to one or more serious vulnerabilities. Given the propensity of users to overlook these updates, a large number of Chrome installations remain unsafe.

And then there’s the ubiquitous Chromebook. In 2022, nearly 30 million Chromebooks were shipped. I know many Chromebook users who use Chrome as their password manager. By doing so, when they log back in, they still have quick access to all their passwords.

What if someone is looking over your shoulder?

Let me show you something. I installed Chrome on my desktop computer. I don’t actually use Chrome, but I have it handy, in case I need to write about it. I don’t allow any of my browsers to save passwords.

I use a password manager instead. However, for the purposes of this article, I’ve added a text-based password entry in Chrome to illustrate how easily anyone could break into your desktop and steal your passwords.

Here’s how it works:

  1. Open Chrome.
  2. Go to Settings > Autofill > Password Manager.
  3. Locate the password you want to display.
  4. Click the eye icon.
  5. Display the password.

It should be noted that the above process depends on the operating system. On Linux, there is no password protection for Chrome’s password manager, so the above scenario applies. On macOS and Windows, the password manager behaves the same way as on ChromeOS: the first time you need to display an entry, the system asks you for your user password. After entering this password, you can view another entry without authentication for the next 60 seconds.

This means that if you enter your password to view an entry and leave the Settings tab open, someone else could (before the 60-second timeout expires) view a password without having to authenticate with your account. Of course, 60 seconds isn’t a lot, but it’s enough if you look up a password and immediately leave your desk.

These are very specific criteria for someone to steal a password. And you might find yourself in the same situation with a password manager. My password manager is set to automatically lock after five minutes of inactivity, but I work from home and it’s almost always just me and my wife home. On my mobile devices, this delay is set to Immediately. So as soon as I display a password and close the app, the vault locks.

Yes, it takes special circumstances for someone to steal these passwords, but it is possible.

Back to the desktop version of Chrome. Unlike Firefox, Google’s desktop browser doesn’t have a true master password feature. This feature (at least on Firefox) allows you to lock your passwords behind a master password (just like a password manager). Once you set the Firefox master password, passwords cannot be viewed or even used by the browser until you successfully authenticate. This feature can protect your saved passwords from prying eyes.

Web browsers are not the most secure software on your computer

Even better, it prevents someone from opening your web browser and logging into an account whose password you saved in the browser. Until the master password is entered, these passwords may as well not exist in your browser. Chrome does not have a similar function. Therefore, if you save your account passwords in Chrome, as long as someone can access your desktop, they can access those accounts.

Despite this, web browsers are simply not the most secure software on your computer. With them you transmit data (sometimes in clear text) and even your passwords are often synchronized with an external server. Can these passwords be intercepted during transmission? Of course. Can they be seen by this third party? Not easily.

But why take the risk, when you can adopt a password manager that alleviates many of the problems associated with entrusting your passwords to a less secure system? There are many password managers out there, most of which are free.

I’m not saying that all password managers are 100% secure. If your computer is connected to a network, nothing is 100% secure. Even if your computer is not connected to a network, it is still possible that it could be hacked. With technology, we understand that the question is not “if” but “when” an account will be compromised. This is why you should consider taking all possible measures to stay as safe as possible. To this end, follow this advice:

  • Use a secure browser like Firefox or Brave.
  • Never let your browser save your passwords.
  • Adopt a password manager.
  • Use two-factor authentication for each account as well as your password manager.
  • Always use randomly generated passwords from your password manager.
  • If your chosen browser has a primary password feature, use it.
  • Set up your password manager to automatically lock its vault immediately after use.
  • If you’re using a Chromebook, enable Linux and install a password manager.

By following the tips above, you’ll be much safer than if you just used Chrome, allowed it to save your passwords, and depended on its built-in password manager. Your passwords are the keys to many “realms” and you should treat them like valuable cargo. Take whatever steps you can to protect yourself, even if it means disrupting the workflow you’ve created.
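
On managed Linux desktops, two of the tips above (never let the browser save passwords, and use the primary password feature) can be enforced through each browser's policy files. The audit script below is an added example, not part of the original article; it assumes the default Linux policy locations and the Chrome `PasswordManagerEnabled` and Firefox `OfferToSaveLogins` / `PrimaryPassword` policies.

```python
import json
from pathlib import Path

# Assumed default Linux policy locations; pass other paths to audit copies.
CHROME_POLICY_DIR = Path("/etc/opt/chrome/policies/managed")
FIREFOX_POLICY_FILE = Path("/etc/firefox/policies/policies.json")

BAD_FILE = (OSError, ValueError, TypeError, AttributeError)


def load_chrome_policies(policy_dir):
    """Merge every *.json file found in Chrome's managed-policy directory."""
    merged = {}
    for path in sorted(Path(policy_dir).glob("*.json")):
        try:
            merged.update(json.loads(path.read_text()))
        except BAD_FILE:
            continue  # unreadable or malformed file: treat as absent
    return merged


def load_firefox_policies(policy_file):
    """Return the "policies" object from Firefox's policies.json, or {}."""
    try:
        return json.loads(Path(policy_file).read_text()).get("policies", {})
    except BAD_FILE:
        return {}


def audit(chrome_dir=CHROME_POLICY_DIR, firefox_file=FIREFOX_POLICY_FILE):
    """Return a list of findings; an empty list means no gaps were found."""
    findings = []
    chrome = load_chrome_policies(chrome_dir)
    # false stops Chrome from saving new passwords.
    if chrome.get("PasswordManagerEnabled") is not False:
        findings.append("chrome: PasswordManagerEnabled is not set to false")
    firefox = load_firefox_policies(firefox_file)
    # Accept either "never offer to save" or "primary password required".
    if (firefox.get("OfferToSaveLogins") is not False
            and firefox.get("PrimaryPassword") is not True):
        findings.append("firefox: logins can be saved without a primary password")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

A missing or malformed policy file is reported as a gap, because the browser then falls back to letting the user save passwords.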

Source: ZDNet.com




