General discussion

Am I being stupid for saving my Web site log-in credentials in my browsers?


I've been wondering about this for a while but haven't asked before.
For some Web sites like banks, online e-mail, and shopping sites that
I use frequently, my log-in and passwords are saved in the browser. It
saves me time and frustration, but is it risky? I have log-in names
and passwords saved in Firefox and on Internet Explorer, but only on
my computer at home. Some of these sites have my home address and
credit card information on them. Am I being careless and stupid by
using this feature in browsers? Are there other things I should do to
stay safe if I use this feature? Is this sensitive information easy
for others to retrieve, maybe in my history or cookies? If it's
unsafe, why would these Web browsers prompt people to save these
credentials for you anyway? Thanks for sharing any insight you may
have to my questions.

- Submitted by: Sarah C. of Atlanta, GA
- Collapse -
Not exactly stupid, but you could do better

If you want to continue saving passwords and form fill info in Firefox, then at least protect them with a master password (under the security tab in the options menu). As for IE, I suspect most folk will tell you to avoid saving anything sensitive in that one.

My best advice to you would be to use LastPass and stop saving anything in any browser (other password/form fill managers are available) -

- Collapse -
For sure!!..

I can't speak for the latest version of Internet Explorer, but I found out that, at least for IE6 and maybe 7, form filling information was stored on the hard drive unencrypted!!!! The bad guys can get your credit cards, social security numbers, and other sensitive information like phone numbers, in about 5 seconds using special scanning malware to collect this and send it to their servers for future ID theft and other malicious activities.

I can't speak for modern developments for IE, Chrome, or Firefox, but I'd just as soon use LastPass and Keyscrambler to thwart the problems with this ID theft threat. I just keep reading too much about browser compromise, and even if the information is in a lock box, are they using the latest encryption? I don't remember; so I'd sooner stick with a reliable solution as depend on MS or open source to protect that information.

If you are really wondering about it, do a trial on ID Finder to see if anything you may have entered in the keyboard is still resident in the hard drive. Remember, it isn't only the browser that can store sensitive information. Word, PDF, or stored Outlook email anyone???

Check the user reviews here on CNET about Identity Finder and any new competitors that may have come on the scene! If you are worried about the browsers saving this information, just quit using that feature, and run CCleaner's form filling information check box and other best practices, and you will probably not have anything to worry about; unless you have a long forgotten document with this information still somewhere in the hard drive!!

- Collapse -
It Doesn't Matter

If someone does a burglary and steals the computer, they can just plug it in and they have access to everything. Not everyone has a login screen with a password. Even if they did, there are tons of password killer programs out on the internet (including that will break that security. I can get into anyone's PC with one of these in about 5 minutes.

- Collapse -
Encryption level....

LastPass has an encryption that is still valid, according to an article I read on either Tech Republic or ZDNet, the sister sites to CNET. The only thing I'd worry about is brute forcing my password to the console; but I have an exceedingly strong password on it, so I'd estimate it would take them 1000 years to crack it. Chip speed is ever increasing, so you never know - maybe tomorrow it will only take 500 years to crack it - HA!

LastPass would report the attempts to breach it to my alternate email address, and it would give away the ISP and IP address they were using too - That would be a big mistake on their part to even attempt using the plugin.

- Collapse -
Last Pass

I agree with the Last Pass suggestion. I have been using it for some time now. I also added the Key Scrambler Personal program from QFX software. It encrypts your keystrokes while you type.

- Collapse -
Just a question

Hi Last Pass or anyone who wants to answer:

I admit, I have "Save Information" for every site I visit, simply because SO many sites require different passwords and I can't possibly remember them all! Some sites allow you to have a simple password such as "Florida". Others require a number, such as 1Florida. Then, there's the bothersome ones that actually COUNT the amount of digits and require multiple ups/downs/symbols and numbers, such as #1933FloRiDa.

They are a PAIN IN THE ****!!!!! I just clicked onto your link (thank you!) and see that there is a FREE! version of QFX software. Is that good enough? And, before I download it, will it erase all of my log in information?

This is a great question and wonderful answers. I've learned a lot of solid information.

- Collapse -
(NT) Security is Supposed to be a Pain
- Collapse -
To your question about log in information...

LastPass will not mess with whatever you were using before installing LastPass. This tool keeps all information you enter with the plug-in encrypted on your drive and in the cloud. So as long as you have a secure password to the LastPass console, it is highly unlikely they can get to your information.

However - I would run CCleaner to get rid of all passwords used under any browser based system that may have been used in the past. I still read articles about compromise of the weak encryption that is used in the big three browsers, these may be old information, but I still prefer LastPass to any built in manager. For one thing, if you have a disaster, all your hundreds of passwords are still in the cloud and immediately available after recovery and re-installation of the plug-in.

Plus you can access it anywhere on anyone's computer by simply loading the plug-in. I wouldn't recommend that without Keyscrambler or other good anti-keylogger, but I think I made my point.

- Collapse -
I wouldn't do it.

I like to keep as little information about myself on the internet. I know it's tempting when they say "save this information for easier sign-in", but I never do. There's just too many ways for thieves to get your information. I'd be particularly cautious about storing this information in your browser for your bank and credit cards. There are better ways to do this. I'm not familiar with all the security measures off site of my computer. And actually I probably wouldn't even use that fearing the site could some day be hacked. I have my own secret file. Not telling.

Mrs. Parslow

- Collapse -
Log in Credentials in Browser

Most of the newer browsers don't allow you to put your user ID and password for financial services such as CUs or Banks. I also do not have that Information saved for my brokerage. However you can save passwords and user IDs for non financial institutions. That way you can log on to Facebook and other sites you go to frequently so you don't have to remember all those passwords. I also do not save my VISA account number on the computer. I enter that kind of information manually each time I need it. It is pretty easy to maintain user id and password for a few sites like that and have the computer remember the non financial sites. I have Firefox 16, and it does not save passwords for financial sites. Not sure exactly how that is accomplished, but seems to work. I have an Excel spread sheet next to my computer that has the user name and password for all of my sites so I don't have to worry about remembering them. If you have Excel, it makes it easy to keep track of those things. Just remember to keep the list updated, and then you won't be stumped when asked for a password. I have the following listings,

Web Site | User Name | Password

The Web site is the name of the company you are going to log on. Save the links to the web site in your Bookmarks and that way it is easy to actually connect to the site, and then if it automatically logs on, you just use the site normally. If it is a financial site, just get the log on information from your Excel Spreadsheet.

- Collapse -
The reason your financial site passwords are not

saved is probably because these are two-stage log-in sites. The browser password manager only works on the initial log-in screen, leaving you to enter the second stage details.

- Collapse -
No MS Office with Excel?

Just for this purpose Calc in Apache OpenOffice could do the trick. Best of all it's FREE!

- Collapse -
You are keeping the Passwords Encrypted?

If someone steals your computer, will they have open access to your passwords?

- Collapse -
Not if...

Not if the resulting list of passwords is printed off and the 'document' containing them was never saved or if it has been "shredded" with the Gutmann Method.

The printed off document should be stored in a completely separate place from the computer area and/or any documents (including credit/debit/bank cards). Use it - Stow it!

For protection from prying eyes should the document be found, the document should NOT be written in plain language (e.g.: or XYZ Bill) Hints that only you can understand should be given. As in "MY Bank" or "Utility #" where you assign each of your utilities a number. That way, while the password shows, the precise account is not.

IF one decides to store the document on a thumb drive - I, personally, think this is a BAD idea - then that document should be encrypted and the whole thumb drive should be encrypted and be password protected and be stowed just like the paper document described above.

I suppose I should have made this apparent.

- Collapse -
Yeah but..

We could all write down userid and password and leave it somewhere. But that is NOT the convenience the OP is looking for. You are correct that you can put it in a spreadsheet and print it without saving to disk. But then, where is the convenience of not having to type them in each time you login? Password managers make it so you just click and the userid and password is entered. They can handle when the website has the userid and the password on separate pages. Just a bit more difficult to set up. I just didn't want to give the OP the idea that putting the passwords in an unencrypted file named "My Passwords.xls" would be a good idea. There is always a risk to doing everything and only the individual can decide if the risk is worth the convenience. That is, we are talking about the typical battle between security and convenience. Security usually is not 'convenient'.

Part of this is that the way the OP is asking the question in the first place is that she must already have had some idea it wasn't safe. And I don't think a lot of people ask the question as to what happens if your house is burglarized (there was an attempt here at my house a few years back) and the PC is gone or you lose a laptop. Where I work, a lost laptop is a VERY big deal. The police, sheriff, FBI and department of homeland security get called on even a lost jump drive and most of the employees don't understand that. Even if we ARE the government.

- Collapse -
Don't use an Excel spreadsheet.

An Excel spreadsheet is not secure, even if you password protect it. Use a program like LastPass or RoboForm. They will save all the log in information with strong security and when you want to log into a site, you can just click a button on the LastPass (or RoboForm) toolbar in your browser and they will direct the browser to the site and log you in automatically (in most cases). Some sites--especially financial sites--make it difficult to do a one click login, but it is still easy to do. I know there are other password programs out there, these are the two I am familiar with and two of the most secure ones around.

Ron, it sounds like you have a print out by your computer. That is even less secure.

- Collapse -
I still save passwords

I have never heard of this. All browsers offer to save passwords because the idiot banks have the feature built into their website to allow people to save their login details.

I never store bank passwords but I do for other non financial accounts, I haven't had a problem yet. If I am on a public computer I always clear the cache before finishing.

- Collapse -
Not Yet?

Well, you might not do this for banking sites but, eventually someone will break in and steal your computer or an invited guest might use your computer. If you get automatically logged in to web sites, so will someone else who logs in as you. And, how do you know that you never had a problem? How would you know?

- Collapse -
I use a Vault in the cloud

My internet firewall/antivirus vendor has an online Vault service. I need a username and password to sign on to my vendor's account and a second password to access ALL my credentials AND form filling information. I can share this information on ALL my home PCs - I have 3.

If your information is securely stored with a strong password, you should have less trouble.

But you can NEVER be too careful - please read this article: "Mat Honan hacked" How Apple and Amazon Security Flaws Led to My Epic Hacking...

- Collapse -

I also use Norton 360 and the vault, across my desktop, laptop and iPad3.

- Collapse -
The Short Answer is "Yes"

But, by the way you asked that, you probably already knew that. Unless your computer is physically secure, in a room with multiple locks and no windows and there is always someone there carrying a firearm, I think you can imagine what will happen if someone broke into your home and stole your computer. I'm assuming that when you power up the machine, there is no login request for a user and password either.

It all boils down to how safe you really think you are and what you can afford to lose. Banks generally have some guarantee with their online service that, if you report a security issue right away, they will replace the money you have lost after an investigation. Credit Cards also have some limits as to what you can lose. The big issue would be Identity Theft. If you have enough information on your PC that someone can start opening bank accounts and get credit cards using your name, your social security number, your address and your telephone number, it could take a couple of years out of your life trying to piece your identity back together; not to mention your credit rating.

I've suggested this before. Either you or one of your friends should use your computer to see what damage can be done by getting into your account. At one point, I found that they could only move money from one account to another. But then there is bill pay and money transfers (on my bank, even to a foreign country). While the bank may send you an email to confirm, if your computer is gone and you have no easy way to check your email, whoever steals your computer can do a LOT if they can also access your email account.

There is always a teeter-totter effect with security on one side and ease-of-use/convenience on the other side. However, you really should NOT think of this as a "balancing act". You need to push down really hard on the security side of things as suddenly, your life will become VERY inconvenient if someone gets a hold of the information and cleans out your accounts and steals your identity.

What should you do? There are various password vaults out there. How good are they? How crackable are they? The answer varies. But think about this. If I were going to steal a car from the parking lot and all the cars were locked and alarmed except for one really nice one, guess which one I'd pick? Yes, the bait car! hehe

Really. Why would you need to ask this question if it doesn't take rocket science to figure out what would happen if someone broke into your home and stole your PC? Or if it was a laptop and you left it in a store or your iPhone in a cab. And you had all of the passwords right there..

So, if you think having your passwords right there and it will save you time, just remember. If the "unthinkable" happens you will be doing time. About 2 years of your life trying to straighten out the mess and get your identity back. Money would be the least of your worries.


- Collapse -
Safe ID and Passwords

Might not be too dangerous since even though they are in your browser they are still on your computer, so are at risk only when you are connected to the internet. (If DSL or Cable Modem is always connected)
Myself, I have all my ID and passwords on Word docs on a locked hard drive on my computer. So the drive is only accessible by me as user also Administrator and the doc is locked assigned to me only.

I do not trust anything on the web. When I travel I copy the info I need to a thumb drive and guard it as I do my wallet.

- Collapse -

Hi Sarah

This is probably my shortest response to a question posed in this forum to date as the regular members will most likely attest. The fact that you are asking your question indicates that you probably already know the answer but are looking for validation to support your suspicions. The short and only answer in my opinion (and I stress my opinion) is...DON'T DO IT AND YES...IT'S RISKY.

However, your question is twofold: There is a difference between allowing a browser (i.e. Internet Explorer, Firefox, Google Chrome, Safari or Opera) to REMEMBER information versus STORING information on a secure website such as one used for online banking.

Put simply ALL browsers are vulnerable to attack by hackers and/or malicious script. The majority of attacks that end users are made aware of on a most frequent basis are those targeted at security holes in an OS and/or web browser.

Secure sites (on the other hand) for online banking or similar activity by and large are compromised via an all-out attack against specific security measures implemented by the hosting institution. Such an attack will have multiple victims. Typically if yours is the only personal information (be it financial or otherwise) compromised on a secure site it's probably due to a key logging episode or malware that was downloaded and installed on your computer to monitor your computing habits.

Nothing in the cyber-world is 100% safe. However, use of internet security suites and other practical measures can minimize the risk. In your case I would recommend following the instructions in the following link to clear your browser(s) of any personal information and passwords:

If you have a lot of different passwords you might consider RoboForm or one of the other suggestions by forum members to make it easier to log into password protected sites. Also consider changing your password(s) every 6 months to a year. Never store User ID's and Passwords on your computer.

Cleaning your browser's cookies and history every so often is a good idea. You can set the cleaning to occur automatically at regular intervals or as soon as you exit the browser. Check the "Help" for your particular browser (or Google it) to learn how. Most browsers have a "Tools" link to click that will allow you to set the parameters.

This post could get very lengthy but I'll cut it short by suggesting you review the next link in addition to what I have written:

The following links are articles about browsers and their vulnerability. Some have good information and others I have included just to give you an indication of the amount of information being shared about browsers as to how safe they are. Additionally, some articles are dated but are still relevant:

Sarah, I hope the information I've provided is helpful....and don't forget to....SMILE. I just couldn't resist closing without tagging..."Hall and Oates"

Together Everyone Achieves More

- Collapse -
Easy answer

That's probably more about penguins than the questioner wanted to know. Easy answer--just use a password manager.

- Collapse -
Not a good idea to store any password in a browser.

Hi Sarah:

I just want to add my two cents on this subject. I have Roboform on my computer. I have been renewing it for years. By far, this is the best password protector of all I have encountered. The reason being is that all your passwords are encrypted. So then, even if you let the password generator which is part of Roboform do the selection, it seems that it is encrypted anyway. Once you have an account you always have to sign in before you use Roboform. The best part is that Roboform remembers every password where you don't have to. It is the best and safest password protector ever. Roboform lets you use the program for a trial run and if you like it, which you will, then you can pay a yearly fee. If you decide not to get the professional or full version, they let you store up to 10 passwords for free. Their link is Read their info and view their videos to get info. I hope that this helps.



- Collapse -
Stupid? That's questionable. Naive? Probably.

Asking this question? SMART!

I, personally, do NOT keep anything of a personal nature in digital form ANYWHERE that I do not absolutely HAVE to. I feel that this is the safest route. I don't do ANY bu$ine$$ on line. No bill paying, banking, buying, etc. I won't even fill out my SS # on digital forms on line. I have a shredding tool on my computer that I use to shred any of the very few documents [with its maximum number of passes] that I have to save on my computer for any time at all. Say I have to print something out. I do so and then shred the digital copy of it after changing its name to a single numerical digit.

Call me paranoid, but, like someone else alluded to, "An ounce of prevention is worth a ton of cure." In the case of computer safety, the more secure you keep things the harder it is to do. That's it in a nutshell. So, unless you're willing to suffer through any consequences that come to pass it's best to put in the extra effort now by choice rather than later by no choice.

I hope this helps. Good Luck!

- Collapse -
Keeping Passwords etc. in Browsers.

Of course it is unsafe, any adept Computer user who can get into your computer, either by Hacking, or you letting them use it, therefore has all this information at their fingertips.

- Collapse -
Not for banks

Or other things that hold sensitive information, for that matter. If your computer gets hacked into, and you've saved all your passwords for your bank, then they will have easy access to your bank account and can start taking money out of it right away. You may have antivirus software, but antivirus software does not detect every virus in the world.
Use a bit of software like LastPass, which has all your passwords saved on it and to access them you only need to remember 1 master password. The downside of this is that if your computer got hacked, the hackers would only have to crack 1 password to have access to all your passwords. You'd just have to make it a really really strong password that would take years to crack. Use uppercase letters, lowercase letters, numbers and symbols.

Here are some very relevant links that would help you with making a secure password:
- Advice on creating a secure password
- Random password generator. As these passwords are extremely long you would HAVE to use LastPass with them
- Password tester. Type your password in here and it will say how long it will take to crack.

- Collapse -
online security

Like most of these posts it is a good practice to not store fast-ease of use name and password login information.

Many financial institutions also encourage their members to use a program called Trusteer Rapport. This program has many features such as keylogging block and page information block just to name a few.

Here's the link for more info:

I consider it an extra measure of online security as it serves as a firewall behind a firewall. Some may get past a security fence (firewall) and if they do then there's Trusteer right there to shut them Down-Out with a steel reinforced brick wall so to speak. Hope this helps.

and a ^5 to Lee Koo for always keeping us members and the public more knowledgeable and better prepared.

- Collapse -
Not stupid, but LastPass is a better solution

I agree with the LastPass solution. I use the free edition on my desktops/laptops, and I coughed up the $12 for my tablet and phone. I use Chrome, Firefox, Waterfox, IE (three versions), Opera, Dolphin and the native Android browser (oddly named "Browser") in my work, and loading my passwords on all of them would be a horrendous task. I don't have my banking information in LastPass or anywhere else, though. I keep that information memorized. That means I only have two IDs and passwords to remember -- LastPass and my bank. Hey, maybe I'm old, but I can still remember two things!
