Am I being stupid for saving my Web site log-in credentials in my browsers?

Sep 21, 2012 9:20AM PDT
Question:

Am I being stupid for saving my Web site log-in credentials in my browsers?


I've been wondering about this for a while but haven't asked before. For some Web sites like banks, online e-mail, and shopping sites that I use frequently, my log-in and passwords are saved in the browser. It saves me time and frustration, but is it risky? I have log-in names and passwords saved in Firefox and on Internet Explorer, but only on my computer at home. Some of these sites have my home address and credit card information on them. Am I being careless and stupid by using this feature in browsers? Are there other things I should do to stay safe if I use this feature? Is this sensitive information easy for others to retrieve, maybe in my history or cookies? If it's unsafe, why would these Web browsers prompt people to save these credentials for you anyway? Thanks for sharing any insight you may have to my questions.

- Submitted by: Sarah C. of Atlanta, GA

It's a definite... maybe.
Sep 22, 2012 3:56AM PDT

There are actually a couple factors to look at:

1) Does your computer go straight to a desktop when you turn it on, or do you have to enter a password?
a) Is that password something a little more complex than 'abc123'?
b) Is that password just written on a post-it stuck to your monitor?
c) Does your computer require you to RE log-in after you've walked away for a short period of time?

The less secure your computer itself is, then the more dangerous it is to use the browser to store your login credentials. That also has a bit of a caveat as well, as it also depends on what that particular website holds of your personal information. If it is a simple forum type site (such as this) or some other basic user based site with NO critical information about you, then using the browser to save the passwords isn't too bad of an option.

2) Do you use different and secure, non-post-it-noted passwords for your websites?

At a bare minimum I always recommend to my clients that they have 3 levels of passwords. The first "low-level" would be for sites where you are just a user, and the only purpose of logging in would be to keep track of your activity on that site. It has NO personal information (at least nothing too personal) about you and should someone gain access they wouldn't be able to do much more than post messages as you or maybe change some settings to possibly harm your reputation on that site (and possibly others).

This would be followed by a slightly more complex (definitely not just plain dictionary words) "mid-level" password that you would use for sites that do hold a bit more personal information, email accounts that are just used to communicate with family, various shopping or bill payment sites possibly (only if you DON'T have payment info stored on them however), and websites that meet criteria such as that.

Finally, your mack-daddy-no-one-would-guess-this-in-a-million-years password. This is the one you use on your banking sites, and bill pay or shopping sites (Amazon?) where you have a credit card saved to enable 1-click shopping (that's a whole other discussion there). This password you would NEVER share with anyone (unless they are directly responsible for your birth, or you are sleeping with them, and both of those parameters should also be deeply considered before handing over this password).

Taking it one step further, would be having passwords that are unique to each and every website, this could only apply to the highest level as well, a standard "low-level" password I don't think is too worrisome an idea as long as it is used on the appropriate sites. Keeping unique passwords isn't as difficult as some might think, you can have a base password that is used in all of them, and then "salt" it with some other information.

For example, maybe I like cars, and my favorite is a 1957 Chevy, I could make my base password 5chev7, or any variation from there. I would then take the website I am at (forums.cnet.com) and use the first and last letter of the domain name 'ForumS.CneT.CoM' to add 'FSCTCM' to my list. I could then take it one step further and shift all letters to the right by one (or up/down a row) so to the right, 'FSCTCM' would become 'GDVYV<' I would add that to my base so my password for this website might be 'GDVYV<5chev7' or '5chev7GDVYV<' or any other variation. You would be able to recall it easily by just remembering your method, and any hacker that did manage to get their hands on it wouldn't know how to "decode" it.

Or you could use a service such as LastPass as others have recommended. I do a bit of both, I have some basic passwords for most websites such as this one, (though they are still stored in LastPass) but my banking, and ANY website that has any financial or highly personal information, is given a randomly generated password by LastPass so even if one of those sites is compromised, no other high level sites will be.

Hope that helps give you an idea of where to go with it!

Greg Hicks
Tekamba Computers, LLC
Prescott Valley, AZ

Wow!
Sep 30, 2012 6:51AM PDT

You, Sir, are bloody brilliant!!!! I am changing all my $$$$ passwords immediately, using your system.

And, I really liked how you started this post! My computer DOES ask for a log on each time it hibernates and when it's opened so that at least helps.

Thanks so much for taking the time to write this spot on post.

Nice System
Sep 30, 2012 9:59AM PDT

Only problem is if the site has arbitrary rules like "at least one cap, at least one lower case, at least one special symbol", etc. that don't exactly fit your system. Just retrieving the rules you had to follow to create your password is often impossible, or a major pain (like attempting to create a new account). Or, if they make you periodically change it to something never used before.

But they really shouldn't be doing that unless it's critical, level 3 information. Doesn't mean they won't.

Stupid? No Careless? Yes.
Sep 22, 2012 2:25PM PDT

I don't care what anyone says, storing account log-in information and especially bank and credit card information in one's browser, even with a "master password", is dangerous and reckless in the extreme in light of the types of malware that are being used by hackers and unscrupulous businesses these days.

By storing such sensitive information on your computer, you are essentially holding up a banner to the world that says, "Here I am! PLEASE steal my identity and rob me blind! Oh, and Merry Christmas!"

It's never a good idea to have such information on one's computer, let alone stored by the browser--the very weak spot in the computer's security armor.

At the very least, you should ONLY store such information on removable media, such as a CD, flash drive, or external hard drive just for that purpose; and you should remove that media whenever you're not using it. The best case scenario if you have several passwords is to get a Rolodex, write the log-in information for each account on separate Rolodex cards, and keep the Rolodex locked away in a file cabinet or safe, away from prying eyes--and OFF the computer.

I keep all such info on a flash drive inside a keyring carrying case on my keyring. I use PGP (Pretty Good Privacy) to encrypt all information, so if my keyring should fall into sinister hands, the information on the drive will be useless to them.

It isn't that complicated to take good security precautions. It isn't as easy as letting the browser do your remembering for you, but it isn't hard; and it doesn't take long at all to retrieve the information from a file or a Rolodex card. We've become too much an instant society with too little patience that insists upon instant gratification. Seconds seem like hours, and hours seem like forever. I blame it on the first instant thing in our lives--instant coffee! Nevertheless, we must force ourselves to take the time it takes to protect ourselves.

I don't think you quite grasp just how serious identity theft or just the theft of credit card information can be. I hope you never have to find out firsthand.

Thinking about it, isn't it odd how all the browser developers keep coming up with browser versions that are supposedly more and more secure, yet every version seems to offer more and more ways to dangle the carrot in front of the donkey, so to speak; with the carrot being the user's personal and financial info and the donkey being the one who longs to steal it from you? At least a donkey is too stupid to figure out a way of getting the carrot and actually eating it. The criminals that hack into people's computers to steal their information are smart enough to figure it out, and pdq, too.

Well, that's my two-cents-worth--for whatever it's worth.

Al. TN.

I Wouldn't Use The Word Stupid
Sep 22, 2012 3:45PM PDT

but yes, it is unwise. Browsers are really easy to hack for any kind of stored data. I'm not going to be long winded like a lot of the posts that I see here, I'll just say that using a password manager app is far more secure than a browser, some more than others. After having some of my financial passwords hacked and a very serious issue concerning Pay Pal finally resolved I really seriously started looking at the vast number of password management apps, the one I settled on was Last Pass. Once you have it installed and set up you won't be at nearly the risk that you are using your browser's. Some of its features are that it not only stores log in credentials but it is also a form filler, password generator and auto log in feature. I know that a lot of posters are going to have all sorts of different apps to try, and no doubt a lot of posters are going to find fault with Last Pass, but it's the one that I use and have had absolutely no issues with it. And BTW it's free.

If You Are Going to Use a PUBLIC Cloud Provider
Sep 23, 2012 4:17AM PDT

I would not keep passwords on any site that has a non-responsibility term of service. You do know that some cloud providers read everything you post up there and that includes foreign workers as well. Always read the terms of service before assuming that any provider will keep your stuff private.

As I've Mentioned Before
Sep 23, 2012 4:21AM PDT

Think outside the box. What if the computer is lost (laptop?) or stolen from the home? Anything just sitting in the browser or on the hard drive is not safe. Thumb drives get lost all of the time. I keep mine on a thumb drive but I use ROBOFORM portable which is encrypted and password protected.

Some credentials shouldn't really be stored in your browser
Sep 23, 2012 5:17AM PDT

It is fine to store some credentials in your web browser as long as it is only you who uses the PC.

Other devices like smartphones, tablets and laptops that is another story.

If you regularly take your smartphone, tablet or laptop out and about I would highly recommend you do NOT store login details in these, or if you do, install some kind of software that can make the phone wipe itself if it gets lost or stolen. ESET Smart Security mobile edition has an option for phones and tablets to wipe the data when the device next connects to the internet should the device get stolen.

If you just keep your laptop or tablet at home then you should be fine but it is still worth considering an option to wipe it just in case it does get stolen.

The only few details you really shouldn't store though are things like login details for banks and credit cards. Most bank websites in the UK do not allow you to store this information anyway, and many have these security devices that require you to get a unique number that changes every so many seconds (HSBC give me one for my business, and one for my home use), I presume you're in the US, and I presume they have similar things there.

As for storing your credit card details online when you go and pay for things, probably the best way to do it is to use PayPal or Google Checkout, that way you're only storing your card details on two websites, rather than hundreds, and plus you get numerous guarantees against fraud from both these companies, and even the third party you are buying items off doesn't get to see your card details.

A few other things to ensure you are secure with your username and passwords

Do not use the same password for numerous accounts - my sister did this and when her facebook account was hacked she had someone buy loads of games on her Sony PS3 account and also gain access to her e-mail account, it took her a few months to sort the problem out.

and

When making a password do not use standard words that are in the dictionary, change their spelling, combine them with other words, or add numbers or symbols -

The reason for this is that many passwords are stored as hash codes and not as passwords, now from a hash code there is no way to go back to the original password - except if you build up a dictionary of words and their hash codes next to them (which is what hackers do) and then compare hacked hash codes to see if they can find a match (of course some businesses do also add a "salt" to the password to spice things up a bit for the hackers and in that case it's virtually impossible for them to get the password!)
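
The salting mentioned in the post above (and asked about in a later reply), as an added example that is not part of the original post. The word list, account names and passwords are constructed sample data, and PBKDF2-HMAC-SHA256 with 100,000 iterations is an assumed choice of slow, salted hash for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the thread): a tiny dictionary of common
# words and three made-up accounts, two of which share a dictionary password.
WORDLIST = ["password", "letmein", "sunshine", "dragon"]
ACCOUNTS = {"alice": "sunshine", "bob": "sunshine", "carol": "x7!Vq-long-unique-phrase"}
ITERATIONS = 100_000  # assumed work factor for the slow hash


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the same input always gives the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """The 'dictionary of words and their hash codes': computed once, reusable
    against every database that stores unsalted hashes."""
    return {unsalted_hash(w): w for w in words}


def make_salted_record(password: str, salt: bytes = None) -> dict:
    """What a site stores per user: a random salt plus a slow hash of salt+password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Login check: redo the hash with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def matched_by_table(stored_hashes: dict, table: dict) -> dict:
    """Users whose stored hash appears in the precomputed table."""
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def compare_storage_schemes() -> dict:
    table = build_lookup_table(WORDLIST)
    unsalted_db = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    salted_db = {u: make_salted_record(p) for u, p in ACCOUNTS.items()}
    salted_hashes = {u: r["hash"] for u, r in salted_db.items()}
    return {
        # Unsalted: dictionary passwords fall to a single table lookup, and
        # identical passwords are visible as identical hashes.
        "unsalted_matches": matched_by_table(unsalted_db, table),
        "unsalted_same_hash": unsalted_db["alice"] == unsalted_db["bob"],
        # Salted: the precomputed table matches nothing, and the same password
        # stored for two users produces two different hashes.
        "salted_matches": matched_by_table(salted_hashes, table),
        "salted_same_hash": salted_hashes["alice"] == salted_hashes["bob"],
        # The site can still verify a login because it keeps the salt.
        "login_ok": verify_password("sunshine", salted_db["alice"]),
        "login_wrong": verify_password("Sunshine", salted_db["alice"]),
    }


if __name__ == "__main__":
    for name, value in compare_storage_schemes().items():
        print(f"{name}: {value}")
```

The salt is stored next to the hash and is not secret; what it removes is the reuse of one precomputed table across all accounts, so a dictionary word still has to be guessed separately for each record, and the slow hash makes each of those guesses expensive.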

A password manager such as LastKey would be a better idea
Sep 28, 2012 10:39AM PDT

If you save your passwords in your browser then anyone who gains access to your browser has access to all the websites that have saved passwords. Many vulnerabilities and exploits allow attackers to gain access to local resources, including your password cache. There are several popular passwords managers such as LastPass, or KeyPass that will help you manage your passwords in more than one way.

Just as or more important is to make sure you don't use the same password for multiple unrelated websites and make sure your password is a "good" password. A good password is one that cannot be easily guessed. Google search "good password" and you'll find lots of help on choosing and managing passwords. Make sure the computer you use has all the latest O.S. updates installed along with a good virus/intrusion detection system.

Some of the above responses appear to be a bit on the paranoid-overblown side to me. You definitely should not save passwords to special sites such as banks, financial, personal health websites. My experience is that all of these high security sites do not allow you to store your password in the browser and have two stage login procedures.

Some credentials shouldn't really be stored in your browser
Sep 29, 2012 12:40AM PDT

darrenforster99:
Please give example of: "add a "salt" to the password".

Relax
Sep 28, 2012 10:46AM PDT

Sarah,
You've had lots of don't-do-it advice, but you should forgive them their, well, uh . . . paranoia.

Relax, let the browsers store your username and password. Without reading any technical manuals, I've observed that some sites allow the browser to store them. Other sites don't allow it. Some allow you to store one, but not the other. It is not the browser that is in charge here -- it is the website, e.g., using the same browser, BoA allows username but not password, Barclays allows password, but not username.

Everyone is really concerned about identity theft, but when you look at the annual figures compiled by the FBI you learn that "unauthorized use of credit card" comprises the biggest batch of "identity thefts" and that most of those are stolen by family members. Does that conjure up images of computer malware, etc., etc., for which you should disrupt your life? You might want to watch a teenager or bum of an uncle, though, if one of them gets near your wallet.

I've been online since the late 80s, and as financial companies came on line, I jumped at the chance to pay my bills and trade stock. On a couple of the older sites, I'm still using the same usernames and passwords that I set the account up with in the late 90s. Stored. No problems. Ever.

My only protection is a standard McAfee, sometimes Norton, program.

As for portable devices: I don't need to check my balances with a phone; you shouldn't need to either. I always wonder about folks who need to check their balance before making a large purchase. If you need to the answer is obvious -- you can't afford it. When traveling for weeks at a time, I use my tablet, but I don't store data on it since it is possible I could lose the tablet.

So, Sarah, relax. Use your head. Not a manual or some bloody website that drones on and on in unintelligible gibberish.

never
Sep 28, 2012 10:49AM PDT

never store passwords in browsers. Use something like norton identity safe, and password protect the .dat file.

I store my passwords in my browser. Here's why.
Sep 28, 2012 11:36AM PDT

I looked at several of the responses and it seems that people universally recommend against doing it. They probably are right, but I am one of those that does store them on my browser. I figure that for the most part someone will have to steal my computer, get into my password protected Windows account, get into my password protected password account, and then proceed to wreak havoc on my accounts. Yes, that can happen, probably easier than I think, but it's a risk I'm willing to take.

In one case having my password in my browser helped protect me from a phishing site. I got a link from a friend (whose account had been hacked, but I didn't know at the time) that sent me to a phishing site that looked like Yahoo. I didn't pay attention to the URL and typed in my login and password and it sent me to some Yahoo site, but then immediately realized I shouldn't have had to type in my login info and went back and checked the URL and saw that it was a phishing site. I immediately logged into my Yahoo account the right way and changed my password and avoided whatever issues may have arisen from someone having my login information. I actually feel a little safer knowing that if my login information automatically pops up then I'm at the right site. If I expect it to pop up and it doesn't, which happens sometimes when they change the site, I know to be extra careful.

Another plus for storing your passwords is that if you somehow do get key logging spyware on your computer, you won't be typing in your login information so the key logger won't capture it.

Odds are Good that Your PC Could Get Stolen
Oct 1, 2012 3:42AM PDT

My house maid service called and their keyring was stolen along with their GPS from their car (who leaves a GPS in a car?). Anyway, they are calling all of their customers asking to change the locks. I had an attempted break-in a few years ago.

Your "Windows" password is next to useless. If you go to CNET's download website you will see tools that will remove that password and expose the administrator user name (not that we don't know it is "administrator").

I have software that protects me from phishing sites. Even when I didn't, I never click on login links in an email, even if I'm pretty sure the link and the email is legit.

If you get keylogging spyware, it WILL deal with your passwords the first time you enter them. Why don't you have software that blocks that? If you can get a keylogger on your PC, you could probably also get malware that will send all of your clear text browser-stored passwords off to someone.

It may not have happened to you, yet, but all you need is once.

I have no idea what you mean by storing this information in
Sep 28, 2012 1:51PM PDT

your browser. I use a special thing called Billeo which saves user names and passwords and automatically logs me in. I have been using this method for years without any problems. Without this terrific program I could never use my computer. It has been a God send. The only thing I have to have written down is the user name and password that enables me to use it should it stop working and I have to download it again. Very efficient. You can even go into the tab that says passwords and use this way to log onto any web sites you have saved.

Can you extract your own (or somebody else's passwords)
Sep 28, 2012 2:44PM PDT

Hi. Personally I don't store passwords except in my head. You could attempt to find and extract passwords from your PC and then realize that if you can do it - so can anybody with access to your machine. Obviously malware exists that can also extract your passwords and nobody can guarantee 100% of the time that their machine is protected against such threats.

Check out this list of software then consider using it to see what's possible.

http://www.osforensics.com/ - anyone who installs this on a USB key and plugs it into your machine might extract some passwords. See: http://www.osforensics.com/password-recovery.html

Here's a whole bunch of password recovery tools:

http://www.nirsoft.net/password_recovery_tools.html

Note: Some security software will flag this site and products as malicious. It's only undesirable software if it's installed without your knowledge - otherwise it's perfectly safe. A lot of the products available from Nirsoft could be described as hacking tools and this justifies the warnings given by some security products.

Other reading: http://www.labnol.org/internet/reveal-hidden-password/25600/

So the bottom line is does anyone else have access to your PC and do you trust them?

Here's a few password managers that you could consider using:

https://www.techsupportalert.com/best-free-web-form-filler-password-manager.htm

Obviously it goes without saying that it's safer to use a different password for every website, email account and so on. It's a pain but they should also be changed on a regular basis and shouldn't be easy to guess. Also consider password recovery options. If the question is something like "What is your mother's maiden name?" choose a reply that is totally unrelated to the question so that anyone who can determine your mother's maiden name cannot get access to your account by submitting the correct answer on the password reset link.

I hope you find something useful here!

Thanks!
Sep 28, 2012 6:38PM PDT

I've been wondering the same thing. Thanks for posting the question and thanks to all for your suggestions. Had been relying on Firefox saved passwords with a Master Password, but realized this only protects me from someone using my computer and not from online hackers. I've learned a lot and will be employing some of the ideas to feel a little better about my online security.

Do it by Levels
Sep 28, 2012 9:16PM PDT

It is a risk like the usual risks you take every day in your life. Do you walk regularly across highways? No?? Then do not use or save credentials on public computers. Office level: ID and Password are personal? Use credentials wisely, Activate "Screen Saver Settings" on "Control Panel" and make sure you mark the "On resume, display logon screen". It prevents a "bad" use of your computer in a "bad" hour by any stranger. When I leave my home, I always check if it has been activated on my personal desktop. On a personal laptop use a strong access password; always turn it off or shut it down and do not leave it unattended! Another point is to limit the sites that you regularly visit in your office, such as personal banks or social websites; obey their rules because they "say" who can see what you "see", for example "The Administrator", be paranoid then!

You should not be doing it
Sep 28, 2012 11:09PM PDT

I think shopping sites are OK as long as you're sure they are not storing your credit card information (some sites like Amazon helpfully make storing them the default).

Banking and email accounts should always be protected with strong passwords, preferably memorized, or else written down in a private place like your home. Data stored on the computer in 128 bit RSA encryption is probably OK (until someone builds a working quantum computer) but not storing it at all is even safer. You can't really assume anything stored on a computer connected to the Internet isn't available to some clever hacker.

It is fairly scary how a clever scammer with access to one piece of information can "root" you. For example, an email account gives access to many site's lost password feature.

Sites and browser makers are willing to make things convenient for you so you'll use their products. But they aren't the ones who have to deal with the consequences of your bank account or your identity being robbed.

Just a Rehash
Sep 29, 2012 2:10AM PDT

There are two risks:

1. Someone hacking into your PC from the outside
2. Someone stealing your PC (burglary, lost laptop, etc.)

Testing your defense:

Have a friend try to access your computer from your house (pretend it was stolen). Can they check your browsing history to see where you've been? If so, can they open the browser to your critical sites and get access? If the answer is yes, then you need to find out what damage they can do. Is your PC password protected? Guess what! With simple tools you can download from CNET, anyone can get into your login password.

So, the thought is that you need to figure out what the damage to your accounts and to your identity can really be all about. Then, you can weigh the risk vs. the benefit of storing your credentials the way that you do. In other words, it may make your life much easier now by using the browser to store the passwords. But what happens just ONCE if someone hacks in or steals your computer? It's one thing to possibly lose all your money but, if someone steals your identity and then goes on a spending spree, straightening that out can take years. Look up identity theft. So, it is really up to you.

Simple but important outtake
Sep 29, 2012 2:18AM PDT

For very important sites like your Banking or Primary eMail the safest thing to do is MANUALLY sign in EVERY time. The password then becomes saved in the SAFEST God-made place on earth: YOUR HEAD!

Oh yeah?
Sep 30, 2012 7:29AM PDT

What about keyloggers? What about session riding into the site you're logging into? It is a lot more complicated problem than just manually doing it. I've also read that crackers can break the encryption of the passwords that are automatically stored in the browser; if folks don't like that, they need to click "never" (depending on what browser they are using, that is).

Keyloggers and session hacking
Oct 1, 2012 4:31AM PDT

Well said JCitizen. You're pointing out that when using a wi-fi network it's possible using certain freely available tools for anyone on the same network to extract your login cookie and sign into any site that you've visited as you. No password or email address required as the login info is contained in the cookie. As for keyloggers I always use an anti-logger at all times. For online banking there's a simple way to protect your confidential information. Free software is available here:

http://www.trusteer.com/Products/Trusteer-Rapport-for-Online-Banking - it's free.

Personally I don't like it as it's too resource hungry but for those people browsing this forum who have no real idea of security issues it's a great solution. It can also be used to secure your logins to any other website. The main issue that I have with it is that it runs every time a browser is opened and there's no easy way to shut it off or disable it.

Best free anti-logger (in my opinion): http://www.qfxsoftware.com/ks-windows/which-keyscrambler.htm -free version is ok.

Best paid for anti-logger (in my opinion): http://www.zemana.com/

Best free VPN: http://www.spotflux.com/ - protects against tools like Firesheep, Wireshark and so on.

Alternative: http://www.anchorfree.com/hotspot-shield-VPN-download-windows.php

This was posted for the benefit of visitors to this page and thanks very much JCitizen for pointing out these problems.

Good post!...
Oct 1, 2012 8:41AM PDT

Thanks for the links!

And yes; I'm a big fan of QFX, I use the pro version because I don't want anyone knowing what I'm typing into my local documents, let alone what goes on the web! I know - I'm ultra paranoid - but if you saw what happens to some of my clients, you'd be paranoid too!

Not a good idea!
Sep 29, 2012 6:56AM PDT

We all have so much data to protect and so many passwords and user id's that I can understand the desire to make life easier, but you only need to be the victim of identity theft once to realize it's not worth it. I have dozens of user id's and passwords and I keep them on a secure, encrypted password protected flash drive that I keep locked in my firesafe. It's a little inconvenient to access if I can't remember, but I never have to worry about anyone getting my information. I also use a Norton. And for those who say, "I do such-and-such and nothing has ever happened to me," we all can say that, until something happens!

Further Considerations
Sep 29, 2012 1:35PM PDT

Assuming that you have a different password for every login situation I suggest you create a file in Word or some text program to store your passwords on your computer and give that file a unique name that you and only you and your trusted computer consultant would be able to use.
There are numerous other situations presented by the website password:
Some require user names and/or passwords of a minimum length, some require alpha numeric characters only. Some generate a series of characters for your password on registration with no option to change it to your great grandfather's name that only your family knows.
If you decide to put it on your computer do not name that directory or file PASSWORD or you will leave yourself open to hackers or spying family members access to your information.
In addition, print this file periodically so as to have a hard copy in case you have a computer disaster and have to reload everything from scratch.
The other scenario here is to use the login saving supplied by Firefox, Chrome or Explorer for the Non essential but frequently used Websites and again it's a balance between security and time savings here. Obviously, a chat line is not a credit card from your online Banking information so in the long run, it boils down to Security versus quick access.

Beyond being fed up!
Sep 29, 2012 9:41PM PDT

I have been fed up, for years, with the ridiculous use of passwords. Please don't get me wrong, they have their place. However, I am sick and tired of having to enter a password to buy a stick of gum.

No, I am not stupid enough to buy gum online but I think you get my meaning.

Yes, I am careful to use passwords when banking or when I feel my personal information is nobody's business. I just feel that we have gone way too far in their use.

A Lot of Us are Fed Up Too
Sep 30, 2012 6:14AM PDT

But what suggestion do you have for replacing them? Supposing you didn't need one for Amazon? Could someone sign on as you and change the shipping address of things you ordered. Yes. You already know about your bank. How about CNET? Why do you need a password? Could someone log in here as you and make really stupid posts in your name that could get you kicked off? Yes, we can! How about reading your email. How about sending email in your name. Sorry, but any time that my (or anyone's) personal identity is at risk, you need protection. None of us like passwords. At work, if I am on the Internet I have to enter an employee number and a complex password just to go to YAHOO. (Internet usage is tracked). Oh, and I need to login every 5 minutes in case I need to go to the bathroom or something. By the way, your stick of gum could turn into a disaster if someone could get into your account and look up your shipping address or use your credit card to buy 10 cases of gum.

How about coming up with a better idea to make sure a few hundred people don't jump on a website and order a case of gum each under your account? I use roboform. If convenience puts me at risk, I'll go with less convenience and more security any day. Your mileage may differ.

Agree that it's gone too far
Sep 30, 2012 9:44AM PDT

Some of it no doubt arises from boilerplate "e-commerce" packages. I'm always grateful for the site that lets me make an occasional or one-time purchase without creating an account with a password.

"E-Z Pass", the company that is contracted to collect tolls on highways in the Northeast using an express tag system, requires you, if you lose your password, to fill out a Web form to have them snail mail you a new, random one that needs to be changed immediately, to the address they have on file for you. You have to log in with the random one, then log in again with the new one, each time going through one of those optical character recognition gatekeepers (at least it's one you can read unambiguously).

You deposit money into your account but it can't be withdrawn, only used to pay tolls. Worst case scenario, someone steals your physical tag from your vehicle, hacks into your account, changes the vehicle registered to the tag and runs your account dry before you notice it missing. You can have it connected to a credit card account (which I don't) but most cards are insured against fraudulent purchases. All the security in the world doesn't alter the relative ease with which authorities, if they chose, could track my movements--a privacy I sacrifice for convenience. There's no reason in the world standard e-commerce security shouldn't suffice for this particular use.

Despite my pretty good system for creating non-dictionary alphanumeric combinations I can remember by virtue of being meaningful to me yet not easily guessed, some sites have rules that don't fit my pattern, requiring me to write them down someplace, or they periodically make me change to another, never before used password--requiring me to make notations as to what they're for and when they're valid. Written passwords are less secure than memorized. The friendlier sites let me enter a password hint for which I can use an association that would probably be meaningless to most people.

I think Web site security precautions should be reasonably commensurate with what's at stake. Common sense precautions, yes, but not Fort Knox security for buying a stick of gum.

Maybe but there are Better Options
Sep 30, 2012 4:11AM PDT

I would strongly recommend you not do this and remove the ones you have saved now. A better solution is using something protected to save those passwords. Personally, I am a big fan of LastPass which allows me to save all of these sites under a master password.