General discussion

Is it safe to store website login info in browsers?

Maybe a good question to ask your readers. For convenience, I often save my website login credentials (username/email and password) in both browsers I use (Firefox and Chrome) and it has served me well over many years. However, recently my friend saw me do it and he told me that it wasn't a good idea to store any passwords in the browsers as I am just asking for my information to be compromised by hackers. Ever since then I have been scared to store anything in my browsers again. Is my friend correct that storing that information in my browser makes it easier for hackers to steal my login information? If that is the case, why do Firefox and Chrome offer such a feature? Shouldn't they look out for their customers if it is this vulnerable? What do you think? I'm sure others are using this feature and if it is a bad practice, maybe others should be warned too? Any information offered is appreciated.

--Submitted by Shiela P.

Post was last edited on December 14, 2018 5:12 PM PST

Discussion is locked

Comments
- Collapse -
There is a better way

Firefox, at least, by default stores your passwords only very lightly "encrypted" that can easily be seen by any hacker. You can get an extension to make them harder to see. But a better idea, imo, is to get a password manager. Several good ones are free and can be used on computer and phone. Several others are not free, but quite reasonably priced. These managers help you do several things better: Less guessable passwords, no passwords shared between sites, some of them even remind you when it's time to change passwords; many also make it easy to securely share your passwords between your browsers, your computers and your phones.

Look here: https://duckduckgo.com/?q=password+managers&t=h_&ia=web

- Collapse -
How is a 'password mngr' safe?

How is a 'password manager' any safer than anything else?

- Collapse -
Reputation

There are several secrets. For one thing, the entire list of user names and passwords must be encrypted using a strong master password. Not just using the password for access, but by using a strong encryption technique. The issue is also that many websites do not necessarily use proper techniques to store your password. So, if your bank reminds you of what your password is, stay away. I remember in one class, companies use a .TXT file to hold these and not encrypted. Credentials stored in your browser are not even password-protected, least of all, encrypted. So, what it all boils down to is that the product (password manager) should realize that a hacking of their data could be catastrophic to them. There are ways to program safety and many projects get people who are rushed for time and make mistakes or simply sacrifice security for time in the "rush to market".

Nothing is going to be 100% fool-proof. However, if it is going to take an expert two years to hack your information, there are other uses of their time. So, it's a matter of reputation and trust but, storing passwords in a browser is just NOT cool if someone gets access to your computer by any means.
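
The distinction drawn in the post above, between a master password that only gates access and one that actually keys the encryption, as an added example (not part of the original thread and not any password manager's own code). It uses Node.js built-in `crypto`; the function names `deriveKey`, `sealVault` and `openVault` and the sample entry are hypothetical.

```javascript
// Added example: the vault is encrypted under a key derived from the master
// password, so the stored blob is useless without it. Names are hypothetical.
const crypto = require('crypto');

// scrypt is deliberately slow and memory-hard, so every offline guess at the
// master password costs an attacker real work.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt the whole credential list with AES-256-GCM. Only the salt, nonce,
// authentication tag and ciphertext are kept; the password and key are not.
function sealVault(entries, masterPassword) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(entries), 'utf8'),
    cipher.final(),
  ]);
  return { salt, nonce, tag: cipher.getAuthTag(), ciphertext };
}

// Returns the entries, or null when the master password is wrong or the
// stored blob has been modified (the GCM tag check fails in both cases).
function openVault(vault, masterPassword) {
  const key = deriveKey(masterPassword, vault.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, vault.nonce);
  decipher.setAuthTag(vault.tag);
  try {
    const plain = Buffer.concat([decipher.update(vault.ciphertext), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Constructed sample entry, not real credentials.
const SAMPLE_ENTRIES = [{ site: 'forum.example', user: 'alice', password: 'n0t-a-real-one' }];
```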

- Collapse -
How can anyone trust a 'password manager'?

It blows my mind that so many folks just trust these

- Collapse -
You know a better way?

Obviously, one must choose the software very carefully. I have around 250 accounts/passwords, some trivial, some vital. If I had to remember every one, I'd only use a couple of passwords or have to write them down. For your most important sites, where 'strong' passwords (random numbers, letters, symbols) are essential, they should deliberately be impossible to remember. So a trusted password manager, where you can also store many other important (to you) data, is the best solution I know. The right one can also help manage your digital legacy. Of course, the password for the password manager should be complex, unique and never stored in browser or anywhere else! A good password manager will also have a recovery method with a delay, e.g. you will get notified for, say, 14 days before anyone trying the recovery key (like your next of kin after death) can succeed if you don't intervene.

- Collapse -
Depends on which logins you're saving

I guess it depends on the website you're logging into. I don't store my login info for things like my banking account, but less crucial sites such as Cnet I have no problem saving. Otherwise I would spend half my day just logging in.

Post was last edited on December 15, 2018 3:50 PM PST

- Collapse -
Also Make Sure You Don't Use the Same Password

If you use the same password for some, most or even ALL of your websites, it is NOT a good idea to store that password anywhere. The only exception would be a tried-and-true password manager.

- Collapse -
Saved Logins

I agree. I use one password manager for websites that I visit and have logged into on a regular basis and don't store banking info in the cloud.

- Collapse -
Banking Info

My bank does banking in person, through the web and through an app. My Banking Information is not stored in a cloud (I hope) but on one of the bank's servers. Even if I didn't connect to my account, the information would STILL be on their servers. So, my security is up to them. You really don't have a choice. Same with any company, really. The data is on their backend.

- Collapse -
Use A Password Manager

I never save logins in the browser. I use Roboform Everywhere. Many folks use LastPass or other password managers. I simply suggest that you get one and use it instead of saving it in the browsers.

- Collapse -
Agree with password managers

Another good reason to not let the browser remember your passwords is if your machine ever gets stolen, or some other way someone not worthy of trust gets access to it. If your machine automagically fills in the passwords then that makes it easy for someone to log in to your important sites.

I let my browsers remember sites like forums and other places that nobody could really hurt me with. But, I always type in or copy from a password manager for email, banks, Amazon and any shopping site, logins to control and maintain my website, etc. All of my important passwords are unique and at least 20+ characters long.

Yes, it can be a pain to type in a long password, especially on a phone. But, usually Copy&Paste from the password manager works around that.

I've been using a paid product, SplashID, since the late '90s. I like its flexibility. Every once in a while they offer their online service for a one-time fee. I consider it very much worth the price. But, as griswolf says, there are free alternatives that are very popular.

- Collapse -
Extremely Good Point

Too many computer users are so into ease-of-use and convenience, that they wish they didn't need passwords at all and would rather not have security (yes, I've seen posts by some that want to get rid of logins). I ask these people the same question. What happens if you lose your laptop or, most likely, it gets stolen out of a car or someone has a break-in at their home or at work and a computer is stolen. At least with a password manager, you still have to login to that. I use Roboform (paid for version).

- Collapse -
Tip for using any password manager

I forgot to include this. A rule I have enforced on myself that I find has saved me frustration several times.

Rule: When creating a new account, always stop and add it to your password manager before typing the password into the website form. If all on the same device (phone, computer) then Copy&Paste the password from your password manager into the form. That way you're certain that the passwords match.

Multiple times, I've been in a bit of a hurry, and it's a site I don't think I'll need to log into again. And I considered just plowing on without bothering to save it. Or, "I'll do that in a minute." But, I'll stop myself and put it in my password manager, and it turns out it was useful that I had disciplined myself to save it. I also include any other unique info, like security questions and answers, account numbers, etc. I also use mine to record serial numbers for software and hardware. My password manager can store an attachment, so sometimes I'll take a picture to store the serial number.

But, the main thing is: Always create the record in your password manager prior to moving on to creating the new account.

- Collapse -
Good reminder. However ...

Some sites won't allow copy/paste. IMO that's a good thing because BFBI attacks will use c/p if available. So, best practice is to type each time.

Also, make sure that the site will accept your special characters. E.g. some won't take the up-caret, so I never use it.

- Collapse -
Interesting.

All my passwords are long and in Welsh. Wait! Damn you Patagonia. Laugh
Dafydd.

Post was last edited on December 21, 2018 4:54 PM PST

- Collapse -
That's unfair. You guys got no vowels!

Patagonia?

You may know of US TV program Jeopardy.
Yesterday the Final Jeopardy was 'a poet, born 1914, born at such and such street address.' I got it: Thomas! How? The street name was clearly Welsh.

- Collapse -
Doug, Doug, Doug.

I 'splained to you years ago. We have two more than you.
Dafydd.

- Collapse -
(NT) LOL!
- Collapse -
CTRL + V

To Paste a password when signing into a website try using Ctrl + v together.

- Collapse -
Yes, Ctrl-V is paste.

However, the more secure [IMO] sites won't allow that. It makes the automated crackers work that much easier.

- Collapse -
yes, but..

The odd thing is that sometimes ctrl-v will work when selecting paste from the right click menu does not. I have no idea why that is.

- Collapse -
what browser

What browser are you using when you say "when selecting paste from the right click menu does not"?

- Collapse -
Firefox

I use Firefox. Maybe an extension is interfering someway?

- Collapse -
I'm as lazy as the next guy, so I think I've tried both

over the years. In the event, I'm more confident in a site that doesn't allow it.

- Collapse -
Roboform Has Copy/Paste

You can use copy and paste but, at least with Roboform, it directs the userid and password into the login form (called "form filling"). But you can do what you want with it, I guess. Direct form-filling is easiest without compromising safety.

- Collapse -
(NT) Yeah, that's Roboform's selling point, isn't it?
- Collapse -
Preventing Paste is annoying and useless

A site not allowing paste "for security reasons" is dumb, in my minuscule opinion. If a hacker can intercept Copy&Paste then you have a much bigger problem. That can only be accomplished by software actually running on your computer. If they have that access, then you're completely compromised. They can just watch you type, too.

- Collapse -
If I can copy/paste so can a bot,

so trying many passwords just got easier, right? If I gotta work, the bot's gotta work, is my view. Happy

- Collapse -
Not unless you're infected with malware

No, they can't steal your password from the clipboard unless you have malware running on your machine. In which case, they can watch you type, too. There is no security advantage for a website to not allow paste. In fact, except for maybe a game, I can think of no instance where preventing paste is useful.

- Collapse -
LastPass Has Worked Well For Us

LastPass is a very good free password manager. It comes as an add-on or "extension" to Chrome, IE, Edge, Firefox, etc. Make up a good, long, strong password you can remember as the "master" password for signing into LastPass, then let LastPass remember your username and password for all other websites that you OK. It can also generate passwords for new websites you visit or existing websites where you want to change/update your password. I can go from laptop to phone to PC and use LastPass on each of them, so that's very convenient.
AVAST free anti-virus (and the premium paid version) has its own Chrome-based AVAST Secure Browser. Basically, it's a security-enhanced version of Chrome browser and it includes what AVAST claims is a very safe and secure password manager. Maybe worth a look.
