Storing Passwords In Your Browser? Time to Stop.

The latest controversy to make the rounds on tech news outlets and social networks surrounds the lack of security features built into Google’s Chrome browser, leaving user passwords and form fill data at risk.

Web developer Elliot Kember questioned Google’s security practices after showing that anyone with physical access to the computer has immediate access to the saved passwords, which can easily be toggled to plain text. Someone can simply go to the URL chrome://settings/passwords, or open the password page in the browser’s Settings menu, to view the data. There is no master password or even a generic prompt – essentially, there is no added security for the passwords.

The main concern that Kember raises is the fact that the mass market doesn’t expect it to be that easy for others to get to their data. In his blog post, he calls for Google to either clarify the security policy so users can make a more informed decision, or to add a master password option (as Mozilla Firefox has done).

This “flaw” in Google Chrome is old news to many. However, the fact that Chrome is now one of the three most widely used browsers in the world means that more and more of the general population is using Chrome and saving their data to the browser, with little information about how that data is protected.

Ultimately, the most secure way to store your data is to not store it in a browser at all, where there are minimal security options and a host of possible threats. By storing your data in a password manager, you’re adding at least one authentication layer with your master password, not to mention the encryption technology built into the software itself.

There is also the added benefit of utilizing multifactor authentication and other features to control where and how your data can be accessed. These features include the ability to restrict logins to specific countries or to enable master password reprompts on more sensitive logins. It also ensures that should one computer or browser crash, or be lost or stolen, your data remains securely accessible on your other devices.

While we agree it would be wonderful if Chrome would increase their security options or offer better warnings for users, Chrome users can be proactive today by downloading a password manager like LastPass and migrating their data out of their browsers. LastPass will even help you with that process by automatically importing your passwords for you as you get started – so don’t wait until it’s too late.

Were you aware of this shortcoming in Google Chrome? What other steps are you taking to protect your data?

30 Comments

  • SSSputnik says:

    Given the NSA is apparently requesting user passwords and password salts from a variety of US companies, I will probably be shutting down my Lastpass account soon. It’s a shame as it’s a great service, but it looks like the all-seeing eye of the USA either probably now has access to all my passwords stored with companies like Lastpass, or will shortly.

  • Charm Weber says:

    I have been using Last Pass for over five years now and am quite happy with it. As someone mentioned before, you do need to configure it properly so it logs you off after a certain time of inactivity or after you close your browser; otherwise it gives access to anyone who has your computer. I love the Generate new password feature as I hate trying to create new secure passwords. A program like this is essential if you have many passwords you need to remember as it takes the hassle out of it all. It does have its own hassles that I’ve had to work through, but once you understand how to use it, it isn’t a problem.

  • balshetzer says:

    This article is disingenuous coming from a security firm. First it implies that lastpass behaves differently. This is not the case. Lastpass browser plugin allows the same access to cleartext passwords by default. Second, as a security firm it is incumbent upon you to know and communicate that there is no security model for handing over your computer to another person while you are logged in. Any attempt to claim to have created something that is “secure” against an attacker who has access to the computer while you are already logged in would be misleading at best.

    • Amber Gott says:

      Thanks for the comments, it’s true that with physical access and without taking the necessary steps, someone could still access your data. LastPass does offer “master password reprompt” options, though, which ensures they can’t “edit” or even “fill” logins without first re-entering the master password. There are also autologoff features so your session can end if you walk away – or forget you’re logged in. It’s all about mitigating risk, and making it as difficult as possible. Thanks again for bringing up these points, though.

  • Vikram says:

    Have been using lastpass for years now and haven’t looked back. Mocked a lot of friends using browser to store their passwords and seen a lot of people eventually moving to lastpass.

  • Anonymous says:

    Dan makes a valid point. In comparison, 1password is based in Canada, so might see a surge in business.

    • Please see my comment to Dan.

      Hush Mail was based in Canada, and they caved into pressure to compromise their crypto.

      The bottom line is if you want absolute trust in your crypto, you have to run it locally with open-source code that you have verified, or an expert has verified and that you can confirm it hasn’t changed since then.

  • Dan says:

    I used to use Lastpass as my primary password manager. Then the whole Edward Snowden fiasco has colored my views of ALL cloud service providers. As a US-based cloud company, I can’t help but worry that you are susceptible to secret subpoenas and national security letters that can compel you to divulge “foreign” data with absolutely no legal restraint. As a non-American, this worries me a lot.

    As such, I have been scaling back on using US cloud providers, and I am thinking of canceling my LP account. I just don’t feel secure trusting you with my most intimate passwords.

    • Thomas says:

      This is also true for me. As a non-US I cannot trust LP.

    • Amber Gott says:

      Thanks for bringing this up, Dan. You have some valid concerns – but LastPass has minimal access to data to begin with. We’ve built it so that your key is not shared with LastPass, which means your sensitive data is encrypted and decrypted locally, and synced securely. We’re happy to address any follow-up questions or concerns: security[at]lastpass.com – thanks for reaching out.

    • Dan, really the issue existed long before Snowden. The paradigm is host-based security.

      You’re trusting the host with your crypto. When you go to LastPass’s website, you have no guarantee that the JavaScript they serve you this time to handle the crypto is the same as what they gave you last time. So, under a US government order, they could change their encryption to send your password up to the cloud so they can decrypt your data. This happened to Hush Mail in Canada.

      I do believe that LastPass is very secure, especially against non-government hackers. And the cloud brings convenience. But I wouldn’t recommend it if you’re planning on overthrowing government regimes ;)