What is Wrong With the Browser Passwords?

The Internet browser is the most used piece of computer software. Besides browsing, we increasingly use it for video chatting, creating spreadsheets and even brewing tea or watering gardens. Since the late 1990s browsers have been kindly asking whether we would like them to save our passwords. But is this option safe? Winston Churchill once compared trusting passwords to your browser to having unprotected sex with a stranger. It is fun, yet you never know what you might end up with…

While using a browser to store your passwords might be convenient, it is not necessarily safe. There are numerous risks involved, and there are safer options that give convenience without compromising security.

What Are the Risks?

Let us start with a brief terminology sync. Browser password risks can originate from ‘inside’ or from ‘outside’ of your physical and cyber perimeter.

‘Inside’ risk is when a relative, a friend or a jealous life partner installs and runs a malicious application on your Windows computer while you are away. Within seconds the application dumps all your browser passwords and the intruder walks away with them. The same trick exists for Android devices, although it requires more sophistication from the person performing it.

Screenshot of Chrome Password Decryptor — one of the apps that can perform quick password extraction from a browser. Image by SecurityXploded.com

Likewise, browser password extraction is possible on iOS. However, it requires figuring out your Passcode or hacking your Touch ID — Apple’s endpoint protection features for its customers. And that hacking / figuring-out task is not so difficult for a person sharing the same living space with you.

‘Outside’ risk is when a competitor hires a professional to steal the sensitive data of your business. Also, a cybercriminal might hack your browser to steal money from your bank account or apply for a credit card in your name. Finally, the government might start monitoring your life in retribution for your dissenting opinion.

An outsider does not necessarily need to hack into your device to steal browser passwords; planting a trojan or a virus on your machine is sufficient.

An Email Attachment that Blacked Out a City

In December 2014 unidentified hackers shut down a regional electricity grid in Western Ukraine. The attack occurred while an armed conflict was ongoing in the eastern part of the country. The source of the trojan was a Microsoft Office file sent as an email attachment. As a result, Ukraine blamed the Russian government for the incident.

Headquarters of Prykarpattyaoblenergo, regional Ukrainian power grid operator, whose systems were successfully hacked in December 2014. Photo comes from company’s corporate website.

A Flash Drive That Destroyed Iran’s Nuclear Weapon Ambitions

In June 2010 security researchers discovered the Stuxnet worm. It turned out to be a cyber weapon, allegedly developed jointly by the governments of the US and Israel. The worm targeted the Siemens Simatic S7-300 industrial programmable logic controller used at the Natanz nuclear facilities in Iran. Anticipating a hacker attack, the Iranian government had disconnected its nuclear fuel plant from the Internet. For this reason Stuxnet used a combination of human intelligence and USB thumb drive infection to achieve its purpose.

Arak IR-40 Heavy Water Reactor at Natanz Nuclear Facility in Iran as of 2012. Photo by Wikimedia Commons.

Therefore, in the blink of an eye you might compromise all the passwords you trusted to your browser, simply by opening the wrong document or inserting the wrong thumb drive.

Master Browser Password: to Have or not to Have?

Can browser passwords be locally encrypted and password-protected themselves? Yes, but there are different schools of thought among the vendors of the most popular browsers, and the nature of each vendor’s business explains the difference in their approaches.

Master Password in Browsers on Various Computer Operating Systems. Comparison chart

As we see, only Firefox and Opera currently offer a master password feature to their customers. Note that browsers are the core business of both companies, and neither Firefox nor Opera has its own OS.[*] For the purposes of this post we researched only Windows 10 for desktops.

Platform vendors usually rely on the credential management systems built into their OS: Safari uses Apple’s iCloud Keychain to protect its customers, and Microsoft Edge uses Windows Credential Manager.

Google’s Feeling

Google is an ardent opponent of master passwords. We have found no official link stating the company’s position. However, a discussion in the Google Product Forums boldly states Google’s argument: master passwords create a ‘false feeling of security’. The search giant insists that keeping your system clean and maintaining software hygiene helps your online security more than a master password does.

Google’s reasoning wins a lot of sympathy from us. Still, a browser master password is very efficient at avoiding ‘insider’ risks. If you have small kids or younger siblings at home — you definitely understand the value of a master password, especially if you share your device or browser with them.

Firefox and the Best Practices

In the end, Firefox’s encryption algorithm for browser passwords wins our compliments. Unfortunately, it can be brute forced. However, this requires additional time, skill and effort from a hacker.

Therefore, a combination of a master password and additional security precautions might be sufficient for a browser in private use. Still, it is better not to store sensitive or business-critical passwords on such a device.

The additional security precautions are:

  1. making sure you have correct firewall and Wi-Fi router settings;
  2. enabling hard drive encryption;
  3. using a root password for your desktop machine and a passcode for mobile devices, preferably consisting of at least 10 symbols, including numbers and letters;
  4. avoiding installing apps directly from the Internet and using vendor-approved stores (App Store, Google Play, Mac App Store) instead;
  5. being cautious with USB thumb drives and scanning them with reliable anti-virus software each time you cannot avoid inserting one.

The Cloud Nine of the Browser Passwords

In August 2016 Norwegian browser vendor Opera Software was featured in Wired. While a Wired appearance is a dream for many tech businesses, this one was huge trouble: the article discussed a recent successful attack on Opera’s IT infrastructure. In particular, the Norwegian vendor confirmed that the hack affected the browser passwords of 1.7 million customers who used its Opera sync feature.

This story illustrates a new challenge in cybersecurity. As Marc Goodman put it in his book Future Crimes, Moore’s law creates Moore’s outlaws. Consequently, the more information we share with the cloud, the more interested cybercriminals are in stealing it.

Moore’s Outlaws

In Future Crimes Goodman compares the ubiquitous move to cloud computing to the introduction of the railway locomotive on the American Frontier. Before the railway, outlaws of the Wild West had to travel from post office to post office to commit their robberies. With the introduction of the railway, train robbery became a far more effective option: people like Jesse James or Butch Cassidy could rob a single train carrying the money and valuables of a number of banks and post offices.

Poster of the “The Great Train Robbery” movie (1903). Image by Wikimedia Commons.

Cloud syncing services like Google Passwords are a modern version of the locomotive on the digital Frontier. They are convenient in the modern computing environment and ensure seamless handoff between your various devices.

However, these services also make it easier for hackers to reach your personal perimeter. They can now do it by compromising a single password: the one for the cloud service where your browser passwords are vaulted. Alternatively, hackers can attack the cloud service itself in order to get to you, as happened in the case of Opera sync. Credit goes to Opera Software for reporting the incident and dealing with it in public.

The Password ‘System’ and the Black Mirror Risks

Being hacked is not the only risk that walks hand in hand with cloud syncing of browser passwords. Unfortunately, vendors of browsers and software password managers are not doing enough customer education to explain these ‘other’ risks. We will try to do it for them.

Some people prefer to trust ‘non-important’ passwords to their browser while keeping the most important ones to themselves. These people might also have their own ‘password system’. In essence, such a system consists of passwords that include some ‘default’ word or phrase, followed by the name of the service whose account it protects. The user might mix in additional numbers and symbols to meet the minimum password requirements of services like Dropbox or Apple ID, or of a corporate password policy.

The resulting password might look like MyDefaultPassphraseGmail$^1989. On balance, this is quite a strong 30-symbol password, containing capital and small letters, numbers and random keyboard symbols. Other passwords in the ‘system’ might look like [email protected]#1989, MyDefaultPassphraseApple*+1989, etc.

Don’t Make it Easy for the Brute Forcers

Now let’s assume our user trusted only her Facebook password to a browser. The browser then synced the password to the cloud, and a hacker illegally obtained it from there. Now only two symbols, not thirty, of this ‘password system’ separate the hacker from the user’s Google Account or Apple ID.
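The following self-audit, added here as an illustration and not part of the original post or of any Hideez product, shows how a vault owner or a password manager could catch such a ‘password system’ before one leaked entry exposes the rest. It runs over a constructed sample vault modelled on the post’s MyDefaultPassphrase pattern and reports, for each entry, how many characters are neither shared with another entry nor equal to the service name.

```python
from os.path import commonprefix

# Constructed sample vault modelled on the post's pattern (not real credentials):
# three entries follow the 'system', one (Bank) is an independent random password.
SAMPLE_VAULT = {
    "Gmail": "MyDefaultPassphraseGmail$^1989",
    "Facebook": "MyDefaultPassphraseFacebook!?1989",
    "Apple": "MyDefaultPassphraseApple*+1989",
    "Bank": "q7R#vLp2$wX9mK",
}


def shared_prefix_and_suffix(pw, others):
    """Longest prefix and longest suffix that `pw` shares with any other
    entry. os.path.commonprefix compares character by character, so it
    works on arbitrary strings, not only on paths."""
    prefix = max((commonprefix([pw, o]) for o in others), key=len, default="")
    suffix = max((commonprefix([pw[::-1], o[::-1]])[::-1] for o in others),
                 key=len, default="")
    return prefix, suffix


def unique_part(pw, others, service):
    """Characters of `pw` that someone holding another entry from the same
    vault would still have to guess. The service name is displayed next to
    the login box, so it adds no secrecy and is stripped as well."""
    prefix, suffix = shared_prefix_and_suffix(pw, others)
    if len(prefix) + len(suffix) >= len(pw):
        return ""  # exact reuse, or fully covered by the shared parts
    core = pw[len(prefix):len(pw) - len(suffix)]
    idx = core.lower().find(service.lower())
    if idx != -1:
        core = core[:idx] + core[idx + len(service):]
    return core


def audit_vault(vault, min_unique=8):
    """Return {service: (unique_part, flagged)}; an entry is flagged when
    its unique part is shorter than `min_unique` characters."""
    findings = {}
    for service, pw in vault.items():
        others = [p for s, p in vault.items() if s != service]
        u = unique_part(pw, others, service)
        findings[service] = (u, len(u) < min_unique)
    return findings


if __name__ == "__main__":
    for service, (u, flagged) in audit_vault(SAMPLE_VAULT).items():
        status = "WEAK: shares a pattern with another entry" if flagged else "ok"
        print(f"{service:9} unique part={u!r:6} {status}")
```

On the sample vault the three patterned entries come out with a unique part of two characters each, matching the post’s ‘two, not thirty’ observation, while the independent Bank password keeps all fourteen.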

Motion picture still from ‘Black Mirror’ TV series produced by Charlie Brooker and Annabel Jones. The series explore a relationship between humanity, technologies and the new reality. Image credit by Gizmodo

In Cloud We Trust

Another risk of cloud storage of passwords without proper customer education is that it facilitates social engineering schemes. Most noteworthy, trusting your browser passwords to a cloud naturally increases your ‘cloud anxiety’. It means a pop-up notification saying ‘Somebody requested access to your Google Passwords’ will at last attract your attention. In the worst-case scenario you might end up clicking it.

Therefore, while cloud syncing of browser passwords is inevitable in the future, use it with great caution. Trusting just ‘some’ passwords to your browser might in the end compromise all your browser passwords.

Hideez Key and Browser Passwords

Hideez Key allows you to store your passwords securely and sync them between your various devices without the Internet. Besides, it can securely input your passwords into the desired password fields. Moreover, automated input works not only in your favorite browser, but in mobile or desktop applications as well.

How does automated input work in Hideez Key? Hideez Safe detects the active application (on desktop) or the active screen (on mobile) of your OS. If the active application is a browser, Hideez Safe processes the URL and the input fields. For other applications (‘not browser’) Hideez Safe works with the active process name or description and detects the input fields. The video on the left explains our approach. Compare it with the video on the right, showing Google Authenticator performing the same task, and notice that Hideez Key is two times faster (15 seconds).

Videos: Gmail Login Using Hideez Key (0:15); Gmail Login Using Google Authenticator (0:32)

With Hideez Safe you can protect all your passwords with a master password. It can be truly random, as you might opt to perform an eye vein scan instead of typing your password.

If you worry about losing your Hideez Key, you can simply use another Hideez Key as a backup. Remember your spare car key? This approach works in the same manner. If you don’t want to buy a second Hideez Key, you can create a backup file using Hideez Safe. However, you will then be responsible for keeping this file safe.

Author: Gennadiy Kornev

Marketing and Product Advisor of Hideez Technology, content distribution systems architect, project manager, dad

2 Comments

  • Sam Leivers July 20, 2017 at 4:56 am

    Winston Churchill said that about browsers? For a guy who died in 1965 he was really ahead of his time with internet security wasn’t he! Joking aside, you never heard of him getting his online banking hacked though…

    • Gennadiy Kornev July 26, 2017 at 8:38 am

      Sam, we guess the explanation is: there were not that many online banking solutions in his time )
