Recently, a bank in South Africa (FNB) drew the ire of the security and privacy communities when they disabled the use of password managers on their online banking system – resulting in people having to remember much shorter and less secure passwords as opposed to highly secure passwords generated in password managers. From their press releases, it would seem that their intention was to disable the saving of passwords in a browser, which inadvertently disabled the use of password managers too. They have since retracted the code that disabled this so that password managers can remain in use, while issuing a stern warning against saving your passwords in a browser. They are correct in recommending this but the articles do not discuss the differences or why one is better than the other – this is where I’m coming in.
Saving in a Browser
Most, if not all, modern web browsers have the functionality to save passwords, credit card information and various form fields in the browser. This is meant to speed things up when you are browsing and to be for your convenience. While auto-filling of forms is really handy, I cringe at having my passwords remembered by a browser. You can tell if your browser is remembering passwords if you go to a website, and you see your password is already filled in (often the boxes will be highlighted in a different colour like yellow, green or blue).
This database of passwords is built up while you are browsing. Each time you log into a site, your browser will pop up a message asking whether you want it to remember the password. If you select “yes”, it is stored in the browser (and to whatever online account is linked to your browser – like a Gmail account for Chrome).
Why it’s bad
The most glaringly obvious problem with this is the fact that once passwords are saved like this, you no longer need to type your password in on the computer, resulting in anyone with access to your keyboard and mouse being able to log in to your online banking portfolio.
The next reason this is bad is that all these passwords are easily retrieved and viewed if someone has access to your computer. In recent versions of browsers you do get asked to enter your Windows password or PIN before being able to reveal them, but this is hardly secure if someone in your household knows your password. I have an old lab computer that still syncs with a Google account that has not yet been wiped, and if I open settings in Chrome I can view everything saved in the browser.
The first risk here is that even without any additional protection, all my usernames are exposed for any services I used. Coupled with this, if I click on the little eye to the right of the line, it reveals any password by just requiring my Windows login or PIN, as shown below.
With saving passwords in the browser, anyone with access to the browser can simply log in to ANY service I use, and my browser provides them with a full list of every service available to exploit. A VERY. Bad. Situation.
Saving in a Password Manager
A password manager offers a similar service, but in a much more secure manner. Decent password hygiene means that you should have a different password for every service that you use online; however, this quickly becomes incredibly difficult to remember. A password manager is an application (usually with a browser extension) that requires a secure master password before completing the passwords on a form for you – already a vast improvement on the above.
Why it’s good
If I look at my password manager that I’ve been using for the last few years, I have over 300 services that I am registered for online (you will be amazed at how many passwords you collect online). Your password manager remembers all your passwords for you, stores them in an incredibly secure manner, allows you to generate incredibly secure and long passwords on the fly, and in the case of 1Password (the product I use), checks that your passwords have not been compromised in recent breaches.
You still have the functionality in the browser of automatically filling in passwords – remembering 300 random 24-character passwords would be impossible – but it takes a much more secure approach. For any password that needs to be filled in, you get asked for a master password, something easy for you to remember. This then unlocks a secure, encrypted vault of passwords that can be used to log into websites.
You’ll see that in my browser the fields are not auto-populated on the webpage, but instead that 1Password is listing a matched password for the site I’m looking to log in to, in this case Facebook. Selecting that login then automatically fills in the page.
Depending on the tool you use, this vault may be encrypted and stored in the cloud (like 1Password and LastPass), or it could be stored on your own computer (like KeePass). In all cases, the mechanisms that these managers use to store passwords are far more secure than saving to the browser, because the vault is only readable with the master password. When you log into a new site for the first time, you can store the password in your secure vault in much the same way that you would retrieve it.
To manage your passwords and other information it secures, you can simply open the manager. I am partial to the functionality of 1Password, but you can find the manager that works for you. You’ll see in the below example that the manager will even point out weak and reused passwords.
Where to from here?
Get yourself a password manager and disable the browser functionality for storing passwords – this can be done in the settings section of any reputable browser. I am partial to 1Password, but there are others out there too. The way they work differs slightly from one to the next, so you’ll need to find a fit for you. 1Password, Dashlane and LastPass also work on your mobile devices, which is a great plus, while KeePass has ports to mobile too (I have not used KeePass).
Ross G Saunders Consulting is a niche data protection consultancy, working with a number of professional partners in order to help you as a business comply with data protection regulation. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers.