DEV Community

Ajay Neman
Ajay Neman

Posted on

Are You Saving The Passwords On Browsers?

Today I visited one website in chrome browser and after making the process of registration and login on that web site. The browser prompts me that "Hey man, can I get the permission to remember (save) your login details". And as usual, my cerebrum has got activated and started thinking of whether I have to click on allow button or not.

The browser whose major job is to do browsing only and not like the password manager, is really capable to save my password? I asked the question to my brain.

My brain gives reply back to me that hey duffer you have seated in front of a computer screen and on that computer, the browser is there to solve your query so go ahead and search for it.

After exploring this topic I get the following information.

Password managers built into browsers are primarily there for convenience, and security plays a lesser role. The reason for this decision is that regular users are more easily convinced to use a system that is convenient for them, rather than a system that is more secure, but harder to use.

Pros of using it:

You already have it. Everyone uses a browser these days, and all major browsers come with built-in password managers. This means that from a regular user's point of view, the barrier to entry is incredibly low.
It discourages password reuse. People dislike remembering passwords, so they certainly won't remember one password per site. If the browser automatically suggests a strong password upon registering, then the user will not be tempted to reuse an existing password for it. Furthermore, the passwords suggested by the password manager will likely not be cracked by any attackers, should hashes ever be stolen.

Cons of using it:

It doesn't defend against local attacks. Attackers which may have access to the computer of the user (think jealous girlfriend, not government agency) may be able to get the passwords rather easily. With access to the browser, for example when a user forgot to lock their computer, all passwords can be read out in a matter of minutes.
It should be noted that local attacks are not something every user is concerned with.

Someone could potentially hack into your Google account, sign into Chrome, and also get access to all your passwords.

There's no "master password" (outside of your OS password) to protect them if someone should get logged in access to your computer.

On Linux, chrome will allow users to view saved logins, even without requiring a user password (unlike on Windows and macOS, where a user password is required). Firefox, on the other hand, gives instant access to those passwords, without authentication, regardless of platform (unless a master password is set). Like Chrome, Safari at least hides passwords behind a user's password.

How to get the browser saved passwords without knowing the os password of the device.
However, even on the Windows and macOS operating systems, there are ways around the password prompt. For example, using the Inspect Element window of a browser, you can edit the code of a page in such a way that it will un-hash a user password. To do this:

  1. Right-click the password field on a website.
  2. Select Inspect Element.
  3. Double-click on type="password", and replace password with text.
  4. Hit Enter, and close the Element Inspector. The password will be unhashed, revealed for all.

Saving the passwords of the website which is less important, will be ok but saving the passwords of banking websites, social media websites and all such important websites will be dangerous for you.

BeSafeBeAware

:<)

Top comments (12)

Collapse
 
mileswatson profile image
Miles Watson • Edited

If anyone wants to know what they should use instead, I recommend Bitwarden. It is open source, has a good free tier, and premium is only £10 a year (a lot cheaper than the alternatives).

Collapse
 
cfvescovo profile image
Carlo Federico Vescovo

I use a self-hosted version of Bitwarden: github.com/dani-garcia/bitwarden_rs.
It's open source, written in Rust (one of my favourite languages), really fast and it has all the features you would get with the paid version.

Collapse
 
cfvescovo profile image
Carlo Federico Vescovo

(it is also compatible with upstream Bitwarden clients)

Collapse
 
nemanajay profile image
Ajay Neman

Yes Bitwarden is very nice and cost effective than keeper , Dashlane and many others. LastPass is also good password manger.

Collapse
 
_hs_ profile image
HS

Fun thing about Windows and probably macOS: although it requires OS password to see stored credentials you can use Dev tools on each page either by console and do something like document.getElementById('password').value or change type to text on element on the page you want to login. So I don't really see the point of that main pass

Collapse
 
nemanajay profile image
Ajay Neman

I couldn't know this. Thanks for your information.

Collapse
 
surajondev profile image
Suraj Vishwakarma

Nice article to get started with saving passwords on the browser. Google chrome does not only store to chrome but to your account too. You can access those passwords by searching on Google irrespective of platform.

I think having a good password is necessary as you can't remember the password of hundreds of websites and can't take the risk to use the same password.

Collapse
 
nemanajay profile image
Ajay Neman

Yes you are right suraj

Collapse
 
mindninjax profile image
Rishabh Singh ⚡

I personally like to use LastPass to save my passwords which can be easily accessed through extensions and mobile app. Also as you just mentioned, I don't prefer using my browser to store my important passwords simply because I don't trust my browser. But when it comes to passwords of websites which I don't really much care about but I visit often then it's ok for me to store it in the browser for faster access because in such a case I don't really care if my password got stolen.

Collapse
 
nemanajay profile image
Ajay Neman

Yes rishabh you are very correct . its totally depend on how much important the website for us.

Collapse
 
jibudeh01 profile image
jibudeh01

Great article. I hope this garners lot of readership. Simple security measures we all take for granted. Thanks for sharing.

Collapse
 
nemanajay profile image
Ajay Neman

Thanks a lot man. Your comment excites me to write some more amazing articles.