
The internet has become an indispensable part of modern life, woven into every facet of our existence. Its importance stems from its unparalleled ability to connect people, ideas, and information across the globe in seconds. From communication and education to commerce and entertainment, the internet has changed the way we interact, learn, work, and play. We do a lot online, whether it is social media, online banking or shopping, and we leave invisible footprints as we go. Most online services require us to create or sign up for an account, both to tailor the service to individual needs and to protect the personal information we provide from unauthorised access.

As we sign up for accounts on many online platforms and services, it becomes very difficult to remember all the passwords. I always struggle to remember the passwords when I try to log in to my online shopping or social media accounts. Fortunately, mobile apps make this easier because they hold the login information and we don't have to enter it again until the session expires. To make remembering passwords easier still, modern browsers offer to save your password whenever you sign up or log in to a website. This lets users choose a random password, most likely a hard one to remember, because the browser takes care of remembering it and we don't even have to count the characters. It is very convenient for internet users: they don't need to type anything manually, the browser does the hard work, including auto-filling your login information.

The process is much the same for all modern browsers; however, I am only showing Chrome and Microsoft Edge in this article. When you save a password in Chrome or Edge, it is stored in the browser's password manager, which can be accessed from the browser settings as shown below. There are other benefits to saving passwords in the browser, such as being told if any of your saved passwords appear in a known compromised ("pwned") list. Google and Microsoft will also store your passwords in their cloud if you enable sync.

Enabling sync

Google describes the compromised-password check like this: when you use Chrome to sign in to a website, Chrome encrypts your username and password with a secret key known only to your device, then sends an obscured copy of your data to Google, so it can be checked against known breaches without Google seeing the actual credentials. So there is nothing wrong with how the passwords are stored and protected in transit. The security concern lies elsewhere. Let me explain.
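To make the "obscured copy" idea concrete, here is an added example (not from the original article, and not Google's own protocol, which uses a different private-matching scheme): the k-anonymity range lookup used by the Have I Been Pwned "Pwned Passwords" API, which Firefox and many password managers use. The client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix in that range, and does the match locally, so the full hash never leaves the device. The range body and counts below are constructed for the example; only the suffix for the string "password" is its real SHA-1 remainder.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API (only used by fetch_range_live, never by the offline demo).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password):
    """Return (prefix, suffix): the first 5 and the remaining 35 uppercase hex chars of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix; 0 if absent.

    Padding entries (count 0) that the API can add to hide the real range size are harmless here."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix):
    """Network fetch of a real range. Note that only the 5-char prefix leaves the machine."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_live):
    """How many times the password appears in the breach corpus; 0 means not found in that range."""
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed range body for prefix 5BAA6. The second suffix is the real remainder of SHA-1("password");
# the other lines and all counts are made up for the demo (a real response has hundreds of lines).
SAMPLE_RANGE_5BAA6 = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
21B33CFC9E4B5F6CD6B1A1FBBF6A5E9E3E2:0
"""

if __name__ == "__main__":
    # Offline run against the constructed range body
    print(breach_count("password", lambda prefix: SAMPLE_RANGE_5BAA6))
```

The point to take from this is that the lookup leaks almost nothing about which password is being checked (roughly one in a million hashes shares a given prefix), which is why a browser can run it against every saved password without exporting anything in clear.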


Retrieving saved passwords from a Browser

Retrieving a saved password from your browser is quite easy. Go to the browser settings and search for "passwords" in the search box at the top, see the screenshot below. As soon as you try to view any saved password, the browser prompts for your computer password or PIN to prevent unauthorised access. This works well against someone who sneaks in to steal your passwords when you leave your computer unlocked and unattended, but note what it actually checks: the same operating-system login you are already signed in with. On Windows the browser's password store is protected with the Data Protection API (DPAPI) under your Windows account, so anyone who can log in as you, or run code as you, can read it.


Security Concern One

Here is my first security concern: say your computer login has been compromised, or your computer is stolen. What can happen? The first case, a compromised computer login, is worrying because there is usually bad intent behind it. Attackers steal computer logins so they can access your information and cause damage that you don't notice quickly. Your computer may be an expensive, high-spec machine with antivirus, firewall, and anti-malware installed, but their interest is not in your hardware. The second case is less worrying. The thief will probably sell your expensive computer cheaply to someone who wipes it and starts fresh.

So what can happen in the first case:

  • Attackers can log in to your computer and steal your sensitive information through a cloud transfer. They don't need to be physically present to do this.
  • They can log in remotely and export all your saved passwords from the browsers. As usual, the browser prompts for the computer password, but they already have it. Bingo.
  • The passwords can be shared on the dark web and made available to other criminals.

The most concerning issue for me is that the exported passwords are a CSV file in plain text, which anyone can read. There is no further protection on that file.

Another key point: this can also happen when you hand your device to someone for repair together with your login details. Keep this in mind. There are also tools like Trinity Rescue Kit that reset or clear local administrator passwords offline. One caveat for that route: on Windows, resetting a local account's password from outside (rather than changing it while logged in) invalidates the DPAPI keys derived from the old password, so the browser's saved passwords become unreadable to whoever did the reset. The export trick works against a login the attacker already knows, or, for domain accounts, after an administrative reset, which is the second concern below.

TIPS: Never export your browser passwords and save them on the computer's disks. If you have exported them for whatever reason, delete the file immediately.

Security Concern Two

Say you have worked for company XYZ for a long time. The company gave you a laptop to do your job. Now and then you browse the internet during a break: you check your email, do a bit of online shopping, browse social media sites, and so on. Most of these services require a sign-up or login. So, as usual, we struggle to remember the password, since it was probably set on the home computer and we never bothered to remember it because the browser remembers it for us. Now you turn on sync in the browser of the work computer and, bingo, all your bookmarks, settings, and saved passwords are available in the work computer's browser. This is very convenient, that's how most of us think: now I don't have to remember any passwords, whether I am using the home or the work computer. Most large companies these days control browser settings so that end-users cannot install extensions or enable browser sync, for security reasons. This is a great security practice; I in fact support this idea, even though at one stage I was really annoyed when I couldn't sync my passwords.

Now imagine you leave the company, perhaps for a better, more exciting opportunity, or in the worst case because you were let go. You need to return the device to IT, and they will scan and clean it up. You might think: the IT guy cannot log in to my account since no one knows my secret password, so I am safe; he would need to log in to my profile to see my files and the saved passwords in the browser, so I don't have to delete them. WRONG! The IT guy can reset your password within seconds in Active Directory (AD), log in, and access your profile and everything you left behind. For a domain account an administrative password reset does not lock away DPAPI-protected data, because the keys can be recovered through the domain's backup key, so the browser's saved passwords are readable after the reset, not just your files. Imagine the IT guy is a bit nosy and curious about all the good work you have done. Most of the time they don't go through your stuff unless asked to for whatever reason. Either way, once he has reset your password and logged in to your profile, he can access pretty much everything. He can export your browser passwords and do whatever he likes with them.

So, how can we be more cyber-safe and protect ourselves from these kinds of exposures?

Enable MFA/TFA:

Most good websites offer Multifactor Authentication (MFA) or Two Factor Authentication (TFA): as soon as you log in, this extra layer of security sends an authentication code by SMS, or has you read one from an Authenticator app, to ensure the request is legitimate. I strongly recommend enabling this feature wherever possible. The downside is that if you don't have the registered device with you to receive the SMS or run the Authenticator app, you may not be able to log in. It can be a bit inconvenient; however, this little inconvenience plays a vital role in your account security and safety. Where a site offers both, prefer the Authenticator app over SMS: an SMS code can be intercepted by someone who takes over your phone number, whereas an app code is computed on your device from a secret that never leaves it.

Sharing a story of mine about my MFA experience: for the last few months I was getting SMS messages from Twitter infrequently with an authorisation code. I know my very secret password for my Twitter account is on the leaked password list. I am not a big fan of Twitter or X, so I didn't bother, because I know that they can successfully log in to my account even though they got my login details. Just recently I changed my password to get relief from these SMS messages.

Some websites offer a One Time Password (OTP). This is also good security practice: you enter just your username or email address to proceed, and the website sends the OTP either by SMS to your mobile phone or by email. This can again be a bit inconvenient when you don't have access to your phone or email, but that little inconvenience is worth a lot when it comes to cyber security and safety.

Other websites offer passwordless entry with a Just In Time (JIT) security token link that expires at a set date and time. The link carries a token that only the site can verify and that is only valid within a specific window, so a user logs in by clicking the link before it expires.
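As an added example of how such an expiring login link can be built (not from the original article, and not any particular site's implementation), the token below carries the user's address, an expiry time and a random nonce, signed with an HMAC-SHA256 under a server-side key. Verification checks the signature before trusting anything in the payload, rejects the token once the expiry has passed, and records the nonce so the same link cannot be replayed. The key and addresses are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64u(data):
    """URL-safe base64 without padding, so the token survives in a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_login_token(server_key, email, now, ttl_seconds=900):
    """Issue a single-use token: payload (who, expiry, random nonce) plus HMAC-SHA256 under the server key."""
    payload = {"sub": email, "exp": int(now) + ttl_seconds, "nonce": secrets.token_hex(16)}
    body = _b64u(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    sig = _b64u(hmac.new(server_key, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + sig


def verify_login_token(server_key, token, now, used_nonces):
    """Return the email if the signature is valid, the token is unexpired and the nonce is unseen; else None.

    `used_nonces` is the server's replay store (a set here; a database table in production)."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64u(hmac.new(server_key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):        # verify first, parse second
        return None
    try:
        payload = json.loads(_b64u_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if int(now) >= int(payload.get("exp", 0)):        # expired links are dead
        return None
    nonce = payload.get("nonce")
    if not nonce or nonce in used_nonces:             # each link works exactly once
        return None
    used_nonces.add(nonce)
    return payload.get("sub")


def login_link(base_url, token):
    """The URL the site would email to the user (base_url is whatever the site is; assumed here)."""
    return base_url + "/login?token=" + token


if __name__ == "__main__":
    key = secrets.token_bytes(32)                    # constructed server key for the demo
    used = set()
    tok = make_login_token(key, "alice@example.com", int(time.time()), ttl_seconds=900)
    print(login_link("https://example.invalid", tok))
    print(verify_login_token(key, tok, int(time.time()), used))   # alice@example.com
    print(verify_login_token(key, tok, int(time.time()), used))   # None, already used
```

The design choice that matters most is the order of checks: a token is never decoded or acted on until its signature has been verified, and the expiry plus the nonce store together bound both how long and how often a leaked email can be used.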

It's a shame that most of the big banks in Australia, like ANZ, Commonwealth, NAB, etc., don't offer MFA or TFA. You just need the username and password to log in. I know they probably have some intrusion detection and geo-restrictions in place for Internet banking. It is beyond my understanding how they can offer plain login to clients.

Some Cyber Security and Safety Tips

These tips are mainly focused on Internet browsers.

  • Never save your Internet banking, credit card or other financial portal logins in the browser.
  • Never save your credit card details in the browser.
  • It is acceptable to save passwords for websites that offer MFA, TFA, SSO, OTP, etc., because the password alone is not enough to get in.
  • Regularly clean your browser history and remove sensitive stored passwords.
  • Use a different password for every website. This is difficult in practice, but never reuse your Internet banking password anywhere else.

There are paid password management tools you can use, like LastPass, even though I am not a big fan of these tools either. The good thing about such tools is that they add a layer of security by encrypting your password vault at rest before it is stored in the cloud. The concern, again, is that you are handing over your secret information to them and trusting them. Even though I think your information will be protected by the encryption when a hacker compromises their platform, some people are not comfortable using third-party paid services. I use LastPass and it offers a few good features, like auto sign-in. What I like about LastPass is that you need a master password to unlock the password manager, unlike Internet browsers. It prompts to save the password when you log in to a website.

You can also generate a random password when signing up to a new website. There is a browser extension for LastPass, which is handy.


BE CYBER SMART AND STAY SAFE
