Using browser to remember passwords?

Discussion in 'privacy general' started by Peekaboo92, Sep 18, 2017.

  1. Peekaboo92

    Peekaboo92 Registered Member

    Joined:
    Sep 18, 2017
    Posts:
    2
    Location:
    United kingdom
    Hi. I'm wondering how safe it is to store passwords in a web browser to auto log into websites. I've been wondering this for a while but recently installed Avast internet security which has a password manager. Their password manager asks to scan your browser for "unsafe" passwords. To my surprise it found all the passwords I have stored in Firefox and asked me to save them with Avast.

    I read that the browser encrypts these passwords and they are safe but Avast seems to make a mockery of that and tell you they aren't safe. So my question is: should I store my passwords in the browser or use the Avast password manager, though I'm not sure if it's cloud based or stored on my computer. I'm assuming it's cloud based which makes me a bit uneasy too.

    Thanks.
     
  2. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    That certainly does make a mockery of the Firefox password store. Is that the latest version of Firefox?
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    LastPass does the same. I think the "safety" means from external attackers, not from applications "on" your machine.

    I've never trusted the browser password stores and switch them off. I only partially trust LastPass too (including 2FA), and don't use it for financial institutions.

    Mind you, I only access online banking from a dedicated USB live Linux distro dedicated for that purpose.
     
  4. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    I trust LastPass but only with the YubiKey. I specifically do not have any other recovery method except for email, which is also YubiKey secured. I wouldn't use anything else unless it's offline.
     
  5. Peekaboo92

    Peekaboo92 Registered Member

    Joined:
    Sep 18, 2017
    Posts:
    2
    Location:
    United kingdom
    Yes, it's the latest version. The passwords do seem to be encrypted by Firefox, but I, or anyone with access to my computer, can see them in the Firefox privacy settings.

    I'm going to look into this further as it seems very dangerous that a third party application can read the passwords.

    I really don't want to use a cloud-based password manager either. To me that's actually worse because it's entirely out of the user's control.
     
  6. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I would not trust FF at all with anything security critical. My personal opinion is there are people in the FF development who have been deliberately undermining its security features for years and are still doing it.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Well, we put our qualified trust in a chain of things when we access the cloud which are entirely outside our control, and I think I mistrust the other things more! My take is that for access to "normal" websites, cloud-based password management is OK, particularly if backed by 2FA (YubiKey for LastPass), and you don't have to give LastPass the full password either; you can decorate it manually.

    In addition, where you're talking sharing with family for example, it simply isn't realistic to expect them to use anything that's not pretty transparent.

    Of course, local password managers such as KeePass or Password Safe are likely better (and I use them too); again, these can be backed by YubiKey HMAC.

    The real bugbear, though, is that most websites are pathetic when it comes to supporting 2FA directly, particularly since there's a cheap option available - U2F. It's my opinion that websites should be compelled by regulation to do something of this kind if they handle any kind of data which falls under Data Protection legislation or GDPR. But our Beloved Representative won't act on that kind of thing.
     
  8. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    If it was designed properly, a browser password manager should be the most secure way of doing it, and I can tell you this with 200% certainty. If it is not, it is deliberate.
    Non-developers don't realize how the application is created in a modular fashion. The code for password management could almost be considered a standalone device.
    The developers first decide on the logic: a plain description of what it will do exactly, and how it will work exactly. When I say exactly, I mean exactly. All the finer points are discussed and gone over so everyone involved knows exactly what they need to do before they start coding.
    Then when you start writing the code it has to be perfect for it to run; the slightest error will make it crash.
    So if developers create a password manager claiming it is encrypted and safe, when in fact any third party applications can extract those passwords, it is deliberate and by design, and the coding community, those of us left who have not already been bought and paid for, needs to quit being polite and politically correct and calling them "security flaws" and start saying it how it is.
    They are despicable liars and they have been selling out our security on a daily basis. That is what they are there for and that is all they do.
     
    Last edited: Sep 22, 2017
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It's not recommended because for some reason browsers don't use strong encryption when storing passwords. Also, it's sometimes possible for websites to steal passwords via certain browser bugs. That's why I decided to switch to KeePass years ago, even though it's convenient to use the browser for auto-fill.
     
  10. assersegsten

    assersegsten Registered Member

    Joined:
    Sep 13, 2016
    Posts:
    73
    Location:
    denmark
    I use LastPass (paid version), and I am very fond of the way they handle things, and I feel very secure :)
     