RedLine information-stealing malware targets popular web browsers, steals credentials

Discussion in 'malware problems & news' started by guest, Dec 30, 2021.

  1. guest

    guest Guest

    RedLine malware shows why passwords shouldn't be saved in browsers
    December 28, 2021
    AhnLab ASEC: Redline Stealer Targeting Accounts Saved to Web Browser with Automatic Login Feature Included
     
  2. guest

    guest Guest

    Have I Been Pwned adds 441K accounts stolen by RedLine malware
    December 30, 2021
    Data has been added to Have I Been Pwned:

    RedLine Stealer – 441,657 breached accounts
     
  3. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,263
    Location:
    Member state of European Union
    Yesterday I read an article from a popular, but non-English, website about security, pentesting etc. They completely disagree with this headline. Their line of thinking is that passwords or other credentials will eventually be stolen from an infected computer whether you store the password in the browser, in KeePass, or type it in.
    There is probably more nuance to this (some people use anti-keylogger software, KeePass can protect the master password by asking for it on a secure screen), but I tend to lean toward the "passwords will be stolen eventually" side. Precautions may buy some time and limit damage, but an infection will probably steal at least one credential on the vast majority of users' computers.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    What I don't understand is why browser developers are not doing more to keep passwords safe. It's a fact that browsers are still using weak encryption, that's why password recovery tools don't have any problems whatsoever accessing passwords stored by the browser. Luckily there are certain tools that you can use to stop malware from getting access to passwords like HitmanPro.Alert and Secure Folders. But I'm not sure how they would perform against this RedLine malware.
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,263
    Location:
    Member state of European Union
    I don't think encryption is weak. It is just easy to intercept the master password while it is typed or later extract it from process memory.
    Even if passwords were somewhat protected (it won't be perfect), malware can still steal cookies with session information, thus you are still in danger. The best advice is to prevent malware installation or stop malware at early stages when it still does not have privileges, and do not use malware-infested computers.
    Also use some kind of 2FA wherever you can so other people won't be able to do that much even if passwords are stolen.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Why I call encryption "weak" is because I could recover passwords stored by the browser with password recovery tools from Nirsoft. I tested this with Vivaldi, I'm not sure if this will also work on Firefox. Now that I think of it, when I want to see those passwords from within Vivaldi, it will ask for the PC login password, but this isn't the same as a master password, right? Is this even possible with Chromium-based browsers, so perhaps passwords are not encrypted at all? BTW, HitmanPro.Alert can now also protect session cookies.
     
  7. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    418
    Location:
    Finland
    I don't use any password managers, simple as that. I use my brain :D for that. Even so, I really recommend freeware keystroke encryption and third-party firewall software that does not rely on Windows' own basic firewall. So much malware targets the stupid Windows firewall.
    Comodo Firewall, especially its firewall component, is great, because it works on the kernel side itself. Own driver. Never ever use Windows fw software, ever.
     
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,263
    Location:
    Member state of European Union
    I don't know much about Chrome or vanilla Chromium regarding passwords. I don't use them.
    I think Firefox encrypts passwords reliably only if you set a master password (it is called primary password now).

    https://support.mozilla.org/en-US/kb/use-primary-password-protect-stored-logins

    The problem is that malware can still see Firefox process memory on Windows and extract that. Just do use 2FA and don't use browsers on malware-infested computers.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I believe this is the problem, Chromium-based browsers use weak encryption. Like I said, I would like to see more password security built into the browser itself. They really dropped the ball on this.
     