Saving Your Passwords In Your Browser? Bad Idea!

I just read an interesting article from Sophos about the rather insecure method that the Google Chrome browser uses to save passwords.  To see it for yourself, click on the “Customize and Control” icon at the far right of the address bar, choose “Settings” from the menu, click the “Advanced Settings” link at the bottom of that window, then scroll down to “Passwords and Forms.”

[Screenshots: Chrome example; Chrome password settings]

Click on the “Manage saved passwords” link.  You will be shown a list of the websites where you have stored a saved password, and clicking on the “Show” button will show your passwords in plain text.

This is NOT secure.  Anyone sitting at your computer can view your passwords.

Firefox has a similar feature.  You can protect the saved passwords with a master password, but you have to set it up.  Click on the “Tools” menu, select “Options,” then click on the “Security” tab.  Check the “Use a master password” box and set up your password.  Without the master password in place, anyone sitting at your computer can harvest your passwords.

[Screenshot: Firefox example]


Internet Explorer saved passwords are a bit more difficult to find, as you have to open the Control Panel, User Accounts, and click on the “Manage your credentials” link to find them, but they are not shown in plain text.

A determined hacker who has tricked you into installing a Trojan horse is, for all intents and purposes, sitting in front of your computer.  Even the IE passwords that are obscured can be downloaded in their encrypted form and revealed in short order (generally a couple of minutes to a day or two) using password cracking software.

We advise our clients and those people who take our computer security class, “The Bulletproof Computer,” never to let the operating system or browser store your online passwords.  We are now offering you the same advice.  Protecting yourself from online exposure is more important than ever, since the tools the bad guys use make it trivial to break most passwords shorter than 8 characters.  Do what you can to make it as difficult as possible.
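To follow this advice you first need to know which sites your browser has already saved a login for, so you can move them elsewhere and delete them. The script below is an added example, not part of the original article: it lists the sites (never the passwords) recorded in a Firefox or Chrome profile folder. The file, table and column names (`logins.json`/`hostname`, `Login Data`/`logins`/`origin_url`) are assumptions about current browser versions, and the sample data is constructed.

```python
import json
import sqlite3
import tempfile
from pathlib import Path


def firefox_saved_sites(profile_dir):
    """Sites with a saved login in a Firefox profile (reads logins.json)."""
    path = Path(profile_dir) / "logins.json"
    if not path.exists():
        return []
    data = json.loads(path.read_text(encoding="utf-8"))
    return sorted({entry["hostname"] for entry in data.get("logins", [])})


def chrome_saved_sites(profile_dir):
    """Sites with a saved login in a Chrome profile (reads 'Login Data')."""
    path = Path(profile_dir) / "Login Data"
    if not path.exists():
        return []
    # Open read-only; only the site column is queried, never the password.
    conn = sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = conn.execute("SELECT DISTINCT origin_url FROM logins").fetchall()
    finally:
        conn.close()
    return sorted(r[0] for r in rows)


def build_sample_profiles(root):
    """Constructed sample data so the example runs without a real browser."""
    root = Path(root)
    (root / "logins.json").write_text(json.dumps({"logins": [
        {"hostname": "https://mail.example.com"},
        {"hostname": "https://bank.example.com"}]}), encoding="utf-8")
    conn = sqlite3.connect(root / "Login Data")
    conn.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT)")
    conn.execute("INSERT INTO logins VALUES ('https://shop.example.com/', 'pat')")
    conn.commit()
    conn.close()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profiles(tmp)
        for name, sites in (("Firefox", firefox_saved_sites(profile)),
                            ("Chrome", chrome_saved_sites(profile))):
            print(f"{name}: {len(sites)} saved login(s): {', '.join(sites)}")
```

To check your own machine, pass your real profile folder to either function with the browser closed; an empty list means nothing is stored there.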


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
