August 23, 2012, 3:38 PM — Having your Web browser remember your passwords and/or credit card details can be convenient, but it poses some security risks. How much of a risk depends on which browser you're using, whether you sync with other devices, and whether you're using any of the browser's extra security features. Here are the main vulnerabilities in some of the most popular browsers (Internet Explorer, Google Chrome, and Mozilla Firefox) and ways you can protect against those weak spots.
Common Security Risks
The biggest problem with having your browser save your passwords involves prying eyes. Not only can other users who have access to your computer log in to your accounts and see your actual passwords or credit card details, but so can a thief if your computer, smartphone, or tablet gets lost or stolen. And the same risk applies if you haven't properly erased your data from your PC when you get rid of it; whoever ends up with it next might be able to recover your information. Also, some viruses and malware can steal your saved passwords or credit card details.
As you may have noticed, banking sites (and many others that deal with highly sensitive information) don't let your browser save your password. However, if you use the same or a similar password on sensitive sites that you do on less-secure sites, someone else may be able to easily guess your banking password, for example.
Some browsers let you (or, potentially, thieves) view a list of your saved login credentials, including the site, username, and password. And for those that don't, utilities like WebBrowserPassView can easily let you compile a list of them. This is handy if you forget a password or you want to evaluate all your passwords, but it's problematic if an intruder uses such software on your computer. Another way you (or thieves) can recover saved passwords is by using a utility like BulletsPassView to reveal the password behind a masked password field on a webpage or window.
In the next sections, we'll take a look at three popular browsers, Internet Explorer 9, Chrome, and Firefox, to evaluate their credential-saving features, and discuss some tips for better securing them.
Internet Explorer 9
Internet Explorer 9 offers the most basic password-saving functionality of the three browsers we're covering. Its AutoComplete feature can also remember your name, address, and other data you type into Web forms or search fields. It doesn't provide a way for you to view saved passwords from within the browser settings: It only allows you to change the main settings and delete all AutoComplete history.
Not being able to view a list of the passwords can help prevent casual snooping. And even though you can still log in to sites the browser saved the password for, you can't by default view the password itself. As mentioned before, however, a determined hacker can use a utility to see a list of all your saved passwords or to reveal the actual characters behind the password field on a login page.
Unfortunately, Internet Explorer 9 doesn't offer a native synchronization feature to keep your settings and saved data synced across multiple computers or devices, but, from a security standpoint, at least that's one less risk you have to worry about.
Internet Explorer 10 in Windows 8 will provide new password saving and syncing features, but it's not yet clear if they will be available when you use Windows 7. When I tested the Release Previews of Internet Explorer 10 and Windows 8, I found that you can view and manage saved browser passwords using the improved Credential Manager in the Control Panel. And for security, before you can view the actual saved passwords you must reenter your Windows account password, which can help prevent casual snooping by others.
Windows 8 will also offer a new synchronization feature that lets you sync passwords for apps, websites, and networks (in addition to Windows settings and preferences) across your other Windows 8 computers and tablets. For security reasons, before you sync your passwords with a new computer or tablet, you must log in to a Microsoft site and approve the new device. And if you've specified a mobile number on your Microsoft account beforehand, you'll get a confirmation code texted to your mobile phone that you must enter on the Microsoft site before the trust is granted and passwords are synced.
Google Chrome 21
Google Chrome provides a more feature-rich password-saving feature than Internet Explorer does, as well as an autofill feature that can also keep track of your credit card details. But while these can be great time-saving features, they also pose more security risks.
Chrome lets you (or a thief, for that matter) browse through the list of saved usernames and passwords (alphabetized by site name) or enter the site name into the search field to filter the list.
For privacy, Chrome masks each saved password with asterisks, but you can click the entry and press the Show button to reveal the actual password. You can also change the password, but unfortunately Chrome doesn't sense password changes, so it won't prompt you when you log in to a site with a new password. You must go to the saved password entry and update it manually.
You can view a list of all saved addresses and credit card details, including the name on card, the account number, and the expiration date. Chrome partially masks your credit card numbers with asterisks, but you can click the entry and then click Edit to reveal the full number. The only card detail not saved is the card's security code, which is often, but not always, required to make purchases.
Unfortunately, Chrome doesn't offer a master password feature like Firefox does in order to protect all your passwords and credit card details. Thus, anyone who's logged on to your Windows account can view all the saved passwords and credit card details.
Chrome offers a syncing feature to keep most of your settings and saved data (including passwords, but not credit card details) synced across multiple computers and devices, but this creates another security vulnerability. By default, Chrome only requires you to enter your Google account password to set up a new computer or device to sync your browsing data. This is a great convenience; but if your Google account password is hacked, the intruder can potentially access a list of all your passwords unless you set a syncing passphrase, as we'll discuss.
To keep your saved passwords secured during syncing, Chrome encrypts them when they travel from your computers or devices to Google's servers (and vice-versa). You can also set the browser to encrypt all other synced data.
By default, Chrome uses your Google account password to encrypt and decrypt the synced data, but you can enter another passphrase if you want to add an extra layer of protection to your synced data. When you set up Chrome to sync on a new computer or device, you'll need to sign in with your Google account password and then also enter your encryption passphrase.
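The following is an added illustrative model, not Chrome's actual sync code, of the point made above: when the key protecting synced passwords is derived only from the account password, anyone holding that password can decrypt the synced list, whereas a separate passphrase removes that dependency. The salt, iteration count and the HMAC-based stand-in cipher are constructed for the demo.

```python
"""Model (not Chrome's real implementation) of sync encryption keyed either by
the account password (default) or by a separate passphrase."""
import hashlib
import hmac
import secrets
from typing import Optional

SALT = b"constructed-sync-salt"   # constructed value for the demo


def derive_key(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a demo value, not Chrome's.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()   # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None   # wrong key or tampered data: refuse to decrypt
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def sync_upload(account_password: str, passphrase: Optional[str], saved: bytes) -> bytes:
    # Default: key from the account password. Custom passphrase: key from it instead.
    return encrypt(derive_key(passphrase or account_password, SALT), saved)


def intruder_with_account_password(account_password: str, blob: bytes) -> Optional[bytes]:
    # Models someone who has only the leaked account password, not the passphrase.
    return decrypt(derive_key(account_password, SALT), blob)
```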