Passwords are often all that stands between a cybercriminal and your sensitive personal information. If the password for an online account is guessed, all information in that account can be obtained and misused. This is why it is important to add multifactor authentication to all online accounts to improve security. This Cybersecurity Awareness Month, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) said adding MFA is the most important step people can take for improving security. Another important step that people can take to improve security is to stop storing passwords in their web browsers, and instead start using a password manager.
If you set a unique password for all accounts and ensure your passwords are 12+ characters long, you will be well protected against brute force attacks against your accounts, and credential stuffing attacks will not succeed. The problem comes with remembering passwords. Given the number of passwords that everyone needs to create across the digital spectrum, it is simply not possible to remember all of those passwords without writing them down. Writing passwords down is never a good idea – If someone finds your password book, they will have access to everything. Most people instead store them in a document on their computer or mobile, use a password manager, or store their passwords in their browsers. Many browsers prompt users to store their passwords when they create a new account on a website and will autofill them when required, so storing passwords in browsers is very convenient. In these respects, the browser is similar to a password manager, but that is where the similarities end. Browsers are great for convenience, but they are not so good for security, at least not as good as a dedicated password management solution.
The developers of web browsers take security seriously and encrypt stored passwords; however, there are security risks. For instance, most people remain logged into their web browser and rarely log out. If anyone accesses your device – computer, mobile phone, etc – they will be able to log in to all of your accounts. Physical access to your devices is not necessary, as if you are infected with malware, the malware provides remote access, and an attacker will be able to obtain all your passwords. RedLine malware is a good example. RedLine malware is one of the most commonly used malware variants and it is capable of stealing passwords from all major browsers along with autocomplete data and much more. Browser-stored passwords can also be accessed by some browser extensions and security researchers have shown on multiple occasions how easy it is to gain access to passwords stored in browser password vaults, even when the passwords are encrypted.
With a password manager, you are required to provide a master password before your passwords can be accessed so you will be better protected if someone gains access to your device. Passwords are stored securely in the cloud, so in the event of a ransomware attack, your passwords will not be encrypted – With browser-stored passwords that is not the case. For businesses, there is an added advantage of a password manager, and that is it provides the IT team with oversight of passwords and accounts. With browser-stored passwords, the IT team will not be aware of all accounts their employees have, which can be a problem when an employee suddenly leaves employment.
Password managers mostly operate under the zero-knowledge model, so the password manager developer has no access to any information in password vaults. The same cannot be said for all browsers. Further, password managers offer many more features than simply saving and autofilling passwords. They allow passwords to be shared securely, allow much more than passwords to be stored, such as notes, files, financial information, and scans of important documents. There are also great options available for free – Bitwarden, for example, has a great free tier and LastPass is also good, although somewhat restricted on the free tier. That said, the cost of password managers is very low for the full versions with all the features. Bitwarden, for example, is only $10 per year, which is a small price to pay for all the features and bulletproof security.