Don’t store passwords in your web browser | information age


After years of warning users to create strong, unique passwords, security analysts are also warning against relying on web browsers’ built-in password managers to store them.

Although browsers can now store your passwords – and use them to automatically log you into websites – experts warn that cybercriminals are targeting this feature with great success.

Stored passwords can be viewed by anyone with physical access to your computer, many browser plug-ins have direct access to system data, and specially crafted malware can infiltrate the browser’s own password store. Some malware can even grab details from password fields as they are automatically filled in by browsers.

“If your computer is infected with malware, an attacker can gain decrypted access to browser storage areas,” explains a recent discussion from Microsoft about the security of its Microsoft Edge password manager.

“Internet browsers are not equipped with defenses to protect against threats where the entire device is compromised due to malware running as a user on the computer… The attacker’s code, running as your user account, can do anything you can do.”

This warning turned out to be more than academic for a recently hacked company that called on AhnLab ASEC’s security analysis team to investigate the incident.

This team discovered that the network had been hacked after a remote employee used his web browser to store the password for the company VPN used to securely access company systems from home.

After the teleworker’s computer was infected with credential-stealing malware, the company’s VPN password was stolen and used by cybercriminals to log into the company’s business network and steal from it.

This malware is more common than you might think: Check Point Research, for its part, recently warned that more than 2% of all Australian cyber incidents were caused by infection with Formbook, a long-established information stealer which extracts passwords from web browsers, screenshots user activity, monitors and logs keystrokes, and can install further malware on the instruction of cybercriminals.

A new, updated version of Formbook was discovered last month, while in March researchers discovered hackers selling new data-stealing malware called BlackGuard that targets crypto wallets, VPN services, browser-stored credentials, email clients, instant messaging services and file transfer services.

Last year, NordLocker security researchers uncovered a 1.2 terabyte database of data extracted from victims’ web browsers, which included 26 million login credentials, 1.1 million email addresses and more than 2 billion web browser cookies stolen from 3.25 million compromised computers.

The burden of convenience

The warnings come as World Password Day, celebrated every May 5, sees security specialists once again warn users not to choose convenience over security.

57% of consumers admit to using the same password for multiple online accounts, according to new data from Cisco Duo which also revealed that 51% of Australians admit they reset forgotten passwords once or twice a week.

It happens so regularly that tech support staff are tired of helping users who keep forgetting their passwords, with 51% calling security issues related to compromised credentials the most frustrating or worrying part of password administration.

The problem has been compounded by the pandemic-era rush to online services and the associated security exposure.

“As organizations go digital, many are taking a reactive approach to authentication,” said Robert de Nicolo, Cisco’s director of cybersecurity for Australia.

“They end up piling authentication systems on top of each other, which not only creates complexity for the organization and the technical teams, but also for the users, ultimately creating more security holes than it solves.”

“When it comes to password hygiene, we still have a long way to go,” agreed Jacqueline Jayne, an APAC security awareness advocate with security training company KnowBe4, who recently found that 34% of office workers always use the same password for more than one account.

“The average person has between 70 and 100 passwords,” Jayne continued, “and it’s just not possible to remember them all – especially considering that passwords need to be unique, complex, and, depending on where you read them, anywhere between 8 and 20 characters.”

A multi-factor defense

Jayne recommends thinking of a sentence – say, a favorite line from a movie – then extracting the first letters of each word, varying the case of the letters, changing at least one letter to a number, and changing another letter to a special character like $ or &.

Using this method, for example, the famous line from Network – “I’m mad with rage and I’m not going to put up with this anymore!” – would become IMAHAINGTTTA, then IMAHAiNgTtTa, then IMAHA1NG2tTa, and finally IMAHA1NG2tT@.

Or, of course, you can always use the automatic password generators built into commercial password managers, which work separately from web browsers and therefore don’t suffer from the same security issues.

Ultimately, the adoption of Multi-Factor Authentication (MFA) solves the password problem by requiring users to enter their password along with a time-limited code that hackers cannot easily access.

Yet companies also shouldn’t believe that MFA makes them bulletproof, warns Nathan Wenzler, chief security strategist at Tenable, who recommends companies use privileged account management (PAM) tools and better security for Active Directory systems that store user and device credentials.

“We’ve made great strides in the information security community to explain to users why strong passwords are still needed and get them to take advantage of MFA,” Wenzler said, “but we still have a long way to go to harden our passwords against attackers and compromise.”

