Storing Passwords in the Browser Isn’t the Real Problem

If you follow tech news, it happens about every other day when some blog post goes viral which says, “why you shouldn’t store passwords in Chrome”, “why you should dump Chrome”, etc. And when I say “viral”, by that I mean it gets picked up by news aggregator sites like Google News, and then posted on the newsfeeds of millions.

Today I am here to formally disagree and tell you what the real problem is.

But before we get into that, a small shout-out to Kaspersky Internet Security’s pop-up that says, “storing passwords in the browser is risky”. I somewhat agree, but I would say using a password manager from your company is also risky — maybe even riskier.

Security Management

Managing security pretty much boils down to managing the balance between the competing concerns of security versus convenience. By that, I mean that anything you do to increase user convenience will most likely decrease the security posture, and vice versa.

In today’s example, clearly, it is a convenience to have your passwords stored in your browser, so the credentials are typed in automatically. It actually does improve your security posture in a few ways:

• A keylogger won’t scrape your credentials if you aren’t physically typing them in.
• Using a password manager — browser or not — enables you to follow good password practices: passwords should be long, complex in character set, be unique to each site, and be hard to remember. Anyone that doesn’t need a password manager cannot possibly be following good password practices.

So, if you landed here today because you are using a browser-based password manager, the good news is you are already ahead of the majority and doing the right thing.

But then an article tells you that you are making a huge mistake. So what gives?

Downsides of Using a Password Manager

When you use a password manager, you are inherently trusting that software. You are literally storing the keys to your life in that software — your identity, your bank accounts, etc. The point is, if anyone were able to breach your password manager, they would be able to get all your credentials, right?

So, you are not just trusting your password manager to not be malicious, you are trusting the maker of that password manager that they will develop it with world-class convenience under the hood and that as a company they will be diligent in keeping cyber criminals at bay — and the company manages its supply chain for security.

Trusts

This gets to the dig I took at Kaspersky earlier — who do you think is better equipped and capable of protecting your secrets — Google or Kaspersky? Clearly, that is an opinionated thing, and I am of the opinion that Google is going to do a better job protecting my secrets.

It actually goes beyond which company you trust more, but the number of companies you already trust. Let me explain.

Trust is a key concept in the field of Cyber Security, and managing your security effectively requires an understanding of this concept.

If you use an Android device, you are already trusting Google to a very large extent. If you log into your bank account on that device, etc. using apps from the Google Play store, you are already tightly dependent upon Google and your personal security already is coupled to that of Google or Apple, if you use an iPhone.

So, if you already are tightly coupled to either Apple or Google and already inherently trusting one of those, what happens if you heed the advice of a blog that says storing passwords in the browser is a no-no?

The answer is, you would retire that practice and start using a password manager product. In doing so, you have expanded the number of companies you trust and added another to the mix.

If you do that understanding how it changes your security posture and assessing that your new posture is in fact above your old posture, then that is proper security management. But if you changed your way of managing passwords just because an article told you that you were doing it wrong, then there is a good chance that you just lowered your security posture.

Password Manager Attacks

Whether you use a password manager like KeePass, LastPass, Kaspersky, etc. or you use Chrome or Firefox’s password manager, there is always a risk that cyber criminals will breach that product, and if they do it can lead to your credentials being leaked to criminals.

You can guess, and you would be right, that cyber criminals really, really want to breach the various password managers and browsers, and that they are spending time and resources trying. Because if they strike gold and breach a product that holds the keys to a billion users’ passwords, the pay-off is huge.

So, whether you are using a browser password manager or some third-party’s app, you face the same risks.

The User is Always the Weakest Link in the Security Chain

The chance is very slim that criminals will be successful in breaching the company that makes your password manager, or Google, Apple, Firefox, and their browser password managers. Cybercriminals know this, and hence why they attack the user. Because their chance of being successful is a lot higher because the user is always the weakest link in the security chain.

While criminals can’t get a billion credentials in one shot since they will never breach big tech, they can get your credentials if they can successfully attack you.

The number one way that criminals get your credentials is by fooling you into giving them access to your credentials. Let’s talk about that now.

Your Individual Ability to Not Fall for Attacks Is the Biggest Thing that Determines Your Security Posture

The only way your passwords are going to be breached by your password manager, or browser, is if you allow an attack to be successful. What does an attack look like?

Google Chrome Password Stealing

I recently researched how to steal passwords from Google Chrome. I was pleasantly surprised to learn that you cannot just copy from the user’s PC their Chrome profile files and then use SQLite to bring up the logins and passwords. Because the passwords are encrypted, and they are encrypted well. By that, I mean the encryption is as strong as possible in 2023.

The bottom line is this — in order to steal your passwords from Google Chrome, copying the files is not enough. To unencrypt the passwords, they need to be on the same PC that you use, and they need to be logged in as you.

The only way an attacker can get your credentials out of Google Chrome’s password manager is if they can get you to run an executable or script.

Because the only way that an executable program or script can decrypt your passwords is if it is run in the security context of you.

Bottom Line: Stealing Your Passwords from Google Chrome Requires You to Run Something You Shouldn’t

Here is how an attacker gets your passwords out of Google Chrome. They send you an email with a malicious link that, when you click said link, will download the password stealer and run it.

This is called “phishing”. When an attacker sends you an email, text, etc. pretending to be someone they are not, in order to fool you into clicking a link, that is called phishing. The word comes from “fishing” but a few decades ago someone decided it’s cooler to use “ph”. By the, it’s also cooler to just stick a “p” in front of a word, e.g. “powned” instead of “owned”. Even better is “pnwed”, and the act of defeating someone is known as “pwnage”.

That concludes our brief foray into underground netspeak, and we will now get back on point.

Key Point: Only You Can Prevent Forest Fires

As Smokey used to say, only you can allow bad guys to run a program under your user context. Therefore, if you know how to not do that then you are good.

Is it really that simple? It sure is.

How Might I be Fooled to Run Something Malicious?

A very well-known password stealer — which targets browser-based password managers as well as other things, sells for about $200 in the digital underworld, and for it to be successful requires successful phishing of a person.

Specifically, almost always via email, a fake email is sent pretending to be someone else — usually a company you likely already do business with, which alerts you of something that needs your action and includes a button or link.

It could be an email from Amazon, your bank, Facebook, Google, Apple, Microsoft etc. and it might refer to a transaction which doesn’t really exist. I recently wasted about 30 minutes of scammers’ time. They sent an email saying they were PayPal support and that a TV had been ordered and would be paid out of my account and it had a phone number. I called that phone number, and a professional-sounding guy answered pretending to be PayPal.

I pretended to be a clueless user and he walked me through how to install a remote access app and give him access to my PC. Except, I didn’t actually do it. LOL. What he really wanted was for me to give my PayPal credentials to him over the phone. That is what the attack was really about — trying to harvest PayPal credentials.

Phishing Emails Are Hard to Spot These Days

Gone are the days when phishing emails had spelling and grammatical errors. Well, some do, and those won’t fool 90% of the people.

These days, phishing emails will be formatted professionally using the corporate logos of whomever they are impersonating, buttons in that style, etc. The email footer might even have the copyright and registered trademark of the company they are forging.

Treat All Unexpected Emails as Un-Authentic

The bottom line is this: if you are not expecting an email from a person or company, and you get one, you should always first treat it as not authentic.

Do not click any buttons or links in the email. If the email content seems to indicate a matter which requires your attention and action, still do not click the link or button in the email, and do not call the phone number in the email.

Instead, close the email and open your browser and navigate to the company and find their support number, and call to inquire. If they do not know what matter you are referring to, then presume that email was faked and move on with your day.

Identifying Faked Emails

Not too long ago, I wrote this blog to talk about fake emails: https://blog.carlisleprojectpro.com/fake-emails-small-businesses

In that article, I talk about fake emails and I do cover how to identify a fake email. But to summarize here, in order to determine the authenticity of an email requires a close examination of the mail headers. As of 2022, legitimate emails should be using three specific technologies so that recipients know the email is legit:

• DKIM – Domain Key Identified Mail is an encryption scheme that mail systems use to determine if an email has been modified in transit, or completely spoofed (faked). Within the mail headers, you would look for DKIM being used, and DKIM passing. Or, the mail headers might indicate DKIM is not present, or DKIM failed — emails of that nature should be treated as faked.
• SPF – Sender Policy Framework is a scheme that a mail system can use to tell all the other mail systems in the world “do not consider emails from my domain as being real unless it comes from these IP addresses”. In the mail headers, you would look for SPF being present and passing, if SPF is not present or fails, then it is a faked email.
• DMARC – Domain Messaging Authority & Reporting is a scheme where an email domain tells the world “you should throw away emails from my domain if DKIM and SPF fail.” In the mail headers, you would look for evidence that a DMARC record exists for the domain and that DMARC passed. If DMARC doesn’t exist or fails, the email should be treated as fake.

It can happen where email headers indicate DKIM, SPF, & DMARC are present and passing, but the email is still fake.

Faked Domains

One way this can happen is if the domain is entirely faked. What’s a domain? In the context of email, it’s the @companyname.com part from the email sender’s email address.

If an attacker stands up an entire email domain, and they implement DKIM, SPF, and DMARC on that domain, the emails they send will look legit. The problem is, they can’t do it with goolge.com, apple.com, amazon.com, etc.

So always look at how the domain ends. If it ends in google.com, and DKIM, SPF, DMARC pass, then it is probably an authentic email from google.

On the other hand, an email from support@gooogle.com can have DKIM, SPF, and DMARC setup and passing, but it’s a fake email. Because if you look closely, there is an additional “o” in gooogle.com.

To be most correct, one wouldn’t likely be able to do that because Google probably already has bought up all forms of fake domains like gooogle.com, goolge.com, etc.

That brings us to this next important point regarding faked domains: just because the word “google” appears somewhere in the email senders’ address, that doesn’t mean it is an authentic email from google.

As mentioned above, an attacker can’t use anything that actually ends in google.com, and they can’t get gooogle.com, etc. So, what do they do next?

They buy a domain and put the word “google” somewhere in the domain. For example, if one buys a domain called “emailsecurityscanner.com” (it’s probably already taken), then they could use a domain google.com.emailsecurityscanner.com.

Many people, when looking at that domain, might think it is a legitimate google email that has been sent through a third party for security scanning. But no, that is not what is going on.

Links in Emails or Web Pages

Everything I have said about email domains can be applied to URLs, and it would be a great practice if one paused before clicking any link to see if the URL it points to is a real company or a fake site by a bad actor.

But as I said in the beginning, security management is about balancing convenience with security, and it is unrealistic to expect a person to check the URL of every link on every page.

That said, it is realistic and should be done when clicking a link from an email, or from a page whose authenticity you cannot presume are authentic. What does that mean?

Well, you should always pause and think hard before clicking a link or button in an email. That’s the easy part…. but I also said, “from page(s) you can’t presume are authentic”.

What I mean by that, is if you are on Amazon’s site, you can presume buttons and links are safe and legit. On the other hand, if you are on a page called “Sal’s Blog”, and it is your first time ever visiting that site, you really should consider it potentially unsafe. Especially if you landed on that site because you clicked a link in an email, or a text, or from a site that was talking about how to pirate movies

Context matters — how you got to a site should be considered when judging the safety of the site.

Endpoint Security

In our discussion, we have wandered into an entire topic of “how to determine if the site I am on is safe”. I am going to reel this in a little, and this is a good time to say that in 2021 you really, really need to be running a quality endpoint security product.

One of the things a good endpoint security product will do is keep you away from fake & malicious sites.

I hadn’t even talked about SSL/TLS certificates and how that play into determining if a site is real or if it is unsafe. It just isn’t possible to talk about everything, and more importantly, it isn’t possible for non-experts to understand everything. This is why endpoint security products exist.

What is an endpoint security product? Well, most call them “antivirus” apps, but that is a bit of a misnomer because viruses are just a small slither of the security threatscape, and you need more than “anti-virus”.

Kaspersky, McAfee, Symantec, Trend Micro, Avira, Avast, and the other big hitters in the industry are “endpoint security” products.

These products will do a very good job of keeping you off malicious sites, and even scanning your emails and quarantining malicious emails.

So Why Not Mention Endpoint Security First?

That is a fair point because the bottom line I am about to make is that in 2022 endpoint security products are necessary. Even if you are a technical expert and you know how to do all the things I talked about to this point, it is unrealistic to expect you will vet every URL you click before you click it.

That would be inconvenient, right? But leveraging a good endpoint security product, it will evaluate every URL you click — before you click it — and it will evaluate the legitimacy/safety of a site before the site appears in your browser.

What are the Downsides to Leveraging Endpoint Security Products?

The really smart reader is now recalling that earlier I said any time you increase user convenience, you are likely reducing your security posture. Based on that, wouldn’t using an endpoint security product be an example of where that rule doesn’t hold true?

Well, yes and no. Using an endpoint security product does make using the Internet and your computer more convenient for you. And in general, using an endpoint security product will increase your security posture.

Based on that, the answer is “it breaks the rule — convenience and increased security can happen in one swoop”.

Except, when you consider that using an endpoint security product does a few things that degrade your security posture:

• It introduces another company that you inherently trust with a very high level of trust extended. Not a bad thing, so long as you realize it.
• Your endpoint security product has admin access to your device, files on it, etc. and it can sniff the credentials and other personal data you enter on any site. In short, if the maker of your endpoint security product gets breached, you might be “epically powned” as well.

As you might guess, the criminal world puts forth the time and resources trying to breach endpoint security product companies because if they do, the payoff is huge.

Are these reasons enough to not use endpoint security? Not in my view. But you do need to realize the exposure it creates.

All things considered, endpoint security is a lot more beneficial to the average user than it is a liability. I said before and will say again that in my view endpoint security is necessary for 2023.

What About Microsoft Defender?

Microsoft Defender, now known as Windows Security, is security built into the Windows operating system. It includes virus scanning, download scanning, URL checking, and even ransomware protection.

Windows Security is certainly better than none, but it will not provide the level of protection that third-party products provide. In addition, Windows Security is not as performance optimized as third-party products will be.

Free Versions?

Most of the top providers of endpoint security provide a “free” version. This is almost always going to be a step above Windows Security and a step below their paid versions.

Bottom Line: Password Management Using Browser-Based Password Management

In the sections above, we talked about the critical concepts in cyber security, and we talked about the role password managers play, and that a password manager is really a necessity. Then we talked about how browser-based password managers can be breached, and that stealing your stored credentials from your browser requires that you be fooled into running something malicious.

Then we talked about a few of the ways one might attempt to fool you into running something malicious, and then we landed on endpoint security being necessary. This is because the kinds of attacks out there are highly sophisticated and very plentiful, making it not feasible to operate under an “I just won’t click malicious links” mantra.

The overall bottom line is this:

• If you are not using a password manager, it is highly unlikely that you are following good password practices, e.g., you have easy-to-memorize, easy-to-guess passwords or use the same password all over the place. This is just bad.
• If you are using a password manager, that is good, but it is very important that you protect yourself from being fooled into running malicious stuff, and endpoint security is important in 2022.
• If you are using a password manager, and not using your browser’s password manager, that is good. But you still can’t assume there isn’t, or won’t ever be, a password stealer that targets your password manager. Thus, you still have to be diligent and not run stuff from malicious links, etc.
• Lastly, no matter what password manager you use, that involves inherently trusting one company with your master key to all your credentials.

Even though I did not go off on this tangent, I can’t close without mentioning two-factor authentication. You should always enable two-factor authentication on sites that offer it. At a minimum, any site that has your payment card details stored, carried out financial transactions, or can be used to embarrass you and ultimately extort you.

Most importantly, whatever password manager you use, the master password should be truly strong AND two-factor authentication must be enabled on that account.