
It’s nice that we can just fill out a form with one click and get things done. It really makes things simple. Thank goodness that modern web browsers have that capability. Oh, sure it makes it easier for you to get things done, but did you know it also makes it easier for the bad guys to get things done too?

Although all major web browsers have the same features, this article focuses on Google’s Chrome browser. There is no intent to single Chrome out; it just happens to be my browser of choice and the one I’m most familiar with. Keep in mind that the same issues exist for any web browser that will save your information for you.

Don’t Save Your Address or Credit Card Number

Online shopping has gone from something people were scared to do, to being a major part of the world economy. With all that shopping, and forms to fill out, it’s nice to just have your browser remember the info and pop it in for you. Efficient even. So why would it be a bad thing to save such basic information?

Let’s say you get up from your desk for a coffee. Your browser is open. Along comes the bad guy and in a second they have your address and maybe credit card info. In Chrome, all they have to do is type chrome://settings/autofill in the address bar and up pops the following window.

autofill-settings

It doesn’t seem like much, and part of the credit card number is hidden. That is, until they click on Edit next to the name or credit card. Then they get the following windows:


edit-autofill

edit-credit-card

“I won’t save my credit card info then, but knowing my address isn’t a big deal, right?”

Depends. Maybe someone has a grudge against you, or is an opportunistic thief. Did you order an iPad on the web? If someone knew that and had your address, they might just swing by to see if it is left inside your door, or if your mailbox isn’t quite closed or easy to unlock.

The best solution is to simply not save this information, ever. As easy as it is for someone to get the info from Chrome, it’s even easier for you to turn that feature off. Go into Chrome’s Settings. Scroll down until you see Show advanced settings… Click that, then browse down the page to the heading Passwords and forms.

passwords-and-forms

Before you simply uncheck the box next to Enable Autofill to fill out web forms in a single click, you need to go into Manage Autofill settings and delete all the information there. If you don’t, your information will remain available to anyone who puts the chrome://settings/autofill command in your address bar.

Don’t Save Passwords or Usernames

“Surely I can save my passwords. They must be hard to get at. You can’t even read them when they’re on the web page. Just dots.”

When you enter a password into a website, you do see a dot, or an asterisk, for each character in the password. That’s a great concept, at least to prevent people who might be looking over your shoulder from seeing it. But don’t expect this to protect your password if you leave your computer for even a minute.

gmail-login-screen

Today’s web browsers come with a lot of tools that web developers can use to help them make the websites you know and love. Unfortunately, those tools can also be used for evil. For example, in Chrome all a person has to do is highlight the password field, right-click on it and then select Inspect Element.

Once the Element Inspector is open, they can change the type of field from password to text. Boom! Password revealed. Don’t believe me? Look at the picture below. Still don’t believe it? Check out the video, too.

password-revealed

Whoa, 32 seconds, and that was with slowing down to make sure you could see what was happening. It’s not just Chrome either. See the same thing done in Internet Explorer:

“That’s only one password. How bad could that be?”

It depends on what that password is protecting. However, if someone knows your Windows password, they can get all of your saved passwords almost as quickly. Does anyone else know your Windows password? Kids, spouse, friend, computer repair person, system administrator? Even if you think they don’t, there’s a good chance someone does know it.

In Chrome, someone who knows your Windows password only needs to enter chrome://settings/passwords in the address bar.

Once they enter that, they’ll see a list of the sites and usernames you have saved for your sites.

password-storage

Let’s see how quickly a person could steal your passwords with that information.

This could also be done with Internet Explorer or Firefox; it would just take slightly longer. They could do it even quicker with screenshot software on a USB flash drive.

“Alright! I won’t save my address or credit card number. But what harm could saving the username bring?”

If the bad guy got your username and he knows what website it is for, he only has to come up with the password. You’ve just done two-thirds of the work for the bad guy! Or, they could start searching the web with your username, a method of learning much about a person called doxing, and learn things about you that you might think you’ve hidden behind an anonymous username. For some, that’s no big deal. But for others, that could lead to public embarrassment.

doxing-comment
Not really.

The fix for this issue is simple as well. Don’t let your browser save your usernames or passwords. To stop that from happening go into Chrome’s Settings. Scroll down until you see Show advanced settings…. Click on that and scroll down until you see the heading Passwords and forms.

passwords-and-forms-2

Before you simply uncheck the box next to Offer to save your web password, you need to go into Manage passwords settings and delete all the information there. If you don’t, your information will remain available to anyone who puts the chrome://settings/passwords command in your address bar.
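The "delete before you disable" step, described above for both autofill and passwords, can be checked on disk. This is an added example, not part of the original article: it assumes Chrome keeps saved logins in a SQLite file named Login Data and autofill and card entries in one named Web Data inside the profile folder, with the table names listed in the code. It only counts rows, never reads saved values, and should be run with Chrome closed or against copies of the files; `build_sample` and its data are constructed for the demonstration.

```python
import pathlib
import sqlite3
import tempfile

# Assumption: table names Chrome has used in "Login Data" (logins) and
# "Web Data" (the rest); they vary by version, so absent tables are skipped.
TABLES = ("logins", "autofill", "autofill_profiles", "credit_cards")


def count_saved_rows(db_path):
    """Return {table: row_count} for known tables; no values are read."""
    # Read-only URI so the audit can never modify the profile database.
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        present = {row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        return {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                for t in TABLES if t in present}
    finally:
        conn.close()


def leftover_findings(db_paths):
    """List 'path:table=N' for every table that still holds saved rows."""
    return [f"{p}:{t}={n}" for p in db_paths
            for t, n in count_saved_rows(p).items() if n]


def build_sample(path, table, values):
    """Create a constructed stand-in database (not a real Chrome schema)."""
    conn = sqlite3.connect(path)
    conn.execute(f'CREATE TABLE "{table}" (id INTEGER PRIMARY KEY, v TEXT)')
    conn.executemany(f'INSERT INTO "{table}" (v) VALUES (?)',
                     [(v,) for v in values])
    conn.commit()
    conn.close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        login, web = f"{d}/Login Data", f"{d}/Web Data"
        build_sample(login, "logins", ["constructed-1", "constructed-2"])
        build_sample(web, "credit_cards", [])  # emptied before disabling
        for finding in leftover_findings([login, web]) or ["nothing left"]:
            print(finding)
```

An empty result from `leftover_findings` means the stores it recognised hold no saved rows; any finding means the setting was turned off while data was still saved.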

Another Way

There are several password manager apps available that will keep all of your information separate from your browser, but are almost as handy to use as the browser’s autofill. If you use a well-designed passphrase to access your password manager, you’re making a lot of work for the bad guys. For most bad guys, it just isn’t worth their time.

The Main Point

Browsers are built for viewing websites, not for securely storing personal information. So why let them? Keep the information safely tucked away in your brain, or in a password manager, and rest assured that you can surf safely, shop safely, and sleep safely.

Do you use your browser’s autocomplete function? Has this article opened your eyes to this weakness? Perhaps you’ve had an issue with someone getting your information this way? Let’s talk about it in the comments. That’s the place where we can all learn more.

Featured Image Credit: Man in a balaclava via Shutterstock

  1. Guy
    November 26, 2014 at 6:24 pm

    Hi Yair,

    You can get an official answer by e-mailing justinpot@makeuseof.com.

    Personally, I'm honoured you'd like to do that. Yet it all needs to go through the Editor. :)

  2. Yair
    November 25, 2014 at 9:35 pm

    Hi Guy,
    Thanks for the useful tips.
    May I translate this into Hebrew with your credit?

  3. Sam
    November 25, 2014 at 3:23 pm

    Mozilla's video above pretty much nails it. Just use something at least twice that long if you also want to be relatively secure vs brute-forcing. It may seem like a lot of characters, but you'll be typing them in under a second with practice.

    • Guy
      November 26, 2014 at 6:26 pm

      Hi Sam,

      Very true. It seems like such a pain to do, but within a day most people will be typing the longer, stronger password without even thinking about it.

  4. Luke
    November 25, 2014 at 10:23 am

    Oh, thanks for reminding me that I chose the right way when I moved away from browsers several years ago and started using a password manager. In my case Sticky Password (http://www.stickypassword.com) - do you have any personal tip for a password manager?
    Anyway, seems like browsers are still insecure and password managers will be around for another couple years at least, right?

    • Guy
      November 30, 2014 at 6:22 pm

      My only tip for using a password manager is to make sure that the personal key you choose is absolutely nothing like any of your other passwords, yet sufficiently easy to remember.

      Some people will choose a phrase or lyrics from a song and use the first letter of each word. For example:
      Baa baa black sheep have you any wool?
      Might become:
      Bbbshyaw?

      I think at some point browsers will start integrating password managers to maintain convenience of use AND solid security.

  5. Vampie
    November 24, 2014 at 3:05 pm

    Now that's an eye opener.

    I really need to rethink my data and settings.
    I'm already using a password manager, but the rest makes a lot of sense as well.

    Thank you.

    • Guy
      November 24, 2014 at 6:57 pm

      My pleasure. Don't worry too much, it's just simple fixes.

  6. Dann Albright
    November 23, 2014 at 8:49 am

    Great explanation, Guy. I think these points are especially true with Chrome, as it's in Google's interest to create as detailed a profile about you as possible; so who knows what information they'll use to add to it? Obviously, these are great points for all browsers, but I'm wary of Google and their information-collecting policies.

    Also, your point about making it easy for someone to get at your usernames and passwords if you've left your computer also applies to password management apps. If you leave your computer, and you're signed into LastPass, it's just as easy to get your information. I suppose the best way to deal with that is to sign out of LastPass (or have it automatically sign out when you leave) and lock your computer. At least then the information is behind two passwords.

    • Guy
      November 24, 2014 at 12:38 pm

      Hi Dann,

      Thank you for the compliment. Having read your articles and knowing the high quality of them, this is, indeed, an appreciated compliment.

      You're completely correct about leaving password managers open. It just doesn't do to get a safe that's harder to break into, only to always leave the door open.

      The password manager I use is set to lock after 15 seconds of inactivity, or if I minimize it to the task bar. Maybe there's an article in this for you - password manager security tips. Might already be done somewhere on our site, but it might need a refreshing too.

    • Dann Albright
      November 25, 2014 at 12:02 pm

      I should probably set my password manager to do the same . . . seems like a pretty big oversight for the small gain in convenience. I think you're right about the article—time to do some research!

  7. Sam
    November 23, 2014 at 6:17 am

    Hmm, I was already aware of how to do all these, but it was disconcerting to see nonetheless. Thanks for the article! Also, I currently use LastPass as my password manager. How safe are password managers, in general, assuming you have a good master password?

    • Guy
      November 24, 2014 at 12:33 pm

      Hi Sam,

      Thank you for your compliment.

      Password managers are safer than having everything stored in the browser. It's that extra degree of separation that helps. Ideally a person will use the strongest password that they can remember as the key for the password manager, making things reasonably secure for most people.

      Nonetheless, I just read about an exploit that uses a Man In The Middle type attack on password managers. It grabs the key password that you use. Of course, the attacker would then have access to your entire password list.

      But here's the thing. Coming up with the exploit, deploying it on a person's computer, and then retrieving the passwords is a fair amount of work. Most bad guys like the low hanging fruit. No computer is 100% secure. We just have to accept a certain amount of risk.

  8. Hildy J
    November 22, 2014 at 7:58 pm

    Thanks for the tip on passwords. I tried it in Firefox and it's just as easy to reveal the actual password. You can learn something every day. I'll have to think about this and look into cross platform password managers.

    What also needs to be emphasized, especially for those that value convenience, is that security starts with securing your devices. Lock them when you leave them and require passwords/PINs to unlock.

    • Guy
      November 24, 2014 at 12:34 pm

      Hildy,

      Completely correct. Security is much more than just passwords. Good computing habits make the bad guy's job so much harder.

  9. Michael Gersh
    November 22, 2014 at 6:45 pm

    The issue is the tension between security and convenience. These days, most people seem to have traded in their security for the sake of convenience.

    • eric jay
      November 23, 2014 at 1:58 am

      I'm guilty of that.
      Gotta change.

    • Guy
      November 24, 2014 at 12:35 pm

      Hi Michael,

      You're right. I think that's been the case through history though. I've said this about money management and it applies here as well; Convenience Kills.
