It’s nice that we can just fill out a form with one click and get things done. It really makes things simple. Thank goodness that modern web browsers have that capability. Oh, sure it makes it easier for you to get things done, but did you know it also makes it easier for the bad guys to get things done too?
Although all major web browsers have the same features, this is going to focus on Google’s Chrome browser. There is no intent to single Chrome out, it just happens to be my browser of choice and the one I’m most familiar with. Keep in mind, the same issues exist for any web browser that will save your information for you.
Don’t Save Your Address or Credit Card Number
Online shopping has gone from something people were scared to do, to being a major part of the world economy. With all that shopping, and forms to fill out, it’s nice to just have your browser remember the info and pop it in for you. Efficient even. So why would it be a bad thing to save such basic information?
Let’s say you get up from your desk for a coffee. Your browser is open. Along comes the bad guy and in a second they have your address and maybe credit card info. In Chrome, all they have to do is type chrome://settings/autofill in the address bar and up pops the following window.
It doesn’t seem like much, and part of the credit card number is hidden. That is, until they click on Edit next to the name or credit card. Then they get the following windows:
“I won’t save my credit card info then, but knowing my address isn’t a big deal, right?”
Depends. Maybe someone has a grudge against you, or is an opportunistic thief. Did you order an iPad on the web? If someone knew that and had your address, they might just swing by to see if it is left inside your door, or if your mailbox isn’t quite closed or easy to unlock.
The best solution is to simply not save this information, ever. As easy as it is for someone to get the info from Chrome, it’s even easier for you to turn that feature off. Go into Chrome’s Settings. Scroll down until you see Show advanced settings… Click that browse down the page for the heading Passwords and forms.
Before you simply uncheck the box next to Enable Autofill to fill out web forms in a single click you need to go into Manage Autofill settings and delete all the information there. If you don’t, your information will remain available to anyone who puts the chrome://settings/autofill command in your address bar.
Don’t Save Passwords or Usernames
“Surely I can save my passwords. They must be hard to get at. You can’t even read them when they’re on the web page. Just dots.”
When you enter a password into a website, you do see a dot, or an asterisk, for each character in the password. That’s a great concept, at least to prevent people who might be looking over your shoulder from seeing it. But don’t expect this to protect your password if you leave your computer for even a minute.
Today’s web browsers come with a lot of tools that web developers can use to help them make the websites you know and love. Unfortunately, those tools can be also be used for evil. For example, in Chrome all a person has to do is highlight the password field, right-click on it and then select Inspect Element.
Once the Element Inspector is open, they can change the type of field from password to text. Boom! Password revealed. Don’t believe me? Look at the picture below. Still don’t believe it? Check out the video, too.
Whoa, 32 seconds, and that was with slowing down to make sure you could see what was happening. It’s not just Chrome either. See the same thing done in Internet Explorer:
“That’s only one password. How bad could that be?”
It depends on what that password is protecting. However, if someone knows your Windows password, they can get all of your saved passwords almost as quickly. Does anyone else know your Windows password? Kids, spouse, friend, computer repair person, system administrator? Even if you think they don’t, there’s a good chance someone does know it.
In Chrome, someone who knows your Windows password only needs to enter chrome://settings/passwords in the address bar.
Once they enter that, they’ll see a list of the sites and usernames you have saved for your sites.
Let’s see how quickly a person could steal your passwords with that information.
This could also be done with Internet Explorer or Firefox, it just would take slightly longer. They could do it even quicker with screenshot software on a USB flash drive.
“Alright! I won’t save my address or credit card number. But what harm could saving the username bring?”
If the bad guy got your username and he knows what website it is for, he only has to come up with the password. You’ve just done two-thirds of the work for the bad guy! Or, they could start searching the web with your username in a method of learning much about a person called doxing, and learn things about you that you might think you’ve hidden behind an anonymous username. For some, that’s no big deal. But for some, that could lead to public embarrassment.
The fix for this issue is simple as well. Don’t let your browser save your usernames or passwords. To stop that from happening go into Chrome’s Settings. Scroll down until you see Show advanced settings…. Click on that and scroll down until you see the heading Passwords and forms.
Before you simply uncheck the box next to Offer to save your web password you need to go into Manage passwords settings and delete all the information there. If you don’t, your information will remain available to anyone who puts the chrome://settings/passwords command in your address bar.
There are several password manager apps available that will keep all of your information separate from your browser, but almost as handy to use as the browser’s autofill. If you use a well designed passphrase to access your password manger, you’re making a lot of work for the bad guys. For most bad guys, it just isn’t worth their time.
The Main Point
Browsers are built for viewing websites, not for securely storing personal information. So why let them? Keep the information safely tucked away in your brain, or in a password manager, and rest assured that you can surf safely, shop safely, and sleep safely.
Do you use your browser’s autocomplete function? Has this article opened your eyes to this weakness? Perhaps you’ve had an issue with someone getting your information this way? Let’s talk about it in the comments. That’s the place where we can all learn more.
Featured Image Credit: Man in a balaclava via Shutterstock