Can we give the password to the browser with confidence?

Source: Internet
Author: User

BKJIA quick translation] at present, most mainstream browsers have a certain degree of password management mechanism, but do you really have no worries about handing over passwords to them? Let's take a look.

It is convenient for Web browsers to save their passwords and credit card account information, but there are also great security risks. The severity of the risk depends on the type of browser we use, whether we synchronize the content to other devices, and whether we use the additional security features provided by the browser. In this article, I will show you a series of security vulnerabilities in the most popular mainstream browsers, including IE, Google Chrome, and Mozilla Firefox, and explore how to make up for these weak links.

Common Security Risks

The biggest problem with saving passwords in a browser is that the eyes are everywhere, except for other users who can log on to our computer account and view password or credit card data, there are also a lot of malicious people who are hiding in the dark and planning to steal sensitive information from our computers, smartphones, or tablets. In addition, if we discard old computers and do not clear the disk content in time, the same risk will occur again; no matter who these devices are in, once the information is restored to its original state, our security will be threatened. At the same time, some viruses and malware will occupy our devices and hijack password or credit card information.

I believe you have noticed that many banking websites and other websites that process highly sensitive information do not recommend that you keep your passwords in your browsers. However, this is far from enough. If we use the same or similar password in each account to save trouble, therefore, login from other non-critical accounts on high-risk websites also threatens data and even economic security. For example, if the account on our social networking platform is the same as the bank password, once the account is stolen, it is believed that funds in the credit card will be quickly transferred away.

Some browsers allow users, of course, potential criminals, to view the list of logon information stored in them, including the target website, user name, and password. Even if your browser does not support this function, tools like WebBroswerPassView can easily generate such a list based on cookie data. Of course, if we accidentally forget the password or intend to organize the passwords of all accounts, this type of function makes sense. However, once Intruders use the software on our computers, the trouble is coming. In addition, we and criminals can use tools such as BulletsPassView to display the hidden password characters originally displayed as "asterisks" or "dots" in the browser logon interface or window, I hope everyone will be highly vigilant.

In the next chapter, let's take a look at the three mainstream browsers with the largest installation capacity-IE 9, Chrome, and Firefox-and evaluate their information storage functions, discusses how to improve data security.

IE 9

Among the three mainstream browsers we mentioned, IE 9 only provides the most basic password saving function. It automatically saves our user names, URLs, and other content that we have entered on the webpage or search bar. The browser itself does not allow users to view all the stored passwords. We only have the permission to change the Master Settings and delete the Automatic completion history.

Internet Explorer 9 prohibits users from viewing the list of passwords stored in it at will, so it can prevent malicious spying to some extent. Even so, we can still log on to all kinds of accounts without having to enter the password again. The only difference is that the password content is not displayed during the login process. However, as mentioned above, malicious users can use some tools to force the browser to display the password list or restore the hidden passwords under the protection mechanism to readable characters.

Unfortunately, Internet Explorer 9 does not provide the local data synchronization function. In other words, we cannot synchronize the data set and saved by the browser to multiple computers or mobile devices. However, although there is a lack of convenience, this limitation is a good way to reduce security risks.

The New Password Storage and synchronization feature will be provided for IE 10, which will be launched together with Windows 8. However, it is not clear whether the changes made on the new browser can be correctly applied to Windows 7. When I tested IE 10 and Windows 8 release previews, I found that users can use the Certificate Manager function of the evolutionary version in the control panel to display and manage the passwords saved in the browser. In terms of security, I found that to view the content of the password in the browser, the user must re-enter the password of the Windows system account, which effectively prevents malicious users from using Trojans to snoop on privacy information.

Windows 8 also provides a new synchronization function, allow us to synchronize passwords of applications, websites, and networks to other environments-except Windows Settings and preference settings-for example, other Windows 8 computers or tablets. For security reasons, we must log on to the Microsoft website and pass the new device review before synchronizing the password to another computer or tablet device. If you have already bound a mobile phone number to your Microsoft account, you will receive a confirmation code. You can enter the text message code on your mobile phone to approve the permission and synchronize the password.

Google Chrome 21

Compared with IE, Google Chrome has a wide range of password saving functions, but the automatic recording of input content still threatens credit card accounts and other information. Yes, this can greatly save processing time and improve execution efficiency, but it also pushes personal funds to risks.

Chrome allows us-or malicious users-to view saved user names and passwords in alphabetical order. You can also enter a site name in the search box to quickly filter the target site.

To protect privacy, Chrome hides the password content with an asterisk, but you can click the corresponding entry and select "show" to view its actual characters. Of course, we will change these passwords on a regular basis, but unfortunately Chrome cannot detect password changes. Therefore, when accessing the corresponding website, the browser will still try to log on with the wrong old password. To solve this problem, you must click the Save Password option and manually update it.

You can view all the saved URLs and credit card information, including the name, account number, and valid date on the card. Chrome masks some credit card numbers with star numbers, but we can still obtain the complete number content by clicking this entry and selecting "edit. The only information that is not stored in a credit card is the security code, which is the last barrier. After all, many online transactions are not all.) enter this code.

Let's talk about the disadvantages. Chrome does not provide the primary password function like Firefox, so we cannot use the primary password to strictly control the password and credit card information stored. Therefore, anyone who can log on to our Windows account can easily view all the above sensitive data.

Chrome provides a synchronization function to save most of the user's settings and data including passwords on multiple computers and devices, but does not record credit card information ), however, this brings about another security vulnerability. By default, you only need to log on to your Google account to synchronize data in Chrome on other computers or mobile devices. This is of course very convenient, but in case the password of our Google account is obtained by malicious people, these intruders may access all the passwords saved in the list. To solve this problem, we must set an additional synchronization password, which is the key topic to be discussed next.

Synchronization settings in Chrome

To prevent password information from being Snoop during synchronization, Chrome encrypts all data transmitted from Google servers to computers or other devices, and vice versa. We can also change the browser settings to encrypt all data that may be synchronized.

By default, Chrome encrypts and decrypts the synchronized data through the password of our Google account. However, if you think this is not safe enough, you can also enter another set of passwords. After creating a data synchronization task for Chrome to the new computer or other devices, we also need to log on to our Google account and set an additional encryption password.

Firefox 14

In today's competition, Firefox is undoubtedly the most brilliant, and its password saving function is still unique in front of the most popular Chrome. Firefox does not support saving credit card information locally, but it also reduces the chances of security problems. Like Chrome, you can view, search, and delete saved passwords in Firefox.

Password Saved in Firefox

Although we cannot change the password in the browser settings, Firefox will automatically detect the difference between the password of the target website and the password saved on the local computer, we also asked if we needed to change the password when logging on to the website.

Different from Chrome, Firefox requires you to set a master password to encrypt and protect the list of passwords stored locally.

Firefox allows users to set a "master password" to further improve security

In each browser session, we need to enter the primary password when saving the password locally for the first time. In addition, even if you have entered the primary password correctly, you can also set it in Firefox options to make sure that each subsequent operation related to saving the password locally will require you to enter the primary password again. This is a great function that can effectively help users avoid malicious attacks on passwords, and even escape the step of third-party tools.

Firefox can also synchronize our passwords, settings, and other stored data to multiple computers and other devices.

This is similar to Chrome's functions, but Firefox encrypts all data by default, not just password-type synchronization data. In addition, the Firefox synchronization account can make information more secure during transmission to computers or other devices. You can either enter the password you have set on the new device, or extract the password from an old device and enter it into the new device after logging on to the Firefox synchronization account.

Summary

The features of IE 9 help prevent malicious attacks-Setting the root does not have the list of saved passwords-but it also does not provide any advanced security features. In this case, attackers have the opportunity to use our Windows account and third-party tools to obtain passwords.

Google Chrome 21 allows anyone logging on to a Windows Account to view our saved password list and credit card information, so be careful. If you have to synchronize data browsing on multiple computers and other devices, you must strictly encrypt the information and set a custom password for dual protection.

Firefox 14 allows anyone who can log on to a Windows Account to view our saved password list by default. However, you can create a master password to encrypt and protect this sensitive information. In addition, if you need to use the data synchronization function in the browser, Firefox is undoubtedly the best choice for security.

Among the three mainstream browsers evaluated in this article, I personally choose Firefox with the best password security. Its primary password control mechanism is commendable. However, I am eager to see the final version of IE 10 on Windows 7 and Windows 8, hoping that everything will become more rigorous.

At the end of the article, I have prepared some additional tips to help you improve your password security:

  • Never save passwords or synchronize browser data on others' computers.
  • Try to use different passwords on each website-at least for online banking and other accounts involving sensitive information.
  • Use a password to protect your Windows account.
  • Create an independent Windows account for each user-if not, at least set limits for those you don't trust.
  • If your family or friends want to use our computer, ask them to log in through the Guest account.
  • Select an excellent anti-virus software and keep it updated in time.
  • Be sure to perform full encryption on your laptop, netbook, and mobile devices.
  • Introduce a third-party password management service in daily work, such as LastPass or KeePass.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.