I’m just scared that they’re saved with reversible encryption on the disk, then malware could steal them

  • /home/pineapplelover
    27 · 9 months ago

    Please don’t save stuff in your browser. It’s very easy to rip those passwords and logins. If you must, keep it in a proper password manager like bitwarden or keepass.

    • @[email protected]
      3 · 9 months ago

      Yup, I only store testing creds for work use. My actual credentials are in a proper password manager.

      • @[email protected]
        5 · 9 months ago

        Historically, I’ve seen more “proper” password managers with breaches than browser storage.

        • @[email protected]
          5 · 9 months ago

          Well yeah, if you breach a password manager, you get tons of credentials. If you breach a person’s computer, you get one set of credentials. And most of those breaches are low impact, such as Okta:

          For 99.6% of customers, hackers accessed only full names and email addresses, according to Okta, though in some cases they may also have accessed phone numbers, usernames and details of some employee roles.

          Here’s an example of a browser attack (not necessarily password management, but related):

          These scams have been going on for months, and one YouTuber claims they work through fake sponsors reaching out to creators. The YouTubers are then convinced to download a file related to the sponsorship, which is just malware designed to steal cookies, remotely control PCs, and ultimately hijack YouTube accounts.

          Basically, any script that can run on your machine can compromise stored passwords and credit cards if there’s no master password set (typically the default behavior). If there is a master password, it could be brute forced (I’m guessing most attackers don’t bother). It’s just a lot harder to detect this kind of breach since it happens on end-user machines instead of an audited web service. I’m guessing a lot of people get hacked this way, but it doesn’t make the news because individuals don’t dig into the breach to find the cause.

          My understanding is that password managers are still way more secure than using your browser’s built-in PW management, and you can take it a step further and self-host (e.g. Bitwarden offers this) to require attackers to actually target you.

          • /home/pineapplelover
            0 · 9 months ago

            The thing with built-in browser password managers like in Chrome or Firefox is even if it’s password protected, you can still get those very easily.

            • @[email protected]
              1 · 9 months ago

              Sure, but it requires a more sophisticated attack, so risks are a bit lower. There are tons of easier targets, so an attacker will probably just go after them instead.

              But when it comes to a proper password manager, there are a ton of similarly protected accounts, so an attacker will either go for all the data or not bother. You’re more likely to get corporate accounts and whatnot than by hacking a built-in browser PW manager, which is a lot more lucrative than someone’s credit card info.

              But the core point I’m trying to make is that we won’t know how many people get hacked with built-in browser password managers because nobody is monitoring them. We do know about proper password manager breaches because someone is watching for them. In other words, absence of evidence is not evidence of absence, so the number of publicly reported breaches won’t tell you which is safer, it just tells you which are high profile.

              • @[email protected]
                1 · 9 months ago

                I guess I feel somewhat safer as a relatively anonymous target of spearphishing, as I have been for 20 years without incident, instead of as part of a much more valuable collective target, even though that data is probably better protected.

                • @[email protected]
                  2 · 9 months ago

                  I’m guessing you practice relatively secure computing, meaning you don’t download suspicious stuff, keep your system updated, etc. But that’s not true security, you could always run into a browser vulnerability on a random website.

                  Also, there’s no guarantee that you haven’t been hacked; all we know is that you haven’t noticed your private information being used. Usually what happens is attackers get a bunch of data then sell it on the black market. Buyers of that data will probably only use a subset of that data, so your data could be sold, just not used. You can check if your passwords have been leaked by examining data sets of leaked latest (e.g. Have I Been Owned; I recommend not actually sending important info here).

                  There are two routes to go here:

                  1. Use proper security - high quality password manager, self-host your data (Bitwarden allows this)
                  2. Reduce the impact of a breach (don’t use debit cards online, monitor credit card statements, etc)

                  The second is probably sufficient for most people though.

                  One important thing to note is that the main reason to go with a password manager is to have really secure passwords that are unique for each site. That way if one service gets breached, attackers can’t just use the same credentials on other sites. Browser password managers don’t do that, so you’re opening yourself up to that if you’re not careful in constructing good, unique passwords. I have >100 accounts, each with their own password, and that just wouldn’t be feasible without a password manager.

                  • @[email protected]
                    1 · 9 months ago

                    I was with you right up until the unique passwords. I do use a different randomly generated password for each site.