However, there is a very good reason why security experts constantly warn users to stay away from the built-in password manager of their browsers. And the latest research conducted by Princeton’s Center for Information Technology Policy might as well be the final nail in the coffin of browser password managers, since all that is needed for advertisers (and hackers) to get your details is a login stored into the browser’s own password manager to use for autofill later.
The invisible hand that mugs you without you knowing it
Everybody knows how autofill works: you access a website that you have already visited a couple of times and, once the login information is saved to the browser’s built-in password manager, the browser will automatically fill out the necessary boxes without any intervention on your part. In normal cases the password manager only does this when the web developer specifies certain input boxes for the login form – and that’s the weakness that has been exploited by two tracking scripts, AdThink and OnAudience.
These scripts plant invisible login forms in an advert of the website, fooling the password manager into thinking that it’s a legitimate login form that needs to be filled out. So, every time you visit another page on the same website, the browser’s password manager falls for the same trick again and again, while the scripts sniff out your email data and send it in a hashed form to third parties to be used for targeted advertising – and you wouldn’t even notice this happen until it’s too late.
Today your emails, tomorrow your passwords
Advertisers following us everywhere and shoving unwanted ads in our faces based on the information gathered about us in such a dubious way is already a creepy thought in itself, but what’s more frightening is that there is no guarantee that these companies will stop at just email addresses. The next target could easily be your passwords and credentials.
From that point on, it’s only a matter of time before the scripts that could sniff out emails and passwords are exploited by hackers. Just imagining the effects it’d have on the world’s internet users is enough to send shivers down anybody’s spine.
Princeton’s demo showing how password could be sniffed
Fighting fire with third party password managers
This case proves once and for all that no matter how convenient their use may be and how fast this vulnerability will be fixed, built-in browser password managers should be ditched by users as soon as possible in favor of third party solutions like the ones tested by our experts.
These password management programs need to import the necessary data from browsers only once, after which all sensitive information will be locked behind a vault that is encrypted by military-grade encryption and is protected by a strong master password. This master password, in fact, is the only thing you need to keep in mind, since all the other passwords can be changed to something truly unbreakable without the need to remember them.
To make things better, password managers are also capable of autofilling the necessary information into login forms via their handy browser extensions but, unlike the browser’s own built-in password management solution, the login information always stays encrypted and therefore prevents advertisers and hackers from ever knowing anything about you.
User feedback