Which Browser Offers the Most Secure Password Storage?

Considering the availability of browser-based password management and auto-fill systems and the intuition that you should never put all your eggs in one basket, do the three major browsers offer robust enough security features to justify trusting them with your passwords and, in some cases, credit card information? 

Considering the availability of browser-based password management and auto-fill systems and the intuition that you should never put all your eggs in one basket, do the three major browsers offer robust enough security features to justify trusting them with your passwords and, in some cases, credit card information? 

Both Google Chrome and Mozilla Firefox’s latest iterations store viewable lists of all stored passwords. By default, anyone signed into your Windows account will be able to view passwords or other auto-fill data stored on Firefox and Google’s operating systems, according to Eric Geier in PC World.  If you are going to use browser-based password storage, Firefox is the most secure option due in large part to a built in master password feature, Geier said. The feature is not enabled by default, but once it’s turned on, it encrypts any passwords stored on Firefox and makes it so those signed into your Windows account will need a password to view saved passwords in the Firefox settings.

Furthermore, and perhaps even more securely, if the master password setting is enabled, users will be required to provide that password the first time they use a saved password each browsing session.

Unlike Firefox, Chrome offers no master password protection. Passwords are obscured by asterisks in Chrome’s settings, if a user highlights any given password and clicks show, then they can view that password in plaintext. Unlike the other two browsers, users can change passwords from within the settings page, which is a neat feature, but doesn’t do much in the way of security. Chrome, Geier points out, will not sense password changes on its own, so if you do change a password, then you’ll have to change it in the settings. Also problematic for Chrome is that it, unlike Firefox, will store credit card details, including full card name, numbers, and expiration dates.

Internet Explorer 9, Geier writes, offers the most basic password storage. Unlike the other two browsers, there is no way to view or edit passwords in the settings. In fact, all you can do in the settings is regulate which general information is being stored (usernames, passwords, forms, etc.) or delete all autocomplete history altogether. While its features pale in comparison to those of its primary competitors, the default autocomplete settings provide ample protection to the passwords themselves, although users on your Windows account will still be able to access any online accounts stored by autofill if they know where to look on the web.

Suggested articles

Discussion

  • Daniele on

    And what about Safari?

    It uses Apple's Keychain to store passwords, which requires a master password to display them.

  • Pat on

    Whose side are the browsers on?  Nowhere else in this country is such an invasion of a client's privacy permitted.  The Net has gone too far.  It's time to start regulating its practices at least as far as the Federal Pivacy Act goes.  Good grief, Charlie Brown. Thanks, Threadpost!!!

  • Anonymous on

    Hey, Google Chrome, get your act together and make my passwords more secure!

  • Anonymous on

    Firefox could still be better. Once the user has entered his/her master password, the individual passwords are accessible to site owners through Javascript. Bad enough for me to revert back to Keepass.

  • Muhammad Badi on

    Actually I just moved from Chrome to Firefox before I even read this article. Checking the available options and seeing "saved passwords" was so scary to me and when I clicked it and my passwords were shown, I felt electricity going through my body!

    Enabling a master password with Firefox is a must and I think Mozilla should send users move awareness articles on that. This is a serious dangerous feature if left just like that.

  • Jan van Niekerk on

    Nobody seems to have thought of protecting different security levels with different passwords. I'm quite happy to store my bank password, but why must I store it with my twitter sock puppet password which I don't care for? Who says twitter is not going to eat or expose my bank password?
  • Joshua on

    Google Chrome on Mac OS X uses the Macintosh Keychain for password storage.

     

  • Opera Fanboy on

    Opera has a "Master Password" feature...

  • Anonymous on

    One way to address the issue is to programmatically insure that passwords are wiped upon completeion of browser session or idle-time. SonicWall, Microsoft, and Array Networks offer such features through their secure remote access agateways, supporting the leading browsers on Mac and Windows. OPSWAT has a Windows-only solution called Secure Virtual Desktop, which supports any browser (the solution upon instantiation redirects all activity both browser and file system, to secure space, deleting same on session termination).

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.