Considering the availability of browser-based password management and auto-fill systems and the intuition that you should never put all your eggs in one basket, do the three major browsers offer robust enough security features to justify trusting them with your passwords and, in some cases, credit card information?
Both Google Chrome and Mozilla Firefox’s latest iterations store viewable lists of all stored passwords. By default, anyone signed into your Windows account will be able to view passwords or other auto-fill data stored on Firefox and Google’s operating systems, according to Eric Geier in PC World. If you are going to use browser-based password storage, Firefox is the most secure option due in large part to a built in master password feature, Geier said. The feature is not enabled by default, but once it’s turned on, it encrypts any passwords stored on Firefox and makes it so those signed into your Windows account will need a password to view saved passwords in the Firefox settings.
Furthermore, and perhaps even more securely, if the master password setting is enabled, users will be required to provide that password the first time they use a saved password each browsing session.
Unlike Firefox, Chrome offers no master password protection. Passwords are obscured by asterisks in Chrome’s settings, if a user highlights any given password and clicks show, then they can view that password in plaintext. Unlike the other two browsers, users can change passwords from within the settings page, which is a neat feature, but doesn’t do much in the way of security. Chrome, Geier points out, will not sense password changes on its own, so if you do change a password, then you’ll have to change it in the settings. Also problematic for Chrome is that it, unlike Firefox, will store credit card details, including full card name, numbers, and expiration dates.
Internet Explorer 9, Geier writes, offers the most basic password storage. Unlike the other two browsers, there is no way to view or edit passwords in the settings. In fact, all you can do in the settings is regulate which general information is being stored (usernames, passwords, forms, etc.) or delete all autocomplete history altogether. While its features pale in comparison to those of its primary competitors, the default autocomplete settings provide ample protection to the passwords themselves, although users on your Windows account will still be able to access any online accounts stored by autofill if they know where to look on the web.
