Saving passwords in the browser vs chance of keyloggers listening for keystrokes

Opinions:  Better to allow passwords to be stored in the browser or not allow but risk a keylogger capturing input data in the future by not storing passwords?
Scott Fell, EE MVEDeveloper & EE ModeratorAsked:
JohnBusiness Consultant (Owner)Commented:
You should make sure your computer is very secure. Mine is and keyloggers are a non-issue. That does not happen to me.

And yes, I do store passwords via Internet Explorer in Windows Credentials.
0

Dave BaldwinFixer of ProblemsCommented:
I'm not worried about keyloggers either and I allow all my browsers to store passwords for me.  I'm pretty sure that all the browsers encrypt the usernames and passwords that they store.

The main security issue about letting the browser save your credentials is when other people can use your computer and can login to your accounts without your permission.  Since I'm the only one here, that's not a problem for me.
0
dgrafxCommented:
I don't believe one can detect commercial key-loggers with programs such as Malwarebytes but can detect "bad" key-loggers. So keep your computer secure - don't let unauthorized people on them - routine updates - scan for malware - et cetera ...

I too am not worried about them ...
But at the same time I wouldn't completely ignore the potential threat.

And I also let browsers save this info for me - very handy and I "trust" that the info is secure enough.

Not the greatest answer in the world but just trying to help!
0
Scott Fell, EE MVEDeveloper & EE ModeratorAuthor Commented:
This came up because I suggested not to let the browser store passwords.   I typically don't and am a glutton for punishment, plus on some sites I used obscure passwords that I have to look up.   But somebody mentioned they were hacked because of a keylogger they didn't know about and felt it was more secure to not have to type in a password all the time.  

I thought that was a valid point.  

The use would not be of your experience.
0
Dave BaldwinFixer of ProblemsCommented:
A side note:  Chrome will 'auto-populate' fields even when the page says not to.
0
dgrafxCommented:
>>A side note:  Chrome will 'auto-populate' fields even when the page says not to.<<

Not sure what is meant by "even when the page says not to".

When you specify on an input autocomplete="off" then chrome will not fill it in.
i.e. <input type="text" name="x" autocomplete="off">
0
Thomas Zucker-ScharffSolution GuideCommented:
Browsers are the first place malware  will look for passwords. It is generally not a secure practice, IMHO, to allow any browser to remember passwords.  I use a password manager for that.   Since the password manager uses encryption,  there is less need to worry.  Key loggers cannot capture,  AFAIK, passwords if they are entered by a password manager.
0
JohnBusiness Consultant (Owner)Commented:
I think Credential Manager is encrypted as well, although entering may not be encrypted. But key loggers need to be installed and that is easy to thwart.
0
Dave BaldwinFixer of ProblemsCommented:
0
Thomas Zucker-ScharffSolution GuideCommented:
Firefox is probably the most secure.  But I have learned not to trust anything I don't completely understand.
0
Rich RumbleSecurity SamuraiCommented:
Unless you set a master password, none of your stored passwords are secure, they may be encrypted, but it's with a default string, which is no encryption at all really. You should not in my opinion trust the browser to store your passwords, and should use a password manager like PasswordSafe. PWD managers use harder to crack (rather SLOWER) algorithms for the master password than most browsers do. There are viri that steal direct from your browser's saved passwords, and if you've ever tried to recover even a master password protected browser password, you wouldn't trust the browser either.
Have a look at some of my articles around password choice and speed vs complexity.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
http://www.experts-exchange.com/Security/Misc/A_15519-How-to-make-stronger-and-longer-passwords.html
http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
IE has no master password. Chrome and Firefox don't offer to set a master password by default, however "null" is used as an encryption for the database, so technically they are encrypted by default. Please try to recover your own pass and see for yourself :) Nirsoft, securityxploded and even JohnTheRipper can recover the passwords with ease, JtR can do so against most popular password managers, but it will take longer because of password "stretching" techniques.
-rich
0
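An added example, not part of the thread and not any browser's or password manager's own code: it illustrates the "default string" and "stretching" points from the comment above with PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count, the vault layout and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time

STRETCHED = 200_000      # assumed iteration count, not any product's real setting
CHECK = b"vault-check"   # constructed constant used to verify a derived key


def derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the password is run through HMAC `iterations` times."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)


def make_vault(master: str, iterations: int) -> dict:
    """Return what sits on disk: salt, iteration count and a key verifier."""
    salt = os.urandom(16)
    key = derive_key(master, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "verifier": hmac.new(key, CHECK, hashlib.sha256).digest()}


def unlocks(vault: dict, candidate: str) -> bool:
    """True if `candidate` derives the key the vault was sealed with."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    tag = hmac.new(key, CHECK, hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault["verifier"])


def seconds_per_check(vault: dict, trials: int = 3) -> float:
    """Average wall-clock cost of testing one candidate password."""
    start = time.perf_counter()
    for _ in range(trials):
        unlocks(vault, "wrong-candidate")
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    no_master = make_vault("", STRETCHED)          # no master password set
    fast = make_vault("correct horse", 1)          # unstretched
    slow = make_vault("correct horse", STRETCHED)  # stretched
    # With no master password, everything needed to unlock is in the file itself.
    print("empty master unlocks by default:", unlocks(no_master, ""))
    print("per-check cost, 1 iteration: %.6fs" % seconds_per_check(fast))
    print("per-check cost, stretched:   %.6fs" % seconds_per_check(slow))
```

Stretching only raises the cost of each password check; a store sealed with an empty master password opens for anyone who can read the file, however many iterations are configured.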
BillDLCommented:
Coincidentally I was recovering some passwords last night on somebody else's computer using some of the free programs by Nir Sofer (Nirsoft) as suggested by richrumble.

I did read that he had had to remove the command line options from many of his programs in an effort to prevent Google from flagging his site as malicious because they own the online malware scanning site VirusTotal.  His programs are frequently flagged as potentially unwanted programs because they dig deep into the system, mimic some malware activity, and could potentially be used from the command line for malicious purposes.

As an example, the password for a configured POP3 email account in Windows Live Mail is stored in an XML-tagged plain text file as an encrypted string that is easily and instantly decrypted by Mail Pass View (http://www.nirsoft.net/utils/mailpv.html).

Password "vaults" like KeePass allow you to copy out a password and paste into a field outwith the program, don't they?
I wonder whether the Windows clipboard is used, in which case it would be easy to grab the contents of the clipboard using fairly standard scripted methods.

I do not allow passwords to be cached by the browser for sensitive sites, but for the likes of EE I have no problem as the password is quite unique from the general pattern that I use for some of my other more secure passwords, and I have no really personal info available to steal.
0
Rich RumbleSecurity SamuraiCommented:
The windows clipboard is used, and there are Viri for password managers too:
https://www.schneier.com/blog/archives/2014/11/citadel_malware.html
http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-victims-master-passwords/
Copy and Paste is easily grabbed by a keylogger, and it's not hard to target specific pages or applications, but copy and paste in my experience is far less targeted.
I still use the password manager over the browser storage. I have my favorites, and I use private or incognito browsing for every session, but I'm a tin-foil-hat type. Also it being the holidays, buy gift cards with cash at a brick and mortar, then go online and make your purchases with the gift cards ;p
-rich
0
Scott Fell, EE MVEDeveloper & EE ModeratorAuthor Commented:
Thank you everybody for your insight.
0
Thomas Zucker-ScharffSolution GuideCommented:
Hope we helped some.
0
BillDLCommented:
Thank you Scott
0
JohnBusiness Consultant (Owner)Commented:
Thanks Scott, and I was happy to help.
0