Passwords and your browser

Hello everyone, this time a post about something not specifically related to Second Life. Today’s topic: how your browser can show your saved passwords.

In this article I use several internet browsers for Mac OS X Mavericks as an example. While most of you will be using Windows, there will be little to no differences between the browsers per operating system. At this moment I am unable to check the exact differences however, nor can I check out Internet Explorer.

Before we start

Before we start, I would like to encourage you to start changing some passwords as well, since a recent security bug called Heartbleed possibly allowed the exposure of passwords and other personal data of millions of accounts. At the bottom of this article you’ll find several useful links regarding passwords and Heartbleed.

Your passwords can be shown to anyone

Browsers save your password together with the link to the page on which to use the password and the username that goes with it; they store this in an internal password manager.

Password managers don’t only save your password to automatically fill in forms, they can also be accessed from your browser and optionally show your password. Let this sink in for a moment: browsers can show your saved passwords in plain text.

Ok, now get back in your chair, as now you’re going to view some of your saved passwords. Firstly, find your browser in the list below and follow the instructions to get to the password manager. If you’re using another browser, try to find it yourself. Usually the manager is located somewhere under security, forms or autofill settings in the browser’s preferences.

Chrome (Google)
Go to the following link: chrome://settings/passwords
Or go to: Preferences/Settings → Show advanced settings… → Manage saved passwords (under Passwords and forms)

Firefox (Mozilla)
Go to: Preferences → Security → Saved passwords…

Opera (Opera Software)
Go to: Preferences → Forms → Password Manager…

Safari (Apple)
Go to: Preferences → Passwords

I’ve found my browser’s password manager

So you’ve found your password manager. Likely you’ll see a list of websites, user names and passwords. The password characters are replaced with bullets by default, just like a password field in a form.

To show a password, you can generally click or double-click it. If that doesn’t work, you’ll probably quickly spot a button, checkbox or something else suggesting you can show the password. You might not get to see your password immediately, as browser manufacturers have often built in extra security features.

One security feature for browsers on Mac is that the browser prompts you for your operating system user account details (including password) before allowing you to view the password. Chrome and Safari, for example, store passwords in Mac’s Keychain rather than in application files. Firefox allows you to use a master password to protect your saved passwords.*

That’s showing passwords 101, it’s rather easy when you know where to look, isn’t it?

*I cannot with certainty tell you exactly how each browser saves and protects passwords, so I will not judge the level of protection each of these applications offers.

So now what?

You may wonder what to do next. First and foremost I recommend: don’t panic! There are many people who are not aware of this functionality in browsers, and not everyone who is aware of it is out to get your passwords.

One thing I always keep in mind is that if someone gets access to my browser, (s)he can do a lot more harm than just open the password manager.
A user can visit websites you’re logged into (Facebook and Twitter for example) and even worse: open up your e-mail client. Usually when you have access to someone’s e-mail account, you can pretty much take over their digital life. So my main tip would be: don’t lend out your computer to people you don’t trust and don’t leave it out of sight or unlocked.

There are also external password managers. These often have desktop and mobile applications and browser extensions which allow you to sort account information, autofill form data, automatically log in to websites, etc. These managers allow you to generate super complicated and long random passwords and save them for you, without binding them to a specific browser.
I use a paid password manager which suits my taste. There are many of these around; you could try LastPass—which is free—to see if a manager like this is something for you.

To break in an open door: don’t use the same password for every account. Also, try to make a password more than eight characters long (I use between 16 and 24 characters mostly). Use special characters mixed with uppercase and lowercase letters. The best password is one you cannot remember.
Also remember to change your passwords to services that have been recently hacked. If you use the same password for multiple services, change your password for each of these services, as hackers try out stolen passwords on multiple websites.
To break in another open door, also don’t use simple passwords. Once you’ve read this article, visit a search engine and search for terms like “most popular passwords” and “most used passwords” and you’ll see exactly what I mean by simple.
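
The tips above (no reuse, more than eight characters, mixed character classes, nothing from a "most used" list) can be checked against the kind of entries a browser saves. This is an added example, not part of the original article; the logins, the short common-password list and the function names are all constructed for illustration.

```python
import string
from collections import defaultdict

# Constructed sample of browser-manager entries (site, username, password); not real.
SAVED_LOGINS = [
    ("https://mail.example", "alice", "password"),
    ("https://forum.example", "alice", "Tr0ub4dor&3xtra-Long!"),
    ("https://shop.example", "alice", "Tr0ub4dor&3xtra-Long!"),
    ("https://bank.example", "alice", "k#9Vq2!zLw7@Xe4$RtB8"),
    ("https://blog.example", "alice", "Summer14"),
]
# Short stand-in for a "most used passwords" list (assumption: load a real one from a file).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
MIN_LENGTH = 9  # the article asks for more than eight characters


def missing_classes(password):
    """Return the character classes (lowercase, uppercase, special) the password lacks."""
    checks = [("lowercase", str.islower), ("uppercase", str.isupper),
              ("special", lambda c: c in string.punctuation)]
    return [name for name, test in checks if not any(map(test, password))]


def audit(logins):
    """Map each site to the rules its saved password breaks; passwords are never echoed."""
    sites_by_password = defaultdict(list)
    for site, _user, password in logins:
        sites_by_password[password].append(site)
    findings = {}
    for site, _user, password in logins:
        problems = []
        if password.lower() in COMMON_PASSWORDS:
            problems.append("common password")
        if len(password) < MIN_LENGTH:
            problems.append("too short")
        missing = missing_classes(password)
        if missing:
            problems.append("missing " + ", ".join(missing))
        reuse = len(sites_by_password[password])
        if reuse > 1:
            problems.append("reused on %d sites" % reuse)
        if problems:
            findings[site] = problems
    return findings


if __name__ == "__main__":
    for site, problems in audit(SAVED_LOGINS).items():
        print(site + ": " + "; ".join(problems))
```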

While even long passwords with special characters can be cracked, there is an extra authentication method which takes most of that risk away: two-factor authentication AKA two-step verification AKA multi-factor authentication. Hereafter referred to as TFA.
TFA combines something you know (a password) with something you have. Something you have can be a smartphone or a security token like a YubiKey. CMSes like (but not limited to) WordPress and Joomla! already have this baked into their core, while there are several third-party modules for Drupal offering this functionality.
Not only is TFA one way to prevent unauthorised access to your accounts, it might also contribute to the downfall of passwords. More and more security experts have concluded that passwords are obsolete or are not the best security measure. For now however, we’re still stuck with these, so don’t use this as an excuse to not manage your passwords properly!

Round up

Like I mentioned before, I don’t think you should panic about this much. For as long as you are aware of your browser’s capabilities, you can act accordingly.

Thus far, the browsers I’ve used have not thrown passwords out in the open, which is good. I am quite protective of my laptop however and don’t allow others behind it unless I’m sitting right next to them. Of course, you can go as paranoid as you want on this topic, but that’s up to you to decide.

So before you go off to search for the most popular passwords on the internet and then change your existing passwords, I’d like to leave you with some general internet wisdom: privacy does not exist on the internet. Anything you post is publicly available and can be used against you.

That’s it folks, don’t forget to check out the links below. Until later!

