Most current Web browsers include some kind of password management. But can you trust your browser? We take a look.
For privacy, Chrome masks each saved password with asterisks, but you can click the entry and press the Show button to reveal the actual password. You can also change the password, but unfortunately Chrome doesn’t sense password changes, so it won't prompt you when you log in to a site with a new password. You must go to the saved password entry and update it manually.
You can view a list of all saved addresses and credit card details, including the name on card, the account number, and the expiration date. Chrome partially masks your credit card numbers with asterisks, but you can click the entry and then click Edit to reveal the full number. The only card detail not saved is the card's security code, which is often—but not always—required to make purchases.
Unfortunately, Chrome doesn’t offer a master password feature like Firefox does in order to protect all your passwords and credit card details. Thus, anyone who’s logged on to your Windows account can view all the saved passwords and credit card details.
Chrome offers a syncing feature to keep most of your settings and saved data (including passwords, but not credit card details) synced across multiple computers and devices, but this creates another security vulnerability. By default, Chrome only requires you to enter your Google account password to set up a new computer or device to sync your browsing data. This is a great convenience; but if your Google account password is hacked, the intruder can potentially access a list of all your passwords unless you set a syncing passphrase, as we’ll discuss.
Chrome's sync settings.To keep your saved passwords secured during syncing, Chrome encrypts them when they travel from your computers or devices to Google's servers (and vice-versa). You can also set the browser to encrypt all other synced data.
By default, Chrome uses your Google account password to encrypt and decrypt the synced data, but you can enter another passphrase if you want to add an extra layer of protection to your synced data. When you set up Chrome to sync on a new computer or device, you'll need to sign in with your Google account password and then also enter your encryption passphrase.
Firefox offers advanced password-saving features that are even better than Chrome's. But while Firefox doesn’t natively support saving credit card details, at least that's one less security issue you need to worry about. As with Chrome, you can browse, search, and remove saved passwords via the Firefox settings.
Saved passwords in Firefox.
Though you can’t change the passwords in the settings, Firefox automatically senses password changes you've made elsewhere and asks if you want to update your password when you log on to a site with a password that’s different than what’s saved on your PC.
Unlike Chrome, Firefox lets you set a master password to encrypt and password-protect the saved password list.
Firefox lets you set a "master password" to add an extra layer of security.
You must enter the master password the first time you use a saved password, once per browser session. Additionally, even though you enter the master password the first time, you must always enter it before you can view saved passwords via the list in the Firefox settings. This is a great feature to help prevent casual snooping of your passwords, and it even prevents most third-party utilities from recovering them.
Firefox can also sync your passwords, settings, and other saved data among multiple computers and devices.
This is similar to what Chrome provides, but by default Firefox encrypts all synced data instead of just your saved passwords. Additionally, there’s more security when you add a new computer or device to your Firefox Sync account. You can either enter a passcode from the new device into one that you've already set up, or take the recovery key from a device you've already set up and input it into the new device after logging in to your Firefox Sync account.
Internet Explorer 9 helps prevent casual snooping—there’s no list of saved passwords in the settings—but it doesn’t provide any advanced security features to prevent someone on your Windows account from using third-party utilities to recover your passwords.
Google Chrome 21 allows anyone on your Windows account to view your list of saved passwords and credit card details, so be careful who you let on. And if you sync your browsing data across multiple computers and devices, consider turning on encryption of all data and setting a custom passphrase for double-protection.
Firefox 14 also by default allows anyone on your Windows account to view your list of saved passwords, but you can create a master password to encrypt and protect them. And if you use the browser syncing feature, Firefox offers great security.
Of the three browsers we reviewed, I’d choose Firefox for the best password security thanks to its master-password feature, but I’m also eager to see the final version of Internet Explorer 10 for both Windows 7 and 8.
I’ll leave you with some additional tips to help you boost the security of your passwords:
- Never save passwords or sync browser data on other people’s computers.
- Try to use different passwords for each site—at least for banking and other sensitive accounts.
- Password-protect your Windows account.
- Create separate Windows accounts for each user, or at least for those you don’t fully trust.
- For extended family or friends, utilize the Guest Windows account.
- Use a good antivirus program and keep it updated.
- Think about fully encrypting laptops, netbooks, and mobile devices.
- Look into third-party password-management services like LastPass or KeePass.
Eric Geier is a freelance tech writer. He’s also the founder of NoWiresSecurity, which provides a cloud-based Wi-Fi security service for businesses, and On Spot Techs, which provides on-site computer services.