Don't let your web browser save your passwords — here's what to do instead
Browsers just aren't safe enough to hold that kind of information
Sometimes you shouldn't use a password manager — if that password manager happens to be the one built into your desktop web browser.
That's because desktop web browsers, despite their best efforts, tend to do a lousy job of safeguarding your passwords, credit-card numbers and personal details, such as your name and address.
Web browsers are fairly easy to break into, and lots of malware, browser extensions and even honest software can extract sensitive information from them.
Instead, you should save passwords in a stand-alone password manager, or even just write them down in a book. You should then purge at least all your passwords for sensitive accounts — anything to do with money, shopping, webmail or social media — from your web browsers. We'll show you how below.
Top password managers
1. LastPass is our favorite password manager
LastPass is our choice for best password manager because of its ease of use, its support for all major platforms and its wide range of features.
2. 1Password is a strong runner-up
1Password has gone from being primarily for Apple users to being one of the best, most full-featured password managers available today.
Crossing a red line
For the past couple of years, for example, a particularly nasty piece of malware has been making the rounds. It's called RedLine and it steals passwords and other sensitive data from most browsers on Windows, including Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and Brave.
As security firm Proofpoint observed in its initial writeup of RedLine in March 2020, the malware "steals information from browsers such as login, autocomplete, passwords, and credit cards."
"It also collects information about the user and their system such as the username, their location, hardware configuration, and installed security software," the report added. "A recent update to RedLine Stealer also added the ability to steal cryptocurrency cold wallets."
Most recently, RedLine has been spotted posing as a bogus Windows program that tracks the spread of the Omicron variant of the COVID-19 virus. Like earlier versions of RedLine, this strain is likely being distributed via email.
Password stealers are not uncommon
RedLine runs on Windows, but Mac browsers aren't immune to password stealers. Cross-platform malware called XLoader steals passwords from Macs and PCs alike. Hacks exist for Apple's Keychain password manager, which is used by Apple's Safari browser if you log into Keychain across multiple Macs.
Because Chromium-based browsers such as Chrome, Edge, Brave and Opera share the same underpinnings, you can download and run free software to get information from them on macOS, Windows or Linux. Free software to extract passwords from Windows browsers has been around for at least a decade.
You don't even need to have malware or a malicious browser extension running to have your passwords stolen. If your desktop web browser automatically fills in form fields with saved passwords — and several do by default — then websites can read those auto-filled passwords without having to do anything devious to your machine.
How to deal with passwords saved in your web browser
So what should you do with all those passwords and other information you've been letting your browser remember and save?
The most obvious step is to use a stand-alone password manager. You have to pay for some of the best password managers, but others are free to use. They're not totally immune to malware, but they're a lot safer to use than web browsers for saving your passwords.
Like web browsers, most stand-alone password managers will offer to save passwords as you enter them. They also let you save credit-card numbers and address information as well as passwords. It's also easy to export passwords saved on your browser in a form that can be imported by a password manager.
You could also write down passwords and other sensitive information on a piece of paper or in a notebook and keep that locked up at home. There's no shame or harm in taking that route, and there's no risk of malware stealing the pages.
How to stop your web browser from saving your passwords
Following are further steps you need to take to purge your passwords from your web browser.
In most cases, the Settings menu is found by clicking on the three dots or lines in the top right corner of the browser window. In Opera, you access Settings by clicking the Opera icon in the top left. As for Safari, it does things its own way.
Brave: Settings > Advanced > Autofill. Toggle off "Offer to save passwords."
Chrome: Settings > Autofill. Toggle off "Offer to save passwords."
Edge: Settings > Profiles > Passwords. Toggle off "Offer to save passwords."
Firefox: Settings > Privacy & Security. Scroll down to Logins and Passwords and uncheck "Ask to save logins and passwords for websites."
Firefox also gives you the option of designating websites for which the passwords will never be saved.
Opera: Settings > Advanced Settings > Autofill > Passwords. Toggle off "Offer to save passwords."
Safari doesn't have a specific setting to stop password saving, but it will stop asking if you take the steps below to stop auto-filling passwords.
How to make sure your web browser doesn't autofill your passwords
Brave: Settings > Advanced > Autofill. Toggle off "Auto Sign-in."
Chrome: Settings > Autofill. Toggle off "Auto Sign-in."
Edge: Settings > Profiles > Passwords. Edge won't let you turn off autofill, but it lets you choose whether to automatically fill in passwords or to first prompt you for the device password (your Windows account login) before autofilling. If you select the latter option, you can further choose whether to always ask for the device password or to ask only once per browsing session.
Firefox: Settings > Privacy & Security. Scroll down to Logins and Passwords and uncheck "Autofill logins and passwords."
Opera: Settings > Advanced Settings > Autofill > Passwords. Toggle off "Auto Sign-in."
Safari: Safari (in menu bar) > Preferences > select Autofill tab. Uncheck "User names and passwords" and "Credit cards." You can also go to Preferences > select Passwords tab and uncheck "AutoFill usernames and passwords," but that won't affect saved credit-card numbers.
How to export your browser passwords
Your browser can export a list of saved passwords as a comma-separated-values (CSV) file, which you can open with Excel or another spreadsheet program. Stand-alone password managers can also import CSV files.
Brave: Settings > Advanced > Autofill. Click the three stacked dots opposite "Saved Passwords," then select "Export passwords."
Chrome: Settings > Autofill. Click the three stacked dots opposite "Saved Passwords," then select "Export passwords."
Edge: Settings > Profiles > Passwords. Click the three horizontal dots opposite "Saved passwords," then select "Export passwords."
Firefox: Settings > Privacy & Security. Scroll down to Logins and Passwords and click "Saved Logins." You'll be taken to a new tab entitled "Firefox Lockwise" that will list all your saved passwords. In the upper right of the tab, click the three horizontal dots and select "Export Logins."
Opera: Settings > Advanced Settings > Autofill > Passwords. Click the three horizontal dots opposite "Saved passwords," then select "Export passwords."
Safari: File > Export > Passwords, then click "Export Passwords." You'll have to enter the password you use to log into the Mac to save the CSV file. (Note: This works only on macOS Catalina 10.15 and later.)
How to delete your browser's saved passwords
Finally, you'll want to delete the passwords saved in your web browser.
Brave: Settings > Advanced > Autofill. Click the three stacked dots next to each password entry, then select "Remove."
Chrome: Settings > Autofill. Click the three stacked dots next to each password entry, then select "Remove."
Edge: Settings > Profiles > Passwords. Click the three stacked dots next to each password entry, then select "Remove."
Firefox: Settings > Privacy & Security. Scroll down to Logins and Passwords and click "Saved Logins." You'll be taken to a new tab entitled "Firefox Lockwise" that will list all your saved passwords. In the upper right of the tab, click the three horizontal dots and select "Remove All Logins."
If you'd rather remove only some passwords in Firefox and keep others, you can select each entry individually in the left-hand navigation column on the Firefox Lockwise page, then click "Remove" in the upper-right part of the entry displayed in the main part of the page.
Opera: Settings > Advanced Settings > Autofill > Passwords. Click the three stacked dots next to each password entry, then select "Remove."
Safari: Safari (in menu bar) > Preferences > select Passwords tab. You'll have to enter your macOS password or use Touch ID to see the contents of the tab. Once you do, you can select each password entry individually, or shift-click to select multiple entries. Then click "Remove" at the bottom left of the window.
Which passwords to delete, and one more crucial step
It might be OK to let your browser remember passwords that don't really matter — for example, those that get you access to websites in which no financial transactions are involved. After all, some websites just want you to register your name and email address so they can send you spam later on.
But if there's a credit-card number tied to the account, or anything that involves money, be it an online store or a bank account, then get that password out of your web browser. The same goes for passwords for social-media and webmail accounts.
Whatever you do, don't reuse your passwords. If you do, then you expose yourself to credential-stuffing attacks. That's when crooks take passwords exposed in data breaches, phishing attacks or browser hacks and try using them on other accounts that you may have signed up for.
Put it this way: If one account gets hacked or otherwise compromised, then all the other accounts on which you've used the same password should be considered compromised as well.
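As an added example (not part of the original article), the Python script below audits a browser's exported CSV before you import it elsewhere: it groups sites that share one password and flags the sensitive accounts to purge first, without ever printing a password. It assumes the export has a header row with `url`, `username` and `password` columns; the sample rows are constructed and the `SENSITIVE_HINTS` keyword list is a hypothetical starting point.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export; real exports carry extra columns that vary by browser.
SAMPLE_CSV = """name,url,username,password
Example Bank,https://bank.example/login,pat,Tr0ub4dor&3
Example Shop,https://shop.example/account,pat@mail.example,Tr0ub4dor&3
Example Mail,https://mail.example/,pat,correct-horse-battery
Example Forum,https://forum.example/signin,pat99,hunter2
"""

# Hypothetical keywords for money, shopping, webmail and social-media sites.
SENSITIVE_HINTS = ("bank", "pay", "shop", "mail", "social")


def host_of(url):
    """Reduce a saved login URL to its lower-cased host name."""
    return (urlsplit(url).hostname or url).lower()


def audit(csv_text):
    """Return (reused, sensitive).

    reused    -- list of host groups that share one password
    sensitive -- hosts whose name matches a SENSITIVE_HINTS keyword
    """
    hosts_by_password = defaultdict(set)
    sensitive = set()
    for raw in csv.DictReader(io.StringIO(csv_text)):
        # Header capitalisation differs between browsers, so normalise it.
        row = {(k or "").strip().lower(): (v or "") for k, v in raw.items()}
        host, password = host_of(row.get("url", "")), row.get("password", "")
        if not host or not password:
            continue
        hosts_by_password[password].add(host)
        if any(hint in host for hint in SENSITIVE_HINTS):
            sensitive.add(host)
    # Passwords stay in memory only; the result names hosts, never secrets.
    reused = sorted(sorted(h) for h in hosts_by_password.values() if len(h) > 1)
    return reused, sorted(sensitive)


if __name__ == "__main__":
    reused, sensitive = audit(SAMPLE_CSV)
    for group in reused:
        print("same password on:", ", ".join(group))
    print("purge from browser first:", ", ".join(sensitive))
```

The exported CSV holds every password in plain text, so delete it once the import into your password manager is done.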
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
sarcastro: "That's because desktop web browsers, despite their best efforts, tend to do a lousy job of safeguarding your passwords, credit-card numbers and personal details, such as your name and address."
I don't think LastPass should be the top recommendation, especially in the context of this article, considering they keep proving themselves to be really lousy at this too.