Browsers: Protecting Stored Passwords
Web browsers can store login passwords so the user does not need to type them for each website. However, this creates a degree of risk from the following scenarios:
- Another user physically or remotely accesses the machine while it is logged in;
- Malware runs on the machine and can exfiltrate the passwords; or
- The machine is stolen and the passwords can be retrieved from the disk (where BitLocker is not used, for example).
These risks can be mitigated by adding a password for the password database.
- In the address bar, enter:
- Scroll down and enable Use A Primary Password.
The browser prompts for this password at the start of each new browser session, so it needs to be something that can be remembered and easily typed, but long enough to resist brute-force password-cracking attacks. For example, "I live in Adelaide!" or "Running Up That Hill".
- For maximum security, close the browser when not in use so the password and decrypted password database do not remain in memory.