Browsers: Protecting Stored Passwords

Web browsers can store login passwords so the user does not need to type them for each website. However, this creates a degree of risk from the following scenarios:

• Another user physically or remotely accesses the machine while it is logged-in;

• Malware runs on the machine and can exfiltrate the passwords; or

• The machine is stolen and the passwords can be retrieved from the disk (where Bitlocker is not used, for example).

These risks can be mitigating by adding a password for the password database.

Firefox

1. In the address bar, enter:

   about:preferences#privacy

2. Scroll down and enable Use A Primary Password.

   This password will be prompted for each new browser session, so it needs to be something that can be remembered, easily typed, but long enough to resist brute-force password-cracking attacks. For example, I live in Adelaide! or Running Up That Hill.

3. For maximum security, close the browser when not in use so the password and decrypted password database do not remain in memory.