We often warn that browser-based password managers lack the security and features of dedicated password software. But still, they’re better than nothing, right? A new report from AhnLab ASEC suggests otherwise: passwords stored in your browser are an easy target for infostealer malware, and using a unique password for every account does not help when all of them are lifted at once.
While investigating a recent data breach, researchers at AhnLab ASEC found that hackers stole company login information from a remote worker’s browser. The hackers used RedLine, a widely sold infostealer that costs between $150 and $200, to retrieve this login information. The antivirus software on the machine did not detect the malware, which was probably delivered by a phishing email.
Browsers like Chrome and Edge enable their password manager by default, and it stores every saved login in a local database file (Chrome calls it “Login Data”) with the site URL, the username, the encrypted password, and the date the entry was created. Because the key that protects those passwords is tied to the logged-in user, any malware running in that user’s session, RedLine included, can read and decrypt the file, and the operators then use the credentials themselves or sell them to other bad actors.
To close this hole, you need to disable your browser’s built-in password manager entirely. Telling your browser not to remember the login for a particular site isn’t enough: it still records that site’s URL in the same database, which tells an attacker the account exists and where to aim credential stuffing or phishing even without the password. (Such entries are especially valuable when they point at a work account behind a VPN or firewall.)
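To see exactly what a stealer gets from that database, here is an added Python audit script; it is not code from the AhnLab ASEC report or from RedLine. It opens a copy of a “Login Data” file, lists the saved entries with their URL, username and creation date, and separately lists the URLs the user clicked “Never” for (Chrome keeps those rows with `blacklisted_by_user` set to 1). It deliberately does not decrypt the password blobs. The `logins` table it builds for the demo is a constructed subset of Chrome’s real schema, and the sample rows are made up; on a real profile, point `audit_login_data` at the file under the browser’s user data directory.

```python
"""Audit a Chrome/Edge "Login Data" SQLite file for what an infostealer would see.

Added example, not from AhnLab ASEC, BleepingComputer or RedLine.
Only a subset of the real `logins` columns is used; the sample data is constructed.
"""
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome stores date_created as microseconds since 1601-01-01 UTC (WebKit time).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    """Convert a WebKit microsecond timestamp to an aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_datetime, done in integer arithmetic to stay exact."""
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def audit_login_data(db_path):
    """Return (saved, declined) for a Login Data file.

    saved:    list of dicts for rows holding a stored credential
    declined: list of URLs the user told the browser never to save for;
              the URL itself still sits in the database.
    The file is copied first because the browser holds a lock on the live one.
    """
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "Login Data"
        shutil.copy2(db_path, copy)
        conn = sqlite3.connect(copy)
        try:
            rows = conn.execute(
                "SELECT origin_url, username_value, password_value, "
                "date_created, blacklisted_by_user FROM logins"
            ).fetchall()
        finally:
            conn.close()
    saved, declined = [], []
    for url, user, pw_blob, created, blocked in rows:
        if blocked:
            declined.append(url)
        else:
            saved.append({
                "url": url,
                "username": user,
                # Real values are encrypted blobs; we only report their size.
                "password_bytes": len(pw_blob or b""),
                "created": webkit_to_datetime(created).isoformat(),
            })
    return saved, declined


def make_sample_db(path):
    """Build a constructed database with the columns the audit reads."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
        "password_value BLOB, date_created INTEGER, blacklisted_by_user INTEGER)"
    )
    ts = datetime_to_webkit(datetime(2021, 12, 1, tzinfo=timezone.utc))
    # "v10" prefix mimics Chrome's AES-GCM format; the bytes after it are dummy.
    conn.executemany("INSERT INTO logins VALUES (?,?,?,?,?)", [
        ("https://vpn.example.com/login", "jdoe", b"v10" + b"\x00" * 32, ts, 0),
        ("https://mail.example.com/", "jdoe@example.com", b"v10" + b"\x00" * 40, ts, 0),
        ("https://hr.example.com/", "", b"", ts, 1),  # user clicked "Never"
    ])
    conn.commit()
    conn.close()


def demo():
    """Create the sample file, audit it and return the result."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "Login Data"
        make_sample_db(sample)
        return audit_login_data(sample)


if __name__ == "__main__":
    saved, declined = demo()
    for entry in saved:
        print("saved   ", entry["url"], entry["username"], entry["created"])
    for url in declined:
        print("declined", url)
```

The split between `saved` and `declined` is the point of the article: the first list is what the malware decrypts and sells, and the second list is the set of sites you thought you had kept out of the browser but whose URLs are still sitting on disk.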
We strongly suggest disabling your browser’s built-in password manager and using dedicated software. There are plenty of good free and paid options, and Chrome, Edge, and Firefox can all export their saved passwords for import into one. Two details matter: switching the setting off does not delete what is already saved, so clear the stored passwords after you export them, and on managed machines you can enforce the setting with the PasswordManagerEnabled browser policy rather than relying on each user to remember.
Source: AhnLab ASEC via Bleeping Computer