As you navigate through Chrome, or Safari, or Firefox, or whatever your browser of choice is, you’re often given an enticing option: Would you like us to save your password? A recent browser breach is a reminder that if you answer yes, you’re taking a risk.
Late last week, the browser Opera confirmed a successful attack on its systems. The hackers were likely able to access personal information, company developer Tarquin Wilton-Jones wrote in a post announcing the breach, “including some of our sync users’ passwords and account information.”
Opera sync is that browser’s version of the feature that helps you coordinate passwords across devices. Save your Facebook password in Chrome or Safari or Opera on your desktop, and it’ll be there waiting for you on the mobile versions of those devices, as long as you’re logged in. While Opera says it encrypts all passwords it stores, it still reset all Opera sync account passwords, and asked people to reset passwords for third-party sites as well, “as a precaution.”
Of Opera’s 350 million users, only 1.7 million used sync in the last month, meaning the fallout is likely limited. The incident is a reminder, though, that while browser-based password syncing can be a terrific time-saver, it’s not a replacement for more serious security hygiene.
The issue isn’t that what happened to Opera will necessarily happen elsewhere; that’s a concern, but it’s not something that’s likely to be repeated at companies with more security resources at their disposal, like Google or Apple. The real concern is that while these browser-based password managers make life more convenient, they may offer a false sense of security. In fact, for the most part, it’s not at all clear how secure any of them really is.
“The cryptography details and implementation details should at least be documented somewhere, but they’re not,” says Evan Johnson, a systems engineer at CloudFlare who has studied password managers. “Chrome says ‘Your passwords are always encrypted,’ but this doesn’t say a whole lot,” says Johnson. Safari and Firefox aren’t much better.
Neither, for that matter, is Opera, which makes it difficult to assess the scope of the damage of last week’s hack. “Little is known about how Opera’s password synchronization is implemented,” says Jerome Segura, an analyst with Malwarebytes. “Users have to put their trust in the only developers that have full access to the code.”
If you were buying a safe, you’d want to know at least something about how secure its mechanisms are. For password managers, you mostly have to go on reputation. “It’s hard to say if any other company is doing a better job at protecting stored passwords because all we have to go by are their claims,” says Mark Burnett, author of Perfect Passwords. “It’s impossible as outsiders for us to truly know who is more secure or who will get hacked next.”
The Price of Convenience
Even if the company was more transparent, though, the central problem would remain: Browsers can do a lot to keep your password safe, but that security is always going to be a secondary focus. These features exist to make your life easier, not safer. (It’s the same old convenience-versus-security problem that plagues so much of our digital lives.)
“I think storing passwords with the browser is a bad idea with the ecosystem in place today. Browser password managers have not evolved much over the last five to eight years,” says Johnson.
That’s not to say they’ve been stagnant; Chrome, in particular, has recently taken important steps to improve its Chrome Password Manager. Last year, as part of its Smart Lock suite of features, Google introduced passwords.google.com, a central place where you can manage what passwords Chrome keeps. Access to the site is protected by two-factor authentication. Smart Lock also lets you skip the log-in process entirely with some apps, if you choose to activate that setting.
There is at least one potential benefit to this approach, however, according to Lorrie Cranor, FTC chief technologist and Carnegie Mellon computer science professor. She says that relying on your browser is at least better just reusing passwords. “You are likely to find out pretty quickly if there is a security problem with your browser password storage,” Cranor says. “If you use the same passwords everywhere, you might not find out that one of the places you use your password had a breach.”
But the biggest problem with browser-based password storage is that it doesn’t require strong passwords. If it did, the value equation would be different. The Opera breach is the only public example so far of a hack like this; the vulnerabilities, at least on a large scale, otherwise remain hypothetical. The scourge of weak passwords, however, is very real.
“Browsers are still missing all of the usability features that really help normal people have good password hygiene,” says Johnson. “Random password generation, weak password hunting, password reuse, etc. Browsers do not do this at all, and it’s a huge source of value for end users.”
In fact, just one strong password–usually required to access the other passwords in a browser storage system–may be enough to help users even in a case like Opera. “Although it’s very concerning seeing a major web browser developer experience a breach like this, the passwords themselves are probably safe if you have a strong master password,” says Burnett.
Still, experts recommend the use of a dedicated password manager, like LastPass, 1Password, or Dashlane. If they store your information in the cloud, they can still be breached–researchers unearthed a handful of LastPass vulnerabilities earlier this summer–but at least they can help you create, and keep, better passwords.
“I think there can be a fair trade-off when it comes to security versus convenience, and online password managers are better suited than browser-based ones,” says Segura, who argues that it’s largely a matter of focus; browsers have to support many interweaving parts, while password managers have a singular focus that leads to a more secure result.
If you use Opera sync, hopefully you’ve already changed your passwords by now. But for anyone else letting your browser share your password across devices, consider this a modest warning. Your digital life is easier than ever, but still not as safe as it should be.