Today I visited one website in chrome browser and after making the process of registration and login on that web site. The browser prompts me that "Hey man, can I get the permission to remember (save) your login details". And as usual, my cerebrum has got activated and started thinking of whether I have to click on allow button or not.
The browser whose major job is to do browsing only and not like the password manager, is really capable to save my password? I asked the question to my brain.
My brain gives reply back to me that hey duffer you have seated in front of a computer screen and on that computer, the browser is there to solve your query so go ahead and search for it.
After exploring this topic I get the following information.
Password managers built into browsers are primarily there for convenience, and security plays a lesser role. The reason for this decision is that regular users are more easily convinced to use a system that is convenient for them, rather than a system that is more secure, but harder to use.
You already have it. Everyone uses a browser these days, and all major browsers come with built-in password managers. This means that from a regular user's point of view, the barrier to entry is incredibly low.
It discourages password reuse. People dislike remembering passwords, so they certainly won't remember one password per site. If the browser automatically suggests a strong password upon registering, then the user will not be tempted to reuse an existing password for it. Furthermore, the passwords suggested by the password manager will likely not be cracked by any attackers, should hashes ever be stolen.
It doesn't defend against local attacks. Attackers which may have access to the computer of the user (think jealous girlfriend, not government agency) may be able to get the passwords rather easily. With access to the browser, for example when a user forgot to lock their computer, all passwords can be read out in a matter of minutes.
It should be noted that local attacks are not something every user is concerned with.
Someone could potentially hack into your Google account, sign into Chrome, and also get access to all your passwords.
There's no "master password" (outside of your OS password) to protect them if someone should get logged in access to your computer.
On Linux, chrome will allow users to view saved logins, even without requiring a user password (unlike on Windows and macOS, where a user password is required). Firefox, on the other hand, gives instant access to those passwords, without authentication, regardless of platform (unless a master password is set). Like Chrome, Safari at least hides passwords behind a user's password.
How to get the browser saved passwords without knowing the os password of the device.
However, even on the Windows and macOS operating systems, there are ways around the password prompt. For example, using the Inspect Element window of a browser, you can edit the code of a page in such a way that it will un-hash a user password. To do this:
- Right-click the password field on a website.
- Select Inspect Element.
- Double-click on type="password", and replace password with text.
- Hit Enter, and close the Element Inspector. The password will be unhashed, revealed for all.
Saving the passwords of the website which is less important, will be ok but saving the passwords of banking websites, social media websites and all such important websites will be dangerous for you.