Skip to main content

Chrome wants to make your passwords stronger

A common sentiment, shared by many people down the years, is that storing passwords in browsers is a bad idea. Malware, for example, would specifically target password storage in browsers and plunder everything in sight.

Password managers weren't exactly flying off the shelves back in 2007, your only real options were home grown. People ended up saving logins in all sorts of odd places: Text files, email accounts…you name it. Naturally, security-minded folks gravitated towards saving passwords in browsers, because what else were they going to do?

The browser password wars

Even just 8 years ago, it was still a hotly contested debate. The problem then was that passwords were stored in plain text. They aren't now, but if the device you're using is compromised it doesn't matter. Malware files can decrypt your passwords, or wait for you to do it. So, no matter how recently you look, many of the same threats still exist for browser passwords. And new ones emerge, like the rogue advertisers trying to grab autofill data.

Let's be clear: things are better now for passwords in browsers than they used to be. Even something as basic as having to enter your Windows password to view or copy saved passwords is reassuring. Making use of encryption, instead of leaving data lying around in plaintext, is excellent. Browsers taking things one step beyond simply storing, and checking for stolen passwords is great. Real time phishing protection is the icing on an ever-growing cake.

With that in mind, Chrome continues to make inroads in the name of beefing up browser password safety.

Weak password? Chrome 88 can help

Beginning with Chrome version 88, you can now check for weak passwords (open Settings and search for "Passwords") and alter them on the fly, with just a few clicks. The "Change password" button doesn't alter anything inside the browser, which may disappoint. It simply takes you to the site where you use that feeble password. At this point, you'll have to manually alter the details. The browser should then detect you've altered the password and update its password database, as it normally would.

If you really want to know what the stored password is but can't remember it, you'll need your Windows login, as mentioned earlier.

There's not a huge amount to add about this new feature, as it is indeed incredibly simple to use. A list of all your potentially weak passwords is displayed, and off you go to fix them all. This is to its benefit. It's easy to get bogged down in password minutiae and end up not bothering.

You don't need bells and whistles while looking for weak passwords. You just want a list of sites, and to be told where there's a problem. In this regard, the new functionality more than delivers.

Browser or password manager?

Having said all of that…you may still wish to ignore all the above and stick with a dedicated password manager. No matter what password features are added to browsers, some folks will never want anything to do with that. There are a wealth of choices available. Totally offline, or online functionality: the choice really is yours. I'd be surprised if there isn't something for everyone in the options available. But if you really don't want a password manager, then browsers are a better solution than nothing at all.

Do you prefer to keep all your tools in the browser basket, or cast passwords away into dedicated password managers? Either way, we wish you many years of secure password management to come.

The post Chrome wants to make your passwords stronger appeared first on Malwarebytes Labs.



from Malwarebytes Labs full article here

Popular posts from this blog

BlackArch Linux - Penetration Testing Distribution

BlackArch Linux is an Arch Linux-based penetration testing distribution for penetration testers and security researchers. It contains over 1800 security and hacking tools. Here is the complete list of tools in the BlackArch Linux: 0d1n : Web security tool to make fuzzing at HTTP inputs, made in C with libCurl. 0trace :  A hop enumeration tool. 3proxy : Tiny free proxy server. 3proxy-win32 : Tiny free proxy server. 42zip : Recursive Zip archive bomb. a2sv : Auto Scanning to SSL Vulnerability. abcd : ActionScript ByteCode Disassembler. acccheck : A password dictionary attack tool that targets windows authentication via the SMB protocol. ace : Automated Corporate Enumerator. A simple yet powerful VoIP Corporate Directory enumeration tool that mimics the behavior of an IP Phone in order to download the name and extension entries that a given phone can display on its screen interface ad-ldap-enum : A LDAP based Active Directory user and grou...
Read more

Mobile Security Framework (MobSF) - An All-In-One Mobile Application Security Assessment Framework

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF support mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing. Screenshots: Static Analysis - Android Static Analysis - iOS Dynamic Analysis - Android APK Web API Viewer Requirements: Mac: Install Git Install Python 3.6 - 3.7 (3.8 is not supported) macOS Catalina users must uninstall existing python3 and install the one from Python.org . After installation, go to /Applications/Python 3.7/ and run Install Certificates.command and Update Shell Profile.command Install JDK 8+ ...
Read more

Maltrail - Malicious Traffic Detection System

Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. https://ift.tt/1O9qs2Q for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in the discovery of unknown threats (e.g. new malware). Requirements: To properly run the Maltrail, Python 2.6.x or 2.7.x is required, together with pcapy (e.g. sudo apt-get install python-pcapy). There are no other requirements, other than to run the Sensor component with the administrative/root privileges. The following (black)lists (i.e. feeds) are being ...
Read more