
The dangers of password autofill


Modern web browsers and password managers come with a feature called password autofill. This helps users store and automatically use their account credentials to access websites and other applications. While this innovation is a thoughtful development, there is a loophole in the autofill function that hackers can capitalize on to track your activities.

A password manager requires one password to manage all your accounts. The password unlocks your “Vault” to ensure your data is safe. Thus, you don’t have to keep tabs on many passwords. You can also take further security measures, such as two-step verification and logging in to your data on secure computers.

Password managers offer both convenience and a high level of security. You use secure, unique passwords across all devices and manage these passwords. But how do you trust a password manager to handle such sensitive information?

There are two types of password manager autofill, and they operate differently.

One type is “automatic autofill”, or autofill that does not wait for user interaction. The other is “manual autofill”; in this case, the password manager waits for the user to interact with the page before filling in the password.

Since “automatic autofill” doesn’t wait for user interaction, as soon as the page loads in the browser the password manager fills in the user’s password in clear text that JavaScript can act on. Manual autofill, by contrast, waits for the user to choose from a list of saved sites.

Why password autofill is so dangerous

Modern web browsers and password managers have a feature that enables usernames and passwords to be automatically entered into a web form. This feature isn’t completely safe, however. If you enable this feature and hackers gain access to your computer or web browser, it will be easier for them to infiltrate your accounts because the autocomplete feature will fill in all saved credentials.

Tricking a browser or password manager into providing saved information is incredibly simple. All a threat actor needs to do is place an invisible form on a compromised webpage to collect users’ login information. Once the browser or password manager enters the user’s information, the hacker will gain access to that data.
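From the defender's side, the invisible-form trick described above can be spotted by auditing a page's markup for credential inputs that the user cannot see. The following is an added example, not code from the original article; the sample page, the field names and the list of hiding styles are constructed for illustration, and it checks inline styles only (assumption: external stylesheets are out of scope).

```python
import re
from html.parser import HTMLParser
# Inline styles that keep an element out of view (heuristic, not exhaustive).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(\.0+)?\s*(;|$)"
    r"|(left|top)\s*:\s*-\d{3,}px|(width|height)\s*:\s*0(px)?\s*(;|$)", re.I)
CREDENTIAL_TOKENS = {"username", "current-password"}  # autocomplete values
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}  # no closing tag

# Constructed sample: a visible login form, an off-screen copy, a transparent field.
SAMPLE_PAGE = """
<form><input name="user" autocomplete="username">
<input name="pass" type="password"></form>
<div style="position:absolute; left:-9999px"><form><input name="u2" autocomplete="username">
<input name="p2" type="password"></form></div>
<input name="p3" type="password" style="opacity:0">
"""

def is_hiding(attrs):
    # True if the element's own attributes hide it from view.
    return "hidden" in attrs or bool(HIDING_STYLE.search(attrs.get("style") or ""))

def wants_credentials(attrs):
    # True for inputs a browser or password manager would offer to fill.
    tokens = set((attrs.get("autocomplete") or "").lower().split())
    return (attrs.get("type") or "").lower() == "password" or bool(tokens & CREDENTIAL_TOKENS)

class HiddenCredentialFieldFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # per open element: does it hide its subtree?
        self.findings = []  # (field name, reason) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and wants_credentials(attrs):
            if is_hiding(attrs):
                self.findings.append((attrs.get("name"), "field itself is hidden"))
            elif any(self.stack):
                self.findings.append((attrs.get("name"), "hidden by an ancestor"))
        if tag not in VOID_TAGS:
            self.stack.append(is_hiding(attrs))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

def find_hidden_credential_fields(html):
    finder = HiddenCredentialFieldFinder()
    finder.feed(html)
    return finder.findings
```

Calling `find_hidden_credential_fields(SAMPLE_PAGE)` reports the off-screen `u2`/`p2` pair and the transparent `p3` field, and leaves the visible login form alone.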

One simple security tip

A quick and effective way to improve your account security is to turn off autofill. Here’s how to do it:

  • On Microsoft Edge – Open the Settings window, click Profiles, and then select Passwords. Disable “Offer to save passwords.”
  • On Google Chrome – Open the Settings window, click Autofill, and disable “Offer to save passwords.”
  • On Firefox – Open the Settings window, then click Privacy & Security. Under the Logins and Passwords heading, untick the box next to “Autofill logins and passwords.”
  • On Safari – Open the Preferences window, select the Auto-fill tab, and turn off all the features related to usernames and passwords.

The easiest way to protect yourself is to disable autofill in any browser you use. If you use a password management service, which we highly recommend, it will instruct you on how to disable the browser autofill. It's important to complete this step, because password management services help you address this serious security flaw by first verifying the authenticity of the website that you are trying to log in to, and then requiring your input to fill in the credentials before safely logging in.
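The two checks described above (verify the site, then wait for the user) can be sketched as a single decision function. This is an added example, not the logic of any particular password manager; exact-origin matching is an assumption of the sketch, and all hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port), the tuple that identifies a web origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()   # hostname drops any user@ prefix
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def fill_decision(saved_url, page_url, user_chose_entry):
    """Return 'refuse', 'wait' or 'fill' for a saved login and the current page."""
    if origin(saved_url) != origin(page_url):
        return "refuse"   # wrong site: never offer the credential
    if not user_chose_entry:
        return "wait"     # right site, but manual autofill needs the user's click
    return "fill"

# Constructed cases; every hostname is a placeholder.
SAVED = "https://bank.example/login"
CASES = [
    ("https://bank.example/account", True),              # same origin, user clicked
    ("https://bank.example:443/account", False),         # same origin, no click yet
    ("http://bank.example/login", True),                 # scheme differs
    ("https://bank.example.attacker.test/login", True),  # lookalike subdomain
    ("https://bank.example@attacker.test/login", True),  # saved name used as user@
]

def evaluate_cases():
    return [(page, fill_decision(SAVED, page, chose)) for page, chose in CASES]

if __name__ == "__main__":
    for page, decision in evaluate_cases():
        print(f"{decision:6}  {page}")
```

The last two cases show why the comparison is made on the parsed origin rather than on a substring of the URL: both contain `bank.example` but resolve to a different host.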

How to disable autofill

So how do you get around this? Well, first of all, stop using browsers to save your passwords, or at least sensitive passwords such as those for social media, email and anything that involves credit cards or financial transactions, including banking and shopping sites. It's already too easy to steal saved passwords from web browsers in other ways. You can't even disable autofill in many Chromium-based browsers, including Chrome, Opera and Vivaldi. Brave is an exception because it doesn't autofill to begin with, and Edge has a special Microsoft-only setting

Contact Beringer Today!

Having good password security habits can significantly protect your sensitive data. For 24/7 cybersecurity support that goes far beyond protecting your privacy, give us a call.

If you are concerned about the quality of your passwords and your overall network security, then reach out to Beringer Technology Group today. We can also help evaluate your current cybersecurity posture with our Cyber Security Risk Assessment Solution, and implement the right security solutions for your organization.

Beringer Technology Group, a leading Microsoft Gold Certified Partner specializing in Microsoft Dynamics 365 and CRM for Distribution, also provides expert Managed IT Services, Backup and Disaster Recovery, Cloud Based Computing, Email Security Implementation and Training, Unified Communication Solutions, and Cybersecurity Risk Assessment.


theProfessor


Rob is the CTO of Beringer Technology Group, and focuses his efforts on software development, cloud engineering, team mentoring and strategic technical direction. Rob has worked with Beringer since 2005, and has influenced every department from Development, Security, Implementation, Support and Sales. Rob graduated with his MBA from Rowan University in 2012, earned his Bachelors of Computer Science in 1997, and is current with several Microsoft technical certifications. Rob is very active, and loves to mountain bike, weight train, cook and hike with his dog pack.