Social networks, internet banking, shopping sites and many others: any account we create on the web requires a password. Passwords are necessary to protect our data, but their proliferation has created another problem: memorizing them. In that context, password managers have gained popularity. Many users, however, still rely on the browser’s own password storage system. But is this really safe?
First, it is necessary to understand how password storage in the browser works. Every time you let Chrome save your username and password, the data is stored in an SQLite3 database on your computer, which can only be accessed by the browser itself. The information is encrypted and can only be decrypted while your user account is logged in, which prevents Chrome from “remembering” the password when another user is using the PC.
Passwords stored in Chrome can be ‘read’. Credit: ESET / Handout
The problem starts when someone with malicious intent gains access to the computer, as explained by Daniel Kundro, malware researcher at ESET Latin America: “He can easily obtain passwords, decrypt them and steal them in plain text. This type of behavior has been observed in several malicious codes and even in banking trojans targeted specifically at Latin America, where they are intended to steal access credentials from home banking services.”
A simple editor, such as DB Browser for SQLite, can open the database that holds the login and password information, even though that information is encrypted in a BLOB (binary large object) structure. And since the attacker already has access to the computer, he can decrypt the password using the CryptUnprotectData function. “All of these steps can be performed by malware quickly and automatically. However, malware is not the only risk that we must take into account, as there are currently several programs that are easily accessible through an online search that are capable of performing these same steps,” explains Kundro.
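On the defensive side, the access pattern described above (a program other than Chrome opening the saved-login database) can be flagged from file-access telemetry. The following is an added example, not code from the article or from ESET; the event field names, the sample events and the trusted install paths are assumptions, and the `Login Data` path is Chrome's default profile location on Windows.

```python
import re
from pathlib import PureWindowsPath

# Chrome's saved-login SQLite file, in any profile directory (Default, Profile 1, ...).
LOGIN_DB = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data(-journal)?$",
    re.IGNORECASE,
)
# Assumption: Chrome is installed in one of the standard per-machine locations.
TRUSTED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}

def suspicious_reads(events):
    """Return events where a non-Chrome process opened Chrome's login database."""
    hits = []
    for ev in events:
        if not LOGIN_DB.search(ev["target"]):
            continue
        # Compare the full image path, not just the file name, so a binary
        # merely named chrome.exe in another directory is still flagged.
        if ev["image"].lower() not in TRUSTED_IMAGES:
            hits.append(ev)
    return hits

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\ana\AppData\Local\Temp\invoice.exe",
     "target": r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\ana\Downloads\chrome.exe",
     "target": r"c:\users\ana\appdata\local\google\chrome\user data\Profile 1\Login Data"},
    {"image": r"C:\Program Files\DB Browser for SQLite\DB Browser for SQLite.exe",
     "target": r"C:\Users\ana\Documents\notes.db"},
]

if __name__ == "__main__":
    for ev in suspicious_reads(SAMPLE):
        print("ALERT:", PureWindowsPath(ev["image"]).name, "->", ev["target"])
```

In practice the events would come from file-access auditing or an EDR sensor, and the trusted list would need to cover wherever Chrome is actually installed in the environment.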
In conclusion, using the password manager built into Chrome, or into any other browser, is risky. For a higher level of security, dedicated password managers such as LastPass or 1Password are a more reliable alternative. In any case, if you have to use the browser’s native function, at least avoid doing so on websites such as banks or social networks, which store a large amount of personal information.