After years spent warning users to create strong and unique passwords, security analysts are now also cautioning against relying on web browsers’ built-in password managers to store them.

Although browsers can now store your passwords – and use them to automatically log you into websites – experts warn that cybercriminals are targeting the feature with great success.

Stored passwords can be viewed by anyone with physical access to your computer, while many browser plug-ins have direct access to system data, and purpose-built malware can infiltrate browsers’ secure password repositories. Some malware can even scrape details from password fields as they’re automatically filled by the browsers.

“If your computer’s infected with malware, an attacker can get decrypted access to the browser’s storage areas,” a recent Microsoft discussion about its Microsoft Edge password manager security explains.

“Internet browsers aren’t equipped with defences to protect against threats where the entire device is compromised due to malware running as the user on the computer… The attacker’s code, running as your user account, can do anything that you can do.”

That warning proved more than academic for a recently breached company that called in the AhnLab ASEC security analysis team to unpick the incident.

That team found the network was breached after a remotely working employee used their web browser to store the password for the company VPN used to securely access company systems from home.

Once the remote worker’s computer was infected by credential-stealing malware, the company VPN password was stolen – and used by cybercriminals to log into and pilfer the company’s network.

Such malware is more common than you’d like to think: Check Point Research, for one, recently warned that over 2 per cent of all Australian cyber incidents were caused by infection with Formbook, a long-established information stealer that extracts passwords from web browsers, screenshots user activity, monitors and logs keystrokes, and can install malware if instructed to by cybercriminals.

A newly updated version of Formbook was discovered last month, while in March, researchers discovered hackers selling new data-stealing malware called BlackGuard that targets cryptowallets, VPN services, browser credentials, email clients, instant-messaging services, and file transfer services.

Last year, NordLocker security researchers discovered a 1.2 terabyte database of data extracted from victims’ web browsers that included 26 million login credentials, 1.1 million email addresses, and over 2 billion web browser cookies stolen from 3.25 million compromised computers.

The burden of convenience

The warnings come as the annual World Password Day, observed every 5 May, sees security specialists once again warning users not to choose convenience over security.

Fully 57 per cent of consumers admit using the same password for multiple online accounts, according to new data from Cisco Duo that also found 51 per cent of Australians admitting they reset forgotten passwords once or twice per week.

It’s happening so regularly that technical support staff are getting sick of helping users who keep forgetting their passwords, with 51 per cent calling security issues around compromised credentials the most frustrating or concerning aspect of password admin.

The problem has been compounded by the pandemic-era rush to embrace online services and associated security exposure.

“As organisations digitise, many take a reactive approach toward authentication,” explained Robert de Nicolo, Cisco’s director of cybersecurity for Australia.

“They end up piling authentication systems on top of each other, which not only creates complexity for the organisation and tech teams – but for users as well, ultimately creating more security gaps than it solves.”

“When it comes to password hygiene, we still have a long way to go,” agreed Jacqueline Jayne, security awareness advocate APAC with security training firm KnowBe4, which recently found that 34 per cent of office workers still use the same password for more than one account.

“The average person has between 70 and 100 passwords,” Jayne continued, “and it is simply not possible to remember them all – especially when you consider that passwords need to be unique, complex and, depending on where you read it, anywhere between 8 and 20 characters.”

A multi-factored defence

Jayne recommends thinking of a phrase – for example, a favourite line from a movie – then taking the first letter of each word, varying the case of the letters, changing at least one letter to a number, and changing another letter to a special character like $ or &.

Using this method, for example, the famous line from Network – “I'm mad as hell and I'm not going to take this anymore!” – would become IMAHAINGTTTA, then ImAhAiNgTtTa, then ImAhA1NG2tTa, and finally ImAhA1NG2tT@.

Or, of course, you can always use the automatic password generators built into commercial password managers, which run separately from web browsers and therefore don’t suffer the same security issues.
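As an added illustration (not code from the article or from KnowBe4), the following Python reproduces Jayne's four steps deterministically and then shows the alternative the article points to: letting a CSPRNG pick every character, as a password manager's generator does. Which letter becomes a digit and which becomes a symbol is an assumption made here, so the last two strings differ slightly from the hand-crafted version above.

```python
import re
import secrets
import string

# Look-alike substitutions for steps 3 and 4. The article only says "at least one
# letter to a number" and "another letter to a special character", so which
# letter changes is an assumption made here to make the method deterministic.
DIGIT_LOOKALIKES = {"i": "1", "l": "1", "e": "3", "a": "4", "s": "5", "o": "0"}
SYMBOL_LOOKALIKES = {"a": "@", "s": "$", "i": "!", "h": "#", "t": "+"}
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def _replace_first_lower(s: str, table: dict) -> str:
    """Swap the first lower-case letter that has a look-alike in `table`."""
    for i, c in enumerate(s):
        if c.islower() and c in table:
            return s[:i] + table[c] + s[i + 1:]
    return s


def _replace_last(s: str, table: dict) -> str:
    """Swap the last letter (either case) that has a look-alike in `table`."""
    for i in range(len(s) - 1, -1, -1):
        if s[i].isalpha() and s[i].lower() in table:
            return s[:i] + table[s[i].lower()] + s[i + 1:]
    return s


def mnemonic_steps(phrase: str) -> list:
    """Return the four intermediate strings of the phrase-to-password method."""
    # Step 1: first letter of each word, upper-cased ("I'm" -> "I", punctuation ignored).
    step1 = "".join(w[0] for w in re.findall(r"[A-Za-z]\S*", phrase)).upper()
    # Step 2: alternate the case, starting with upper.
    step2 = "".join(c if i % 2 == 0 else c.lower() for i, c in enumerate(step1))
    # Step 3: change one letter to a digit (first lower-case letter with a look-alike).
    step3 = _replace_first_lower(step2, DIGIT_LOOKALIKES)
    # Step 4: change another letter to a special character (last letter with a look-alike).
    step4 = _replace_last(step3, SYMBOL_LOOKALIKES)
    return [step1, step2, step3, step4]


def meets_complexity_rule(password: str, min_len: int = 8, max_len: int = 20) -> bool:
    """The article's rule of thumb (mixed case, digit, symbol, 8-20 chars): a policy check, not a strength measure."""
    classes = [str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation]
    return min_len <= len(password) <= max_len and all(any(f(c) for c in password) for f in classes)


def generated_password(length: int = 20) -> str:
    """The alternative from the article: a CSPRNG chooses every character, as a password manager's generator does."""
    return "".join(secrets.choice(GENERATOR_ALPHABET) for _ in range(length))
```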

Ultimately, adoption of multi-factor authentication (MFA) is helping with the password problem by requiring users to enter their password as well as a time-limited code that hackers can’t easily access.

Yet companies shouldn’t believe MFA makes them bulletproof either, warns Tenable chief security strategist Nathan Wenzler, who recommends companies use privileged account management (PAM) tools and better security for Active Directory systems that store user and device credentials.

“We’ve made great strides in the information security community to educate users about why strong passwords are still needed and getting them to leverage MFA,” Wenzler said, “but we still have a long way to go to strengthen our passwords against attackers and compromise.”