The inconvenient truth about stored passwords

To overcome the challenge of managing passwords online, many of us often rely on web browsers to store and auto-fill our credentials. It is certainly convenient when we don’t have to type those details yet again, or remember that password variation, or re-enter information from a different device.

But the convenience comes with an extra security risk. Where dedicated password managers offer additional encryption layers and alerts when credentials are compromised, browsers don’t.

Furthermore, knowledge of coding is no longer necessary to mount a cyberattack. Threat intelligence researchers with no prior coding experience can use AI to create a password-stealing tool (an infostealer). In a recent test case, malware of this type successfully extracted login data directly from Google Chrome.

In 2024, 3.2 billion credentials were stolen worldwide. Of these, 75% (roughly 2.1 billion) were compromised by infostealers – 33% more than in 2023.

It’s also important to remember that infostealers bypass passwords altogether – no matter how strong they seem – by extracting login credentials directly from the device.

Microsoft recently announced plans to transition away from passwords entirely, moving toward passkeys and device-based two-factor (2FA) authentication. These methods – which use email, SMS, or an authentication app – rely on linking account access to a device’s physical hardware.

For the price of a little inconvenience, 2FA better protects accounts tied to sensitive personal or professional information, and makes life much harder for hackers, even if they manage to steal a password.