How safe is the password manager in browsers?
For example, Opera has a "wand" feature that remembers the user names and passwords you typed across various sites.
Let's say you get a trojan, which steals data from your PC. Can the trojan decrypt stored passwords by browsers, and use them?
The points noted in Bob's answer are all valid, so I won't bother repeating them; however, I thought a little additional information might also be helpful for some, as your question is a valid concern.
Opera's Wand feature allows you to specify how frequently to ask for your master password under
Preferences > Advanced > Security > Ask for password
with selections such as "Once per session" (which, as Bob correctly points out, limits your security), "Every x minutes/hours" (if you don't mind fiddling with .ini files, you can customise your own frequency), and "Every time needed" (obviously the most secure option as your password will not be stored in memory during your browsing session). I don't use Firefox but can imagine that there's a similar extension available somewhere.
The Wand data is stored in a file called, wait for it, wand.dat, in a format that can be deciphered with relatively little effort if no master password is used; if you do use a master password, it is encrypted using a random component and your master password with an algorithm that currently escapes me (should be easy to look up though).
If you use a password for a site whose security is more important to you than the average login, you can simply choose not to save the password.
Private tabs in Opera (or their equivalent in other browsers) allow you to store that tab's session data separately from that in "normal" tabs, which may add another layer of security.
The security model used in Chrome and its derivatives (that is, sandboxing each tab in a separate thread) gives you even greater security.
You can guard against keyloggers and such by regularly:
- updating your anti-virus and firewall software; and
- changing your passwords.
To sum up:
Your browser's level of security and that of your logins is up to you to a large extent.
If someone was very skilled and resourceful, they could probably get at your data eventually despite all the above precautions, but it would make your browser's data far more secure and would raise the level of sophistication required to crack it significantly.
If you have malware on your computer, no passwords entered or stored on it can be considered truly safe. Even with encrypted passwords such as KeePass databases, as soon as you enter the details required to decrypt them, the attacker can retrieve your passwords.
Browsers typically do not pay very much attention to the security of saved passwords, at least not with default settings.
Let's say you get a trojan, which steals data from your PC. Can the trojan decrypt stored passwords by browsers, and use them?
In a word: yes. Browsers typically do not encrypt remembered passwords, so they can be read with trivial effort. Encryption with a stored key is useless anyway: if the browser is able to decrypt it, other programs running on the same computer can do the same.
I'm most familiar with Firefox, so I'll go with that.
Firefox allows you to set a 'master password'. If you do, it encrypts the stored passwords with the master password. However, for the sake of convenience, you only have to log in using this master password once per session. Once you are logged in, the information necessary to decrypt saved passwords is stored in memory, and can be accessed. A more secure and cumbersome approach would have been to require the master password to be typed every time Firefox needed to look up a saved password.
Even if the saved passwords were perfectly encrypted and completely inaccessible, they must be decrypted and entered on web forms at some point. Which means holding the passwords, unencrypted, in memory. There are actually quite a few 'asterisk revealer' programs designed to grab those passwords out of memory and, well, reveal them. Malware could theoretically do the same.
And malware could also keylog you, allowing the attacker to retrieve any password you typed.
There's a very in-depth study of password security across major browsers (IE, Chrome, FF) here. To summarise, both Chrome and IE10 rely on Windows' encryption routines, which are considered strong. However, they do not protect against other programs running under the same user, i.e. they are useless against malware. Again, any executing program (as Administrator) can grab information from memory or by keylogging anyway.
The method of encryption is most important when you consider the possibility of theft of your saved data for later analysis, e.g. someone sneaking in and copying off your data or stealing your computer. In general, all modern browsers do a decent job of protecting against that form of attack. Firefox with a good, strong password is again preferred, since the Windows encrypted data can be recovered by logging into the Windows user account, and the Windows password is not fully safe any longer. Do note that none of it will stop a very determined attacker.
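Both the Opera "Ask for password" setting described in the first answer ("Once per session", "Every x minutes/hours", "Every time needed") and the Firefox once-per-session behaviour described in this answer come down to the same design question: how long the key derived from the master password stays in memory. The following Python model is an added example, not code from any browser or from the answerers. The cipher (an HMAC-SHA256 keystream with an HMAC tag, so it runs with the standard library alone) and the class and method names are stand-ins chosen for the demonstration, not the algorithm Opera or Firefox actually uses; the clock is injectable so the cache expiry can be exercised without waiting.

```python
"""Toy model of a master-password-protected browser password store.

Added example: the cipher is a stdlib-only stand-in, not a real browser format.
"""
import hashlib
import hmac
import os
import time


class LockedError(Exception):
    """Raised when a secret is requested while no decryption key is cached."""


def derive_key(master_password: str, salt: bytes) -> bytes:
    # PBKDF2 slows offline guessing against a stolen file; the random salt is
    # the "random component" stored beside the encrypted data.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in for a real cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # integrity check
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or corrupted entry")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class MasterPasswordStore:
    """Entries stay encrypted at rest; the key lives in memory only while cached."""

    def __init__(self, master_password: str, clock=time.monotonic):
        self._salt = os.urandom(16)
        self._entries: dict[str, bytes] = {}
        self._clock = clock
        self._cached_key = None
        self._cache_until = 0.0
        # Encrypted sentinel lets unlock() reject a wrong password cleanly.
        self._check = encrypt(derive_key(master_password, self._salt), b"ok")

    def _verified_key(self, master_password: str) -> bytes:
        key = derive_key(master_password, self._salt)
        decrypt(key, self._check)  # raises ValueError on a wrong password
        return key

    def unlock(self, master_password: str, cache_seconds: float) -> None:
        # "Once per session" = a large cache_seconds; "Every x minutes" = that many
        # seconds; "Every time needed" = never call unlock, pass the password per call.
        key = self._verified_key(master_password)
        self._cached_key = key
        self._cache_until = self._clock() + cache_seconds

    def lock(self) -> None:
        self._cached_key = None

    def key_in_memory(self) -> bool:
        # This is what a memory scraper on the same machine would find.
        if self._cached_key is not None and self._clock() >= self._cache_until:
            self.lock()  # cache expired: drop the key
        return self._cached_key is not None

    def _key_for_call(self, master_password):
        if master_password is not None:
            return self._verified_key(master_password)  # used once, not retained
        if self.key_in_memory():
            return self._cached_key
        raise LockedError("master password required")

    def save(self, site: str, password: str, master_password=None) -> None:
        self._entries[site] = encrypt(self._key_for_call(master_password), password.encode())

    def get(self, site: str, master_password=None) -> str:
        return decrypt(self._key_for_call(master_password), self._entries[site]).decode()
```

Calling `get(site)` after `unlock(..., cache_seconds=600)` succeeds for ten minutes and `key_in_memory()` reports True for that window; calling `get(site, master_password=...)` without ever unlocking models the "Every time needed" policy, where the derived key exists only for the duration of one call. The trade-off the answers describe is visible directly: the convenient policies are exactly the ones during which the key is resident and readable by anything else running as the same user.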
NirSoft provides a tool called "IEPassView" which can decrypt Internet Explorer 8 and under passwords. System Information for Windows can do the same; just click on the key at the top.
NirSoft provides "password recovery" tools for many popular browsers (http://www.nirsoft.net/password_recovery_tools.html) -- these make a good "proof of concept" to show that the built-in password storage isn't safe.
LastPass and software like it are good, convenient answers. While they don't give you total security (you still need to do the basics like firewall, anti-virus, etc.), it's a good way of managing your passwords. Also, due to the fact that it's stored on the magical cloud, you can access them from anywhere (unlike some local software where you have to store it on your machine to access it).