Question:
When logging in to a secure Web page, the browser will often have an option to save my password. Or the Web site will ask if I want to store my password. Are these the same? Where and how are these passwords saved? How secure is it to do this? Are the passwords stored in an encrypted format, and if so, can they be hacked? As a precaution, I never store passwords anywhere in electronic form. I don't trust password managers because there is no way to know what they are doing with the information. What is the safe way to manage passwords?
Submitted by: Gary H.
*******************************************************
Answer:
Well, Gary H., your question starts out simple, but goes quite a bit deeper into online security. Let's start with the difference between the browser's "remember my password" vs. a Web site's "keep me logged in" option.
Your browser actually saves your login name and password info, encrypted, on your hard drive, and fills the fields when you pull up that certain Web page again. However, how it saves it depends on the browser's actual implementation.
By contrast, the "remember my password" option on a website actually saves a special cookie (think of it as a marker) that's unique to you, so that when you come back to the website, it shows that you're user so-and-so and logs you in. That cookie likely will NOT actually contain any password info for anyone to unscramble, but rather is just something the website itself understands; but, again, it depends on the actual implementation. It's probably similar to your local supermarket handing you a membership card. By loading that number, they know it was you using the card, since no one else has that number. The website's "remember my login" would probably work along similar lines.
Neither is technically "secure" since anyone who can physically access your computer (i.e. sit down at your table) can get into those websites, either way. Assuming your home is reasonably safe from intruders, that leaves external hack attempts.
The best defense against external hack attempts is a hardware firewall, and regular security updates for your operating system, probably WinXP.
Windows is already set up to warn you and/or to apply the updates automatically, so all that remains is a hardware firewall, esp. if you are on a broadband connection to the Internet. If the hackers can't reach your PC, they can't hack it. You can, of course, not connect the PC to the outside at all, but that would be rather drastic.
On the other hand, is there anything on those websites that you really need to protect from hackers? Or, if you are more worried about the stuff on your PC, why? Hacking individual people's PCs consumes time, with very little chance of payback for the hackers. Think of it this way... let's say they are after... credit card numbers. How many credit cards is one likely to own? Maybe 2 or 5. Would their numbers be stored on the PC? If so, where? It's impossible to say. It could be in Word documents, Excel spreadsheets, Quicken, MS Money... etc. The choices are endless, and searching through it all would be time consuming. Hackers would be far more likely to get lucky with phishing or pharming scams; most of that can be automated and takes almost no time at all on the part of the scammer. It's easier to ask you for the password than to dig it out of you (or your PC), so to speak.
As for the trustworthiness of password managers... I personally use one. I have no qualms about using one. Your firewall should automatically block traffic from unauthorized programs, which is how you know which program is not doing what it's supposed to. However, it is quite difficult to "prove" security. In a way, it's like defending against terrorists. We have to be 100% effective, they just have to be 0.0001% effective...
If you are so worried, get a cheap PDA and put your passwords on it, and keep the PDA with you at all times. But then you have to worry about the PDA getting lost and all that...
The entire idea of security is balancing risk vs. convenience. Password managers increase convenience, but also increase risk by offering a central location to lose ALL of the passwords at once. Firewalls decrease the risk of external hacks, but also decrease convenience by requiring various configuration of port forwarding and such. It is all about trade-offs, and what is acceptable to me may not be acceptable to you. Ultimately, you will have to decide if the risk of using a password manager outweighs the convenience of having one and having it remember stuff for you.
Submitted by: Kasey C. of San Francisco, CA
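The answer above describes a site's "remember me" cookie as a marker that identifies you without containing your password. The following is an added example, not code from Gary H., Kasey C., or any real website, showing how such a cookie is commonly implemented server-side: the cookie carries a random selector and validator, only a hash of the validator is kept in the site's table, and the password never goes into the cookie at all. The user table, the salt, the "gary" account and its password are constructed sample data, and the function names and the 30-day lifetime are this example's own choices. It also illustrates the caveat in the answer that whoever holds the cookie is logged in, and what a site can do about it (revoke every token for the user).

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "database" for the example: one user whose password
# is stored only as a salted PBKDF2 hash. Sample data, not from any real site.
_SALT = b"example-salt"
_ITERATIONS = 100_000
USERS = {
    "gary": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, _ITERATIONS),
}

# selector -> (username, sha256(validator), expiry). Only a hash of the
# validator is stored, so a leaked copy of this table cannot be turned into a
# working cookie.
REMEMBER_TOKENS = {}

REMEMBER_TTL = 30 * 24 * 3600  # cookie lifetime in seconds (30 days; an assumption)


def check_password(username, password):
    """Normal login: hash the offered password and compare in constant time."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(stored, candidate)


def issue_remember_cookie(username, now=None):
    """Mint the value a site would put in its 'remember me' cookie.

    The cookie is 'selector:validator'. The selector is a lookup key; the
    validator is a random secret whose hash is stored. Neither part is derived
    from the password, so nothing in the cookie can be "unscrambled" into it.
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(9)     # url-safe alphabet, never contains ':'
    validator = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[selector] = (
        username,
        hashlib.sha256(validator.encode()).digest(),
        now + REMEMBER_TTL,
    )
    return f"{selector}:{validator}"


def login_from_cookie(cookie, now=None):
    """Return the username a presented cookie logs in, or None if it is invalid.

    Whoever presents a valid cookie (including someone sitting at your keyboard)
    is logged in: the server cannot tell who is holding it.
    """
    now = time.time() if now is None else now
    try:
        selector, validator = cookie.split(":", 1)
    except ValueError:
        return None
    record = REMEMBER_TOKENS.get(selector)
    if record is None:
        return None
    username, validator_hash, expiry = record
    if now > expiry:
        del REMEMBER_TOKENS[selector]           # expired: clean up and refuse
        return None
    offered = hashlib.sha256(validator.encode()).digest()
    if not hmac.compare_digest(validator_hash, offered):
        # Known selector but wrong validator: the cookie was guessed or
        # tampered with. Revoke it so the real one stops working too.
        del REMEMBER_TOKENS[selector]
        return None
    return username


def logout_everywhere(username):
    """Revoke every remember-me cookie for a user (e.g. after a laptop is lost)."""
    for selector in [s for s, rec in REMEMBER_TOKENS.items() if rec[0] == username]:
        del REMEMBER_TOKENS[selector]


if __name__ == "__main__":
    assert check_password("gary", "correct horse battery staple")
    cookie = issue_remember_cookie("gary")
    print("cookie set by the site:", cookie)
    print("returning visitor is logged in as:", login_from_cookie(cookie))
    logout_everywhere("gary")
    print("after revoking all tokens:", login_from_cookie(cookie))
```

The point of the selector/validator split is that the database lookup uses the selector and the secret comparison uses the validator, so the table never holds anything that can be replayed. This is what lets a site honour "keep me logged in" without ever writing your password into a cookie.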