Everyone wants to help you save your passwords. All browsers default to enabling autofill and offering to save your passwords for you. When this first started happening, browsers simply stored your unencrypted passwords in a text file inside a folder on your computer. Luckily, they’ve upped their game, but still – so many of these password tools automatically link and store your passwords in the cloud (securely, kind of).
Why should I care?
Quick story about Jim. He just turned his new computer on and started using Edge. It forced him to create a local account linked to Microsoft. Little did he know, it automatically started backing up all his data to Microsoft OneDrive. All the Office defaults stored his files in the cloud. He opened up Edge and accepted all of the first three setup pages so he could get to Google and search for that cool new coffee warmer for his desk.
Sadly, he didn’t realize he’d also linked his Microsoft account to Edge, so when it popped up and offered to store his password for the Vobaga website – he just said yes. This happened over and over during his first year using the computer. Then, while reading his email, he gets the classic phishing email from a friend saying that his buddy has sent him an invoice. “Weird”, he thinks. “Why is he sending me an invoice?” – and he clicks on the link (::facepalm:: don’t click links in emails!!). It asks him to log in to Microsoft to view the invoice. “I thought I was logged into Microsoft, it doesn’t usually ask me to log in…oh well.” He types his email address and password like normal…it sends him a 2FA request (this website is a proxy pretending to be Microsoft, and it is logging the hacker in on the other end).
The hacker proceeds to log in to all of Jim’s accounts using the passwords stored with Microsoft in his Edge account. They can’t see the passwords – but Edge will auto-fill them. Soon, they have access to Jim’s bank account – Amazon account – and anything else he stored in Edge. They go on a frenzy, buying and stealing as much as they can before Jim can figure out how to kick them out.
This example is extreme, but if you want assistance unraveling yourself from Microsoft’s or Apple’s cloud ID integrations – don’t hesitate to reach out. We’re happy to help you selectively choose what you do and do not integrate with your cloud provider (Google, Apple, Microsoft, etc.). We wish companies would give more clarity on these default settings, but in an effort to “simplify” things for users – they just turn it all on without your knowledge or consent.
Disable Browser Settings for Remembering Passwords
Firefox: passwords are under “Privacy & Security” – make sure you turn off “Ask to save passwords”.
Microsoft Edge has the Microsoft Wallet – under Passwords, uncheck both “Offer to save passwords” and “View and autofill passwords and passkeys”.
Chrome: go to Passwords and open Settings. Disable “Offer to save passwords and passkeys” and “Sign in automatically”.
If you are a Brave Browser user – make sure to disable all the options under the similar Passwords section (Brave is based on Chromium and looks very similar to Chrome).
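If you manage several Windows machines, the browser toggles above can be enforced machine-wide with policy keys so a user cannot quietly flip them back on. The following is an added example (not from the original post) that audits and then sets the documented PasswordManagerEnabled policy for Chrome, Edge and Firefox; it assumes an elevated PowerShell session, and the Brave registry path is assumed from Brave’s Chromium policy support.

```powershell
# Added example: enforce "do not save or autofill passwords" via Windows policy keys.
# Assumes an elevated (Administrator) PowerShell session on Windows.
$PolicyTargets = @{
    'Chrome'  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    'Edge'    = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    'Firefox' = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
    'Brave'   = 'HKLM:\SOFTWARE\Policies\BraveSoftware\Brave'   # assumed path; verify against Brave docs
}
$ValueName = 'PasswordManagerEnabled'   # 0 = built-in password saving/autofill disabled

function Get-BrowserPasswordPolicy {
    # Report, per browser, whether the built-in password manager is disabled by policy.
    foreach ($browser in $PolicyTargets.Keys) {
        $key = $PolicyTargets[$browser]
        $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        [pscustomobject]@{
            Browser  = $browser
            Key      = $key
            Value    = $current            # $null means no policy set (browser default applies)
            Disabled = ($current -eq 0)
        }
    }
}

function Disable-BrowserPasswordManager {
    # Create each policy key if it is missing and set PasswordManagerEnabled = 0 (DWORD).
    foreach ($browser in $PolicyTargets.Keys) {
        $key = $PolicyTargets[$browser]
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $ValueName -Value 0 -Type DWord
        Write-Host "$browser : password manager disabled by policy ($key)"
    }
}

# Audit first, then enforce, then re-audit so the change is visible.
Get-BrowserPasswordPolicy | Format-Table -AutoSize
Disable-BrowserPasswordManager
Get-BrowserPasswordPolicy | Format-Table -AutoSize
```

Once set, each browser shows the password option as managed by your organization and greys it out; use a separate third-party password manager as described below.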
What do I do instead?
We are biased and use Bitwarden – full disclosure, we are a Bitwarden reseller. We don’t really care which password manager you choose to use – we just want you to pick one…do not integrate it into anything else, and use it solely to access your accounts going forward. Here are a few third-party password managers that we have seen clients successfully use – in no particular order!
Bitwarden – https://www.bitwarden.com
1Password – https://1password.com/
KeePass – https://keepass.info/
Keeper – https://www.keepersecurity.com/
LastPass – https://www.lastpass.com (disclaimer: since their breach in 2022 we do not recommend them as a viable option, but we have clients who want to stick with it regardless of the security concerns)
There are additional options, and you can research them yourself. We find that Bitwarden continues to meet our expectations, and as soon as something changes we will be the first to switch to a different option to keep our (and your) data secure.