Password Autofill: Convenience Compromising Security?

Password Autofill: Convenience Compromising Security?

“What’s that password again? Wait, I changed it … Harrumph. I don’t remember!” We’ve all been there, sometimes many times a day. Password autofill on our Web browsers felt like the sun was shining on our online activity again. Sorry to tell you, but this convenience may not be entirely safe.

Most browsers will ask after you’ve entered a new password into a site or changed a password if you want it stored for you. That way, when you revisit that site, the browser can autofill the access credentials for you. It saves you the struggle of trying to keep all your passwords straight.

The problem is that some sites, including legitimate sites, can be compromised with a hidden form. You’ll never see it, but your browser will. So, it will autofill that form, and in clear, unencrypted text. This allows bad actors to capture your username and password without your knowledge.

Another risk? Irresponsible digital marketers may use hidden autofill forms to track your online activity. That’s done without your consent.

Using browser autofill with a password manager can also cause confusion, especially if your browser autofills, whereas the manager asks before filling in forms. Using both at the same time you also run the risk of duplicating passwords, which could make it difficult to track your passwords and increase the risk of security breach.

How to disable autofill

You can protect your passwords by disabling autofill on any browser you use:

  • On Microsoft Edge, go to Settings, then Profiles, then Passwords, and disable “Offer to save passwords.”
  • On Google Chrome, go to Settings, then Passwords, and disable “Offer to save passwords.”
  • On Firefox, open Settings, then Privacy & Security, then Logins and Passwords, and “Autofill logins and passwords.”
  • On Safari, from the Preferences window, select and turn off Auto-fill.

Can I keep using password managers?

A password manager, such as LastPass or 1Password, typically provides more security than browser autofill. Password managers have strong encryption algorithms to protect your login credentials, which means that even if your device is compromised, your passwords are safe.

Still, if the manager autofills your credentials, you face the same risks. Most password managers have autofill disabled by default. That’s good. Leave preemptive autofill off. You might see it called “Autofill on page load.” Keep that turned off, too.

Our advice? Use a password manager that requires you to click a box before it fills in your credentials. This action avoids your information from automatically populating a hidden form.

Securing your online activity is an ongoing challenge. Our experts can help identify ways you can protect your privacy and data online.