Is it security wise for one's own computer to save password for you?
February 15, 2023 1:57 PM

There is a box in the sign in page in some emails (not Gmail though) that asks if you want to have it saved for you. In case it is stolen, would the thief find out the password?
posted by amfgf to Computers & Internet (6 answers total)
 
Best answer: It is useful to think of this in terms of a threat model, so that you can manage risks according to the threats that actually apply to you.
  • If passwords are stored on your computer, then someone who gets physical access to the computer (while it is unlocked) can get access to more passwords. Different password managers have different rules for locking/unlocking.
  • If passwords are stored in a cloud service, then someone who hacks into the cloud service can get access to your passwords.
  • If passwords are stored on paper, then someone could copy the paper without being noticed, or you could lose the paper.
  • If passwords are stored in your head, then you will tend to reuse the same ones, and someone who hacks one system could try the same name/password combination on other systems.
So: if your computer asks you to save a password, it's important to understand whether it will be saved on the computer or in the cloud. Storing passwords on your computer is usually a good choice, as it has low risk and allows you to more easily avoid reusing passwords. But you might have reasons to be more worried about physical intruders or destruction of the computer.
posted by Phssthpok at 2:36 PM on February 15, 2023 [5 favorites]


Best answer: So it is hard to say more without specifics but generally this means you are instructing the web site to set a cookie for the site that would allow the site to automatically log you in the next time you visit the site. What is in the cookie is up to the people creating the web site. It would be poor form to store the password directly. Better would be to store a complex authentication token. You as a normal web user have no reasonable ability to know what a web site developer chose to do.

In either case, someone stealing your computer can become you when they visit the web site even if they can't directly determine your password. This is why phones and traditional computing devices support fully encrypting the storage to make this a harder thing for an adversary to do.
posted by mmascolino at 2:39 PM on February 15, 2023 [1 favorite]


Best answer: Yeah, it's hard to answer this question without knowing the specific context.

If the website has a checkbox like "remember me on this computer", that means it stores a login cookie on your computer in a way that stays around even after you close the browser window. This login cookie doesn't typically include your password (as mmascolino has mentioned).

If your browser is asking you to "save this password", it depends on the browser. I believe Chrome, by default, doesn't encrypt passwords, so anyone with access to your computer can read them. Safari stores passwords in the system keychain, which is encrypted, so you need to decrypt the keychain (using your phone passcode or login password) to read them. I'm not sure what Firefox or Edge do.
posted by panic at 3:31 PM on February 15, 2023 [2 favorites]
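
Added example, not part of the thread: a minimal sketch of the "remember me" cookie that mmascolino's and panic's answers describe, where the site stores a random token instead of the password. The function names and the in-memory `sessions` store are hypothetical; it shows that a copied cookie still logs in as the user until the server revokes it.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory server-side store: SHA-256(token) -> username.
# Only the hash is kept, so a leaked table cannot be replayed as cookies
# and never contains anyone's password.
sessions = {}


def digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_remember_me(username: str) -> str:
    """Return the cookie value to set after a successful password login."""
    token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the password
    sessions[digest(token)] = username
    return token


def user_for_cookie(cookie_value: str):
    """Return the username this cookie logs in as, or None if unknown or revoked."""
    candidate = digest(cookie_value)
    for stored, username in sessions.items():
        if hmac.compare_digest(stored, candidate):  # constant-time comparison
            return username
    return None


def revoke_all(username: str) -> int:
    """Drop every remembered login for a user, e.g. after a laptop is stolen."""
    stale = [h for h, u in sessions.items() if u == username]
    for h in stale:
        del sessions[h]
    return len(stale)


def demo():
    password = "correct horse battery staple"  # constructed sample; never placed in a cookie
    laptop = issue_remember_me("alice")
    phone = issue_remember_me("alice")
    assert password not in laptop
    before = user_for_cookie(laptop)  # whoever holds the cookie is treated as alice
    revoked = revoke_all("alice")     # the password itself does not need to be known
    return before, revoked, user_for_cookie(laptop), user_for_cookie(phone)
```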


Best answer: This kinda boils down to a question of "what can someone with physical access to your computer get to". Recent versions of Windows, MacOS, and Linux at least offer the option of encrypting your local storage, if not mandating it. Assorted Apple hardware is even making it difficult to wipe and reinstall on, making the used markets for recent Apple hardware difficult to navigate, but making them less attractive theft targets.

So if that's the case on your computer, then your passwords are as safe as your mechanism for logging on to your computer (and, if your browser or password manager has its own authentication, that layer as well).
posted by straw at 6:36 PM on February 15, 2023


Best answer: I log on to my computer with a password. The end. I log into programs, on the web, so, email is not an app on my computer, nor Facebook, any of them. My passwords are elsewhere, hand written. Hand entered as I create them. Certain things I only do on my home computer, other, more mundane, social media etc, I can do on my phone, but I never switch out to read the papers on their app, or don't keep email open anywhere. There is not a guest log on option on my computer. There is only one password in my computer, that is the logon password.
posted by Oyéah at 7:10 PM on February 15, 2023


Best answer: "I'm not sure what Firefox or Edge do."

Firefox asks you to create a master password for the stored password list, and requests that password each time FF is started, or when you want to see any of the stored passwords in plain text.

"If passwords are stored on paper, then someone could copy the paper without being noticed, or you could lose the paper."

That again depends on where that paper is stored, and how obvious it is how each of those entries relates to a particular account. For some people just writing down a password, or an entry code or something is enough to anchor it in their memory, and that paper can then be put between the pages of an innocuous book to be looked at again only rarely. And the advantage of paper is that it's impossible to get to via remote access to your computer.

For certain tasks on my work laptop I have the 'problematic' passwords printed as barcodes, with a barcode reader providing keyboard input, but even if someone got hold of that AND the laptop, it's not clear offhand what password is to be used where, and one call to Support, which I would need to do if the laptop goes walkies anyway, will just block those accounts. That paper, of course, is NOT in my laptop bag when commuting to the office. ('problematic' as in, for some tasks one of those passwords needs to be entered 15 times in short succession, and they're >20 chars with 'sufficient complexity')
posted by Stoneshop at 3:16 AM on February 16, 2023 [1 favorite]

