Autocomplete Passwords: Are They Safe?

Passwords are the bane of many people's existence. They're inconvenient and often hard to remember. However, they are often the only protection our accounts have from cyber-criminals. Using strong passwords that include a mix of alphanumeric and special characters is a great step in securing your accounts against hackers. However, they are not always easy to remember or keep track of.

This is where password managers come in. Password managers are virtual managers that generate and store long passwords for your accounts. All browsers, including Chrome, Firefox, and Safari, include default password managers, but there are also third-party applications and plugins that can generate and store complex passwords. 

Password managers are highly convenient and easy-to-use, especially if you use the auto-fill feature, which enables your password manager to automatically fill in your username and password in the relevant fields on the website. However, this same autocomplete feature may be putting your information at risk. Finnish web developer and hacker Viljami Kuosmanen recently found that hackers and advertisers can trick browsers into giving away your personal information using the auto-fill feature.

How hackers can access your passwords

The attack is brutally simple. Hackers gain access to certain websites and create invisible forms on them. When you use an autofill function to enter your login information on those websites, your browser automatically enters the information wherever it detects the relevant boxes on the form, whether they are visible to you or not. 

In other words, the login information is entered into the boxes created by the hackers, enabling them to access your passwords and hack into your account. This, in itself, is not a major problem, as compromised websites are rarely the ones in which sensitive data is stored. Email accounts, online banking websites, and other sites that store sensitive data usually have better protection than websites you visit for fun. The worst a hacker can do in this situation is log in to that website using your credentials.

The problem is that most users use the same username and password for multiple sites. So, if the hacked password is the same as your email password, the hacker can log in to your email. This is the biggest issue with these kinds of attacks.

Ad networks can access your autofill data, too

Hackers are not the only ones who collect your information through autofill. Some ad networks use advertising or tracking scripts, also known as cookies, to grab your login information. They use the same invisible form technique as hackers to collect information such as your name, email id, mailing address, and other demographic data. 

The difference is that, rather than hacking your accounts, they use the information to track your browsing and target you with specific adverts based on your movements on the web. As well as being a privacy concern, you should also take note that advertisers, who aren't sophisticated hackers, are able to use this method to access your data. This is a clear demonstration of the dangers of using autofill.

Of course, as mentioned before, this is not a great cybersecurity risk if you use unique passwords for every website you visit. The issue arises when you use the same password for all your accounts. If you wish to safeguard your email and other sensitive accounts, it is still recommended that you use a password manager for your passwords without the autofill function. If you want to know more about securing your accounts or your business from cyber-threats, we'd be happy to offer our expertise. Feel free to contact us!