What is Password Autofill? How does it work? Is it safe?

Password autofill is a feature that allows a browser or application to automatically enter your username and password for online accounts and services.

When you create an account on a website, some browsers may ask you if you want to save credentials. If you agree, the browser stores the data in the browser or your device and automatically supplies the information when you revisit the website.

Browsers like Chrome and Microsoft Edge offer free password managers that can conveniently autofill your login information, saving you a lot of time. Of course, there are downsides. We'll discuss those later.

How does browser-based password autofill work?   

When you try to sign up for a service using a username and a password, your browser detects the login fields from HTML elements like <input type="text"> for username and <input type="password"> for password. Once you have entered your username and password, a prompt asks if you want these credentials to be saved.

Here’s what happens if you agree:

  1. The browser uses a one-way hashing function to scramble your password and store the username and the password locally.
  2. When you revisit the website, the browser detects the URL and looks for the credentials that correspond to that URL.
  3. Once it finds a match, it supplies the username and a hash representing the password.

Thanks to the multi-device sync features offered by browser-based password managers like the Google Chrome password manager, you can use the autofill feature on your Windows or macOS desktop and on your Android or iOS phone.

How does the website verify the password?

As we mentioned earlier, a browser-based password manager saves your password using a one-way hashing function, which means it cannot re-create the password when auto-filling. Instead, it provides a string that represents the password.

Since websites often support multiple hashing algorithms and applications across the board use standardised hashing protocols, the verifying website can check if the auto-filled string matches one of the hashes present in its own database or active directory; if yes, it allows the sign-in. 

How safe is password autofill?

The ability to automatically fill in passwords and login information is not just convenient, it’s necessary. It saves you from:

  • Writing down passwords on paper in plaintext
  • Remembering complex passwords
  • Using the forgot password option repeatedly

It is a wonderful feature that everyone should be able to use. There is nothing wrong with password autofill as a concept. It is just objectively better than manually typing in passwords during authentication. The problem lies with the tool you use to autofill passwords.

Browser-based password managers are not completely reliable, especially for businesses.

Security concerns associated with browser-based password managers

You get useful password management solutions from browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox. These tools are convenient and free. But if you are not careful, they can also lead to compromised data, stolen credentials, and account takeovers. Take the Google Password Manager, for instance:

Issues with using Google password manager

The Google Password Manager is among the most secure browser-based password managers, but it has some serious flaws. 

  • Your passwords are protected by default by server-level encryption. Unless you opt for the on-device encryption feature, a hacker can access your password by remotely accessing your browser.
  • If your device is signed into your Google account, anyone with access to the device can also see the saved passwords in plain text.
  • While Google allows you to check whether your passwords have been exposed in leaked credential databases, it doesn’t automatically raise an alert if that happens.
  • Your passwords are not reset periodically, and you cannot share them securely. 

Hackers often hide invisible forms in websites, which weak password managers can mistake for valid login fields and fill in, divulging sensitive data. You will face issues similar to those of other browser-based password managers.
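
The URL matching described earlier and the hidden-form problem above, as an added JavaScript example that is not from the original article or from any browser's or vendor's code: it offers a saved login only on an exact HTTPS origin match and only when both login fields are visible to the user. The field-object shape, the sample origin and the same-origin form-action rule are assumptions of this example.

```javascript
// Constructed sample data: saved logins keyed by exact origin (scheme + host + port).
const savedLogins = new Map([
  ["https://accounts.example.com", { username: "alice", credentialId: "cred-1" }],
]);

// A field is modelled as a plain object holding what a password manager would
// read from the DOM and computed style (hypothetical shape, so this runs in Node).
function isVisibleToUser(field) {
  const { style = {}, rect = {} } = field;
  if (field.hidden || field.type === "hidden") return false;
  if (style.display === "none" || style.visibility === "hidden") return false;
  if (Number(style.opacity ?? 1) === 0) return false; // fully transparent
  if ((rect.width ?? 0) < 2 || (rect.height ?? 0) < 2) return false; // 0x0 or 1x1 fields
  const right = (rect.x ?? 0) + (rect.width ?? 0);
  const bottom = (rect.y ?? 0) + (rect.height ?? 0);
  return right > 0 && bottom > 0; // positioned off-screen otherwise
}

// Decide whether to offer autofill for a form found on pageUrl.
function autofillDecision(pageUrl, formActionUrl, fields) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return { fill: false, reason: "insecure-page" };
  // Exact origin lookup: no substring or suffix matching, so look-alike hosts miss.
  const login = savedLogins.get(page.origin);
  if (!login) return { fill: false, reason: "no-saved-login-for-origin" };
  // Conservative policy choice of this example: the form must post to the same origin.
  const action = new URL(formActionUrl, pageUrl);
  if (action.origin !== page.origin) return { fill: false, reason: "cross-origin-form-action" };
  const user = fields.find((f) => f.type === "text" || f.type === "email");
  const password = fields.find((f) => f.type === "password");
  if (!user || !password) return { fill: false, reason: "no-login-fields" };
  if (!isVisibleToUser(user) || !isVisibleToUser(password)) {
    return { fill: false, reason: "hidden-field" };
  }
  return { fill: true, credentialId: login.credentialId, username: login.username };
}
```
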

The difference becomes clear when you compare a browser-based password manager secured by your device’s passcode with an enterprise-grade password manager that uses zero-knowledge encryption, so that your master password never reaches its server, even in an encrypted form.

If you think these issues pose a threat to your digital security, you might want to disable the Chrome password manager and move your credentials to a more secure password management solution. 

2FA and usability issues

Whether you use a browser-based password management tool or a proprietary tool with many features, two-factor authentication is a game changer in terms of ensuring password security.

After entering the password – something you know – you are also asked to enter a code sent to you or to click on a prompt sent to you to prove the ownership of a device – something you have. This doubles account security and reduces the impact of phishing attacks. 

However, 2FA creates some friction since it introduces extra steps to the authentication process. People tend to opt out of it despite knowing how crucial it can be.  

Uniqkey’s 2FA autofill feature deals with this issue

Uniqkey’s 2FA autofill pulls your 2FA information and fills it in automatically. You no longer need a separate authenticator because one is built into Uniqkey, nor do you need to switch apps to copy and paste the 2FA information. It eliminates the hassle of the 2FA process and paves the way for 100% 2FA adoption.

Takeaways

  1. Businesses should not use browser-based password managers for password auto-fills. Getting an enterprise-grade password management solution is the best option for securing passwords and overall security administration.
  2. Auto-filling the 2FA information securely is the next big step in advanced password security, and Uniqkey has achieved this.
  3. Teams need a password management tool that enables secure password sharing on top of password storage and auto-fill. 

Utsav Chopra

Utsav Chopra serves as the Product Marketing Manager at Uniqkey A/S, specializing in cybersecurity. He authors blogs to educate individuals on online safety and effective password management. Utsav possesses practical experience with drones and robots and has successfully launched multiple SaaS products. He holds a Bachelor's degree in Computer Science Engineering.