Why are browser storing synced passwords locally?

The thing is, this is a massive security issue and I thought someone like Google would do it by now. After all, they have the server power to utilize password fetching on request every time user needs to login somewhere. But they still keep on insisting on idiotic local password storage. Why!?

I’ve had a security breach ages ago with Firefox where malware that I executed by mistake during testing pretty much just copied the local password storage file and submitted it to god knows where. And then I had to change passwords of every single service I was using at that time. Then I checked other browsers and they ALL do this stupid thing. So I was forced to move to LastPass.

And here is where I got the idea. LastPass offers 100% remote password storage if you enable it in its settings. Granted, you have to be connected to the internet in order to access and use your passwords, but then again, what good are all those passwords without internet connection if you can’t access the service in the first place? There are really very rare cases where you need to lookup password for a device that isn’t the one on which you’re looking up the passwords. I’ve had like 3 such scenarios in last 2 years or so where I needed passwords to be used on a smartphone.

So, this is how Lastpass always connected password storage and syncing works:

Visit webpage with login -> LastPass detects it -> sends query to their servers and returns the password for that page -> browser extension inserts the password into webpage -> You just have to click Log in button

Why is this a smarter method?

If you happen to have a security breach, all you have to do is to change the LastPass master password and all the remote passwords will be safe again. Because there is no way someone on the other end will manually check every single password one by one and abuse it the very moment it’s submitted to a remote location. And since LastPass also offers 2-step authentication (which is highly recommended!), it’s nearly impossible to steal your passwords. Someone would actually have to hack your computer (or rely on you installing RAT (Remote Access Tool) yourself via malware), install RAT and use your local browser to steal your passwords from within the browser LastPass extension by hand. A scenario which requires way too much work for anyone to bother with, knowing there might not even be any profitable “loot” when they do it.

Syncing is an integral part of every browser these days and if you use more than one device, you’re most likely using browser syncing. So you have same bookmarks, passwords and settings on all systems. If you use sync, passwords should be strictly remote. If you don’t use syncing, then browser should store passwords locally like they used to for the last 2 decades or so.

I know you can set a master password for local password storage, but it’s really annoying and if they steal your local password storage file and a crypt key, they can do the decryption locally using brute force. And then you again have to manually change all the passwords. It’s just pointless and stupid.

But remote storage and instant fetching of passwords would greatly boost security and make password stealing a massive pain in the ass for the criminals. Google can do it easier since they have all the resources, servers and 2-step authentication already in place, but I’m expecting Mozilla to do it as well. Because seeing how great it works in LastPass, I just can’t accept any excuses for not using such system.

For the time being, I highly recommend ditching all the existing browser password managers and usage of LastPass instead. It’s convenient, secure and after using it for several years, it works amazingly well with just 1 few hours long downtime when LastPass was experiencing some issues (that was like few months ago). 1 downtime incident in several years. It’s hardly inconvenient considering all the benefits. But when Google and Mozilla will do it, now that will be awesome.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s