October 1st, 2020
Browser Password Storage Thoughts – WST
There is some risk when allowing a user’s browser to remember passwords. If a bad actor gets access to a machine, they could possibly leverage the passwords stored in the browser to increase access and move to other systems. It should be noted that there are numerous other ways they can do the same, so blocking browsers from remembering passwords is simply a layer in your overall controls. All browser vendors allow you to block password storage via Active Directory Group Policy, and a Google search for “browser block passwords storage via group policy” should get you going.
If you do disable browser-stored passwords, it’s important to give users an alternative; otherwise they will likely end up using a Word doc full of passwords on their desktop or maybe just write them down on sticky notes – arguably less secure than letting the browser store passwords! Some popular password managers are KeePass, LastPass, and 1Password. Whatever you choose, you will also have to train your employees on proper usage, and it’s a good idea to reinforce this training at least annually.
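Once the Group Policy setting mentioned above is deployed, it is worth confirming that it actually landed on endpoints. The PowerShell below is an added example, not part of the original post; it assumes machine-level policy for Chrome, Edge and Firefox, each of which exposes a `PasswordManagerEnabled` policy value under `HKLM\SOFTWARE\Policies`.

```powershell
# Added example: report whether the browser "password manager" policy is set
# to blocked on this machine. Assumption: policy is applied per machine (HKLM);
# per-user policy would live under the same paths in HKCU.
$policies = @(
    @{ Browser = 'Chrome';  Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome'   }
    @{ Browser = 'Edge';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'  }
    @{ Browser = 'Firefox'; Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox' }
)
$name = 'PasswordManagerEnabled'   # 0 = saving blocked, 1 = saving allowed

$results = foreach ($p in $policies) {
    $value = $null
    if (Test-Path -Path $p.Path) {
        # Returns $null when the key exists but the value was never written
        $value = (Get-ItemProperty -Path $p.Path -Name $name -ErrorAction SilentlyContinue).$name
    }
    $state = if ($null -eq $value) { 'NotConfigured' } elseif ($value -eq 0) { 'Blocked' } else { 'Allowed' }

    [pscustomobject]@{
        Browser = $p.Browser
        Policy  = "$($p.Path)\$name"
        Value   = $value
        State   = $state
    }
}

$results | Format-Table -AutoSize

# A missing value means the browser falls back to its default (saving allowed),
# so anything other than 'Blocked' is reported as a gap.
$gaps = @($results | Where-Object { $_.State -ne 'Blocked' })
if ($gaps.Count -gt 0) {
    Write-Warning ("Password saving is not blocked by policy for: " + ($gaps.Browser -join ', '))
    exit 1
}
```

A non-zero exit code makes the script easy to run from a compliance or endpoint-management tool; a browser that is not installed will also show as `NotConfigured`.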