Your Password Manager’s Autofill Feature is Hurting You

We all know what they say about passwords and security. To keep your data and information safe, you need to have a long involved password, and it needs to be unique to that website. If you use a browser-based password manager with an autofiill feature to help you with that task, though, you may want to reconsider, as advertisers are able to gather data from those helpful managers.

news-password-manager-advertisers-situation

Often, passwords are required to have at least one uppercase letter, lowercase letter, and number, and many times a symbol as well. But the more websites and apps you connect to, the more passwords you’re required to remember. Unless you have a really good memory, it just becomes too tough to remember all those logins with unique passwords.

This is when we start relying on a browser-based password manager. It’s so much easier to have all those difficult-to-remember passwords remembered in that password manager. It will autofill your login information, taking care of all the work for you. And sometimes it will even suggest unique passwords for you, to take care of that whole password task.

But research from Princeton’s Center for Information Technology Policy is claiming that while those password managers seem ultra helpful, they’re also being ultra hurtful as well. They’re also allowing advertisers to pull data and information from the password manager browser add-ons that are able to access the autofill feature.

news-password-manager-advertisers-stealing

These add-ons actually use a fairly simple system to steal your information and send it to advertisers. After you ask the add-on to save your information, a tracking script is in place but not visible to you.

After you have signed on with the autofill feature, and you visit a different page on the same site, it includes a tracking script which puts up an invisible autofill form that is again filled in automatically by your password manager, but this time you don’t see it.

The third-party script grabs your email address from that autofill form and sends it to third-party servers, and they use that information to track you.

These tracking scripts were found on 1110 of the Alexa top one-million sites. While those scripts are only collecting your email address from the autofill feature at this point, collecting your password may turn up in future scripts.

To be sure that you’re not falling victim to this ploy, you need to make sure that your browser-based password manager doesn’t automatically fill in that information for you without any input from you.

An example of a password manager that doesn’t exploit you with scripts is 1Password. It’s designed in a way to avoid all of that. A user has to take a specific action in order to get the password to be filled in via the autofill feature.

While there are several different ways to get the login information to be filled in, in every one of those ways the user needs to give the browser the approval to do so. 1Password won’t do it automatically for you, meaning a third-party script doesn’t have the ability to sneak in there and steal that information from the autofill feature.

If you’re concerned about your email being leaked to advertisers and maybe your passwords at some future date, you’ll want to make sure that if you use a browser-based password manager that you use one like 1Password that doesn’t fill in your login information automatically.

Leave a Reply

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.