All modern browsers offer to sign you into the browser itself, usually right after installation. If you accept, your browsing data (bookmarks, history, open tabs, extensions and so on) is uploaded to the vendor's cloud and shared with every other copy of the browser you have signed into. In Chrome's case, signing into the browser also signs you into your Google account on all Google sites.
So where’s the problem, you ask?
The problem starts when we install such a browser, Chrome for example, on a computer at work, whether on your workstation or in any virtual machine (after all, who wants to work with IE?).
If after installation you have entered your username and password into the browser, auto sync starts working. From that moment on, every password you save while working, including those for your company's internal sites (intranet) and for other companies' sites you use on that network (Salesforce, for example), is uploaded to your account in the cloud!
And if you are a developer, the passwords for all of your sites in development and testing (including your customers' UAT environments) and even your production site passwords are uploaded too!
Worse, in most cases they are even readable through the vendor's website. Sign in to https://passwords.google.com from your work browser: if you see the list of passwords you used during your work, that is not good.
Passwords that were never supposed to leave your work environment are now stored on a third-party website and even downloaded to your personal computers at home and to your laptops, which increases the chances of them reaching the wrong hands.
Scary, isn’t it?
So what can we do?
First, never log in to your browser at work. I do not believe there is a real need for it – do you really want your browsing history from work to go home, or worse – the opposite?
To check whether you are signed into Chrome, go to the Settings page. This is what it looks like if you are signed in:
If you see your name and email there, then you are signed in and need to click the sign-out button. The Settings page should then look like this:
But since we're in 2017 and we do need to log in to certain sites at work (Google, Facebook etc.), how can we do it safely?
The solution is to do it from a dedicated browser window in private browsing mode. Every browser has such a mode. In Chrome it is called Incognito, and you can open one by right-clicking the Chrome icon in the taskbar and choosing "New incognito window", or by pressing Ctrl+Shift+N.
As long as the window is open you can use it normally (for example, if you sign in to Facebook and open tabs with other sites, you can comment there with your Facebook account). What you gain is isolation: an Incognito window has its own cookie jar, separate from your normal profile, so sites you open in it cannot ride on the sessions of your work profile, and your work sites cannot see your personal ones. Passwords typed in Incognito are not offered for saving, so they never enter the password store that sync uploads. When you close the last Incognito window, all of its cookies and site data are discarded, which logs you out of every account at once, and nothing is left on disk for someone to recover later. Two caveats: Incognito does not hide your traffic from your employer's proxy or from the sites you visit, and it does not make a vulnerable site any safer; what you get is separation of sessions, not a shield around each site.
Ask yourself whether you need this feature at all. Browser synchronization is designed to let you "continue browsing from another computer", but it comes with high security and privacy risks, especially if you sync your passwords.
If you are interested, I recommend doing the following:
- Choose specifically what to sync: don't sync passwords or history. You can do this from your sync settings: Google Sync Settings
- Chrome can encrypt synced data with a sync passphrase of your own. Once you set one, the data is encrypted on your machine before it is uploaded to Google's servers. It is available from other computers where you enter the same passphrase, but Google does not know the passphrase, so no one at Google can read the data (in the case of a rogue employee, a breach, or a request from the NSA, for example). Note that the passphrase protects what is stored at Google; it does not change the fact that the passwords are still copied to every other machine where you enter it, so it complements not syncing passwords rather than replacing it. After you turn the feature on, this is how the password page in your Google Account should look:
The disadvantage of this method is that the encrypted data is also unavailable to Google's own services, so automatic sign-in for mobile apps and sites that relies on them will not work.
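The checks above are done by hand in the Settings UI. As an added example (my code, not the post author's), the following Python script reads the same state from Chrome's Preferences file so it can be run across many machines, and builds the Chrome policy an administrator would deploy to make the decision for users instead of asking them. The Preferences key names (account_info, sync.has_setup_completed, sync.keep_everything_synced, sync.passwords, sync.encryption_bootstrap_token) are assumptions based on profiles of Chrome's generation at the time of this post and do shift between releases; the policy names SyncDisabled, PasswordManagerEnabled and BrowserSignin are real Chrome policies, though BrowserSignin was added after 2017. The profile paths and the sample profile are constructed for the example.

```python
"""Audit a Chrome profile for browser sign-in and password sync, and build
the managed policy that switches both off for every user.

Added example, not the post author's code. Assumed (labelled) Preferences
keys: "account_info", "sync.has_setup_completed",
"sync.keep_everything_synced", "sync.passwords" and
"sync.encryption_bootstrap_token". Key names move between Chrome releases,
so a missing key means "unknown", never "safe".
"""
import json
import os
import sys
from typing import Any, Dict

# Default profile locations (assumed; adjust for non-default profiles).
PROFILE_PREFS = {
    "win32": os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences"),
    "darwin": os.path.expanduser("~/Library/Application Support/Google/Chrome/Default/Preferences"),
    "linux": os.path.expanduser("~/.config/google-chrome/Default/Preferences"),
}

# Constructed sample of the situation the post describes: signed in,
# "sync everything" on, no custom passphrase. Not a real profile.
SAMPLE_PREFS: Dict[str, Any] = {
    "account_info": [{"email": "dev@example.com"}],
    "sync": {"has_setup_completed": True, "keep_everything_synced": True, "passwords": True},
}


def audit_prefs(prefs: Dict[str, Any]) -> Dict[str, Any]:
    """Decide whether this profile is shipping work passwords to the cloud."""
    accounts = [a.get("email") for a in prefs.get("account_info", []) if a.get("email")]
    sync = prefs.get("sync", {})
    sync_on = bool(sync.get("has_setup_completed"))
    # "Sync everything" overrides the per-type switch for passwords.
    passwords_synced = sync_on and (bool(sync.get("keep_everything_synced")) or bool(sync.get("passwords")))
    # A custom sync passphrase leaves a cached bootstrap token behind (assumed key).
    passphrase = bool(sync.get("encryption_bootstrap_token"))
    return {
        "signed_in": bool(accounts),
        "accounts": accounts,
        "sync_enabled": sync_on,
        "passwords_synced": passwords_synced,
        "custom_passphrase": passphrase,
        # Passwords leave the machine readable by Google only when synced without a passphrase.
        "work_passwords_at_risk": passwords_synced and not passphrase,
    }


def managed_policy(disable_signin: bool = True) -> Dict[str, Any]:
    """Chrome policies that remove the user's choice entirely.

    SyncDisabled and PasswordManagerEnabled are long-standing policies;
    BrowserSignin (0 = sign-in disabled) was added in later Chrome releases.
    """
    policy: Dict[str, Any] = {
        "SyncDisabled": True,             # no browser sync of any data type
        "PasswordManagerEnabled": False,  # Chrome never offers to save passwords: nothing to sync
    }
    if disable_signin:
        policy["BrowserSignin"] = 0
    return policy


def policy_as_reg(policy: Dict[str, Any]) -> str:
    """Render the policy as a .reg file for Windows (machine-wide Chrome policy key)."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]",
    ]
    for name, value in policy.items():
        if isinstance(value, bool):
            value = int(value)  # Chrome reads booleans as REG_DWORD 0/1
        if isinstance(value, int):
            lines.append(f'"{name}"=dword:{value:08x}')
        else:
            lines.append(f'"{name}"="{value}"')
    return "\n".join(lines) + "\n"


def policy_as_json(policy: Dict[str, Any]) -> str:
    """Render the policy for Linux: drop into /etc/opt/chrome/policies/managed/."""
    return json.dumps(policy, indent=2) + "\n"


def main() -> None:
    path = sys.argv[1] if len(sys.argv) > 1 else PROFILE_PREFS.get(sys.platform)
    if path and os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            findings = audit_prefs(json.load(fh))
    else:
        print("no Preferences file found, auditing the constructed sample instead")
        findings = audit_prefs(SAMPLE_PREFS)
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("\npolicy (Windows .reg):\n" + policy_as_reg(managed_policy()))
    print("policy (Linux JSON):\n" + policy_as_json(managed_policy()))


if __name__ == "__main__":
    main()
```

Run it with no arguments to audit the default profile on the current machine, or pass the path of a Preferences file copied from another host; close Chrome first so the file you read is fully written. The .reg output lands under HKLM, so it applies to every user of the machine, shows up in chrome://policy, and cannot be undone from the Settings page, which is the point: a policy does not depend on each user remembering this post.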
Safe browsing everyone!