You should turn off autofill in your password manager, and stop using some browser password managers altogether, argues a Czech security researcher.
"Most password managers have the autofill feature enabled by default, even though it reduces the security of the stored password," said Marek Toth, a penetration tester at Avast, in a recent blog post.
Autofilling is when your password manager fills in the username and password fields in a website's login page with your saved credentials without you actively prompting the password manager.
The characters pasted into the field can then be "read" by scripts present in the login page (such as might be present in an online ad that has nothing to do with the page itself), and those scripts will be able to copy and send your username and password anywhere.
Of course, those scripts could also read your username and password when you actively fill in the fields when logging in, but at least you have control over when that happens.
Autofilling tries to fill those fields all the time. Malicious scripts can and sometimes do create invisible login fields that you can't see to catch those credentials without your knowledge, as three researchers discovered in 2017.
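The invisible-field trick described above is something a defender can look for directly. The following is an added example, not code from the article, from Toth's research or from any vendor named here: a small audit that lists username and password inputs a password manager would populate but which a person could not actually see (hidden by CSS, zero-sized, transparent, or pushed off-screen). The CSS thresholds, the descriptor shape and the sample fields are assumptions made for illustration; `auditDocument` runs against a live page from a browser console or extension content script, while `auditCredentialFields` works on constructed data in Node.

```javascript
// Added example (not from the article or any vendor it quotes): flag
// credential inputs that autofill would fill but a user could not perceive.

// Fields a password manager would typically fill (assumed selector list).
const CREDENTIAL_SELECTOR =
  'input[type="password"], input[autocomplete="username"], ' +
  'input[autocomplete="current-password"], input[autocomplete="email"]';

// Build a plain descriptor from a live DOM element (browser only).
function describeElement(el, win = window) {
  const style = win.getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  return {
    name: el.name || el.id || "(unnamed)",
    type: el.type,
    display: style.display,
    visibility: style.visibility,
    opacity: parseFloat(style.opacity),
    width: rect.width,
    height: rect.height,
    left: rect.left,
    top: rect.top,
    viewportWidth: win.innerWidth,
    viewportHeight: win.innerHeight,
  };
}

// Return the reasons a descriptor counts as invisible to the user.
// An empty list means the field looks like a normal, visible input.
function hiddenReasons(d) {
  const reasons = [];
  if (d.display === "none") reasons.push("display:none");
  if (d.visibility === "hidden") reasons.push("visibility:hidden");
  if (d.opacity < 0.1) reasons.push("near-zero opacity");
  if (d.width < 2 || d.height < 2) reasons.push("zero-size box");
  const offscreen =
    d.left + d.width <= 0 || d.top + d.height <= 0 ||
    d.left >= d.viewportWidth || d.top >= d.viewportHeight;
  if (offscreen) reasons.push("positioned off-screen");
  return reasons;
}

// Audit a list of descriptors and keep only the suspicious ones.
function auditCredentialFields(descriptors) {
  return descriptors
    .map((d) => ({ name: d.name, type: d.type, reasons: hiddenReasons(d) }))
    .filter((r) => r.reasons.length > 0);
}

// Browser entry point: collect the page's credential inputs and audit them.
function auditDocument(doc = document, win = window) {
  const fields = Array.from(doc.querySelectorAll(CREDENTIAL_SELECTOR));
  return auditCredentialFields(fields.map((el) => describeElement(el, win)));
}

// Constructed sample standing in for a page's inputs: a normal visible login
// form plus two fields a user would never see.
const SAMPLE_FIELDS = [
  { name: "username", type: "text", display: "block", visibility: "visible",
    opacity: 1, width: 200, height: 30, left: 100, top: 100,
    viewportWidth: 1280, viewportHeight: 800 },
  { name: "password", type: "password", display: "block", visibility: "visible",
    opacity: 1, width: 200, height: 30, left: 100, top: 150,
    viewportWidth: 1280, viewportHeight: 800 },
  { name: "pw_shadow", type: "password", display: "block", visibility: "visible",
    opacity: 0, width: 200, height: 30, left: 100, top: 200,
    viewportWidth: 1280, viewportHeight: 800 },
  { name: "user_offscreen", type: "text", display: "block", visibility: "visible",
    opacity: 1, width: 200, height: 30, left: -5000, top: 100,
    viewportWidth: 1280, viewportHeight: 800 },
];

if (typeof document === "undefined") {
  // Node: run the audit over the constructed sample.
  console.log(auditCredentialFields(SAMPLE_FIELDS));
} else {
  console.log(auditDocument());
}
```

On the constructed sample the audit reports only `pw_shadow` (transparent) and `user_offscreen` (placed far outside the viewport); the two ordinary inputs pass. A real extension would re-run the audit after DOM mutations, since injected scripts often add such fields after the page has loaded.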
Toth found that most major web browsers, including Chrome, Firefox, Edge, Internet Explorer, Opera and Vivaldi, automatically filled in usernames and passwords by default, as did the stand-alone password managers LastPass, Dashlane and Sticky Password.
The Safari and Brave browsers did not autofill passwords, Toth said, nor did the 1Password, RoboForm and Bitwarden password managers. Another password manager, Keeper, will autofill passwords on a site-by-site basis with user permission.
"By activating autofill by default, our users perceive the value of a password manager sooner," Dashlane Chief Technology Officer Frédéric Rivain told us. "This ultimately increases their chances to continue using a password manager and thus become more and more secure."
"The autofill also provides an anti-phishing protection as Dashlane only suggests users' information on the specific website linked to their password," Rivain added. "The only vulnerability identified is when an attacker has modified the website you're logging into, in which case they can steal your password whether or not you have autofill enabled."
"We are constantly evaluating ways to improve the autofill flow to protect our users while still offering a convenient login experience," said Dan DeMichele, vice president of product management at LastPass. "We always recommend users only visit sites and click on links that they trust to prevent against potential attempts to steal login information."
"If the user wants to be in control of the credential filling, this option is available as an extension preference setting and, for Business users, as a policy," DeMichele added. "Delivering a secure service for our users remains our top priority."