Should You Disable Autofill? - Here's How to Protect Your Passwords

What is a Password Manager? 

Malwarebytes defines a password manager as a “software application designed to store and manage online credentials and it also generates passwords” (malwarebytes). The passwords are typically stored in an encrypted database and protected behind a master password. 

The purpose of a password manager is to keep all of your login credentials all in one place so you don’t have to scramble to remember what your password for a specific website is. It makes it easy for you to keep all of your account usernames and passwords in one spot and locked via a master password, which is the only password you need to remember. Once you enter your master password into the password manager, it unlocks the password vault and can retrieve any password that you need. You can also autofill your login credentials in browsers with the password managers. Although the autofill feature is beneficial, the rest of this article will discuss why you should disable autofill on your browsers and the security concerns that come with it.

Password Manager Examples

Here are a few password manager examples:

• LastPass
• Bitwarden 
• KeePass
• Dashlane
• 1Password

What is Autofilling? 

Autofilling is when your password manager fills in the username and password into a website’s login page with your saved credentials. 

Benefits of Using Autofill in Your Password Manager

By using a password manager, you have the ability to autofill your login credentials on any website as long as you have the autofill for your password manager enabled. This makes it so that you don’t have to memorize your passwords anymore for a certain website. You can even use the password manager to auto-generate a highly secure password for you for a website or application if you don’t want to come up with one on your own. 

Although there are many benefits of using autofill with your password manager, security experts are encouraging people to disable autofill in your password manager because there are autofill features that can be exploited by hackers. 

Should you Disable Autofill? 

The answer is YES, you should disable autofill and I will tell you why. The biggest concern with autofill is privacy and how a hacker can easily obtain personal information. It is simple to trick a browser or password manager into giving up saved login credentials. 

The hacker just needs to “place an invisible form on a compromised webpage to collect users’ login information” (techadvisory). Back in 2017, Finnish web developer, Viljami Kuosmanen, published a demo on GitHub that shows how an attacker takes advantage of the autofill feature that is provided by most browsers. Kuosmanen “discovered a vulnerability that can expose your stored data to a malicious person via phishing” (Social Engineer). In this attack, once a user visits the phishing website, they will be presented with “a series of text boxes where it asks for some basic information” (PCMag). If you use autofill to enter in the information, then the hidden text boxes are actually collecting your information without your knowledge. Once successful, the hacker now has access to your login credentials, credit card information, and any other sensitive data. 

Hackers are not the only one trying to use your login credentials, some “ad networks are using tracking scripts to grab email addresses stored in your password manager for autofilling”. The purpose of doing this is to not hack your personal information but to get a better understanding of the websites you visit so they can target more appropriate ads towards you. 

Prevention Against Autofill Attack

The best way for you to prevent any attack is to disable autofill in any browser you use. It's better to copy and paste the password from your password manager than to autofill it. If an organization allows the usage of password managers, then it is important to educate all employees to not click on any suspicious links or emails received. Phishing emails are hackers' favorite way to deceive users into getting the information that they want. 

How to Disable the Autofill Feature on Chrome, Firefox, and Safari

It is important to note that the autofill feature is enabled by default and this is how you can disable autofill in each of the listed browsers.

Chrome

1. Click on the three dots on the upper right hand corner of the browser
2. Go to Settings
3. Expand the Autofill section and then select on what you wish to disable autofill (you can toggle the OFF setting if it has been enabled)

Firefox

1. Click on the three lines at the top right of the screen 
2. Click on Settings
3. Select Privacy & Security on the left side of the screen 
4. Scroll down until you see Logins and Passwords then uncheck (if it is checked marked) Autofill Login and Passwords

Safari

1. Click on the Safari menu → Preferences → Autofill tab → Unselect Username and Passwords and any other options listed that you do not want to have autofilled 

Hopefully by now you have a better understanding of password managers and how you can disable autofill in your browser. If you didn’t know much about password managers then I hope this article helped explain that. 

Autofill with password managers does have its advantages however the privacy security concern should raise some red flags. Hackers will always do their best to obtain personal information without the person’s knowledge. Therefore, it is very important to make sure what can happen if you continue to use autofill in your browser. Companies should be doing their best to prevent attacks from occurring as a loss of credentials may cause serious if not permanent damage to the organization.