How do current web browsers (or mobile mail clients and any software in general) save user passwords? All answers about storing passwords say we should store only hashes, not the password themselves. But I'm having a hard time searching the web trying to find the best techniques to store passwords when we know we will need them in plain text later on — without storing them in plain text, without using a weak encryption (known key) and without asking the user for a master password. Any ideas?
Web Security – How Web Browsers Save Passwords
encryptionhashingpasswords
Best Answer
locally it is either stored as plain text or encrypted.
when encrypted the en/decryption key can be fixed per browser (hardcoded in the executable), per machine (generated at install and stored in the install directory) or per user (generated at first time use of password manager and stored in the
%appdata%)or they can be combined: the user level key is encrypted with the machine level key so that when malware takes the file where the passwords are stored it is stored it is useless without the user level and machine level keys
Some browsers also allow you to use a "master" password which which is combined with the existing key to provide more security
when you use a (good) synchronization service the passwords are never stored in plain text on the server and never decrypted server side.