Hot Take Microsoft is removing a security feature from the Edge browser

Saved passwords, at least in Firefox, are encrypted, so the only thing malware can actually steal is an encrypted database; I'm not sure about other browsers, though. You can even enhance security by using the master password feature in Firefox.
I tested some of those infostealers against Firefox too and they were successful. The master password is not enabled by default, so for most users, their passwords can be stolen.

Gemini's explanation:
## 1. Is it encrypted by default?

**Yes, but with an asterisk.** By default, Firefox encrypts your stored usernames and passwords (Areia et al., 2024). It stores them in a JSON file called `logins.json` located in your local user profile directory (Areia et al., 2024). The cryptographic key needed to decrypt this file is kept right next to it in a SQLite database named `key4.db` (Areia et al., 2024).

The catch? **The decryption key itself is not protected by default.** Because Firefox does not enforce a **Primary Password** (formerly Master Password) out of the box, the key in `key4.db` sits wide open to anyone—or any program—that has access to your local user files (Areia et al., 2024).

## 2. How Infostealers Bypass This Encryption

Infostealers don't need to use sophisticated cryptographic attacks to crack your passwords. Because of the unprotected default setup, the malware simply replicates the browser's own decryption process (Areia et al., 2024).

When an infostealer infects a machine, it executes a highly targeted routine (Areia et al., 2024):

1. **Targeting the Profile:** It sweeps the local directory for Firefox profiles.
2. **Exfiltration:** It copies both `logins.json` and `key4.db` (Areia et al., 2024).
3. **Decryption:** Because there is no Primary Password locking `key4.db`, the malware uses standard, open-source decryption routines (often built right into the malware or executed on the attacker's command-and-control server) to read the database, extract the key, and instantly decrypt `logins.json` into plain text (Areia et al., 2024).
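One detection-side way to use what the explanation above describes (a process other than the browser reading `key4.db` and `logins.json` from the same profile in quick succession), written as an added example for this thread rather than code from the original post or from any cited work; the audit-log line format, the `firefox.exe` allow-list and the 60-second window are assumptions:

```python
import re
from collections import defaultdict

# Constructed sample file-open audit events (not real telemetry):
# "<epoch seconds> <process image> <path opened>", one per line.
SAMPLE_EVENTS = r"""
1700000000 firefox.exe C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\key4.db
1700000001 firefox.exe C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\logins.json
1700000100 updater.exe C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\key4.db
1700000102 updater.exe C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\logins.json
1700000500 explorer.exe C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\logins.json
"""

# The two files the thread says an infostealer copies together.
CREDENTIAL_FILES = {"key4.db", "logins.json"}
# Processes expected to touch a Firefox profile (assumed allow-list; extend per site).
ALLOWED_PROCESSES = {"firefox.exe"}
# Both files read by the same process within this many seconds -> alert (assumption).
WINDOW_SECONDS = 60

EVENT_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.+)$")


def parse_events(text):
    """Yield (timestamp, process, profile_dir, file_name) for each well-formed line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, proc, path = m.groups()
        parts = re.split(r"[\\/]", path)  # split on either path separator
        profile_dir = path[: len(path) - len(parts[-1])].rstrip("\\/")
        yield int(ts), proc.lower(), profile_dir, parts[-1].lower()


def find_credential_theft(text):
    """Return [(process, profile_dir)] for every non-allowed process that read
    both key4.db and logins.json from one profile within WINDOW_SECONDS."""
    last_read = defaultdict(dict)  # (proc, profile_dir) -> {file_name: last ts}
    for ts, proc, profile_dir, name in parse_events(text):
        if name in CREDENTIAL_FILES and proc not in ALLOWED_PROCESSES:
            last_read[(proc, profile_dir)][name] = ts
    hits = []
    for key, reads in last_read.items():
        if CREDENTIAL_FILES.issubset(reads):
            if max(reads.values()) - min(reads.values()) <= WINDOW_SECONDS:
                hits.append(key)
    return hits


if __name__ == "__main__":
    for proc, profile_dir in find_credential_theft(SAMPLE_EVENTS):
        print(f"ALERT: {proc} read key4.db and logins.json from {profile_dir}")
```

In the constructed sample only `updater.exe` trips the rule: the browser itself is allow-listed, and `explorer.exe` touches only one of the two files.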
 
That changes things for me a bit. For me it is less about trusting/not trusting, since password managers have been proven to be reliable. For me it's more about not being able to log in to my account to use a password when needed.
That's why I use two password managers, exporting my vault monthly and backing it up as well.