PSA: Browsers and saved credentials

(PSA == Public Service Announcement)

From this interesting blog post:

And now the explanation for the mysterious appearance of credentials becomes clear: When the user logged into the Internet Cafe PC, any random credentials that happened to be on that PC were silently imported into their MSA/AAD account and will now roam to any PCs sync’d to that MSA/AAD account.

Now, there’s a further issue to be aware of: If you log out of a browser/sync, by default, all of your roamed-in credentials are left behind!

So, for example, if you logged into the browser on an Internet Kiosk, dutifully logging out of your profile after use, if you fail to tick this checkbox:

… the next person to use that browser profile will have access to your stored credentials. Even worse, if they decide to log into the profile, now your credentials are roamed from that Kiosk PC into their account, enabling them to log in as you from wherever they go.

Please read the blog post in its entirety. I wanted to highlight the above part though as it’s obvious in retrospect but I hadn’t realized signing in to a browser and then signing out leaves your passwords behind. Like I said, obvious in retrospect as I know that’s what happens with bookmarks, but I sorta assumed it wouldn’t be the case for sensitive info like passwords. To be safe and sensible: don’t ever sign in to a browser profile on any browser not on your own machine in the first place. Heck, don’t save your passwords in your browser in the first place – use a password manager!

Although the above post is about Edge (and pretty sure Chrome too), it also applies to Firefox. Unless you tick the box, your passwords are left behind.