Securing your workstation: The Browser


Securing someone’s workstation is a complex task that calls for a customized approach. It consists of an assessment of the user’s needs, balancing security with operational functionality. However, security always involves educating users about their behavior. Securing how we handle passwords is but one step. Here is a quick checklist to help you secure your workstation browser and set the basis for a more comprehensive security education.

1. Disable the browser functionality that saves passwords.

Since every browser saves passwords in a way that a skilled and malicious user can steal, the first step is to disable this feature. I would recommend doing this step on every installed browser, regardless of whether you are using it or not. Removing the unused software altogether is also a good thing.

2. Export all your saved passwords to a file.

We will need this in just a moment. The procedure is different for every browser, so you will need to refer to each browser’s guide on how to do so. Save the files in the same folder; the Password Manager will then deal with any duplicates. Please do not use a network-connected or shared folder for this task.

3. Define a Master Password.

At some point, you will need to remember at least one password. This password must be secure and easy to remember. This may seem contradictory: we generate complex passwords, but then we use one easy-to-remember password to protect them? An “easy to remember” password is not necessarily a weak password. For this purpose, please refer to my article “How to define a Master Password” for a detailed guide and explanation on this point.

4. Sign up for a free Password Manager service you like.

There are various reliable options to choose from. I personally recommend Bitwarden, which I have been using for many years, and it is a staple when I’m asked to secure a customer workstation or network. Like others, it is not without its flaws. However, I must say it has never let me down, and the usability is great. Using a Password Manager implies a necessary change in user habits. Security always comes at a price.

5. Import all your browser passwords into the Password Manager

The procedure will be different depending on which Password Manager you have chosen and which browser’s passwords you are importing. Please make sure you have correctly imported all your browsers’ passwords before moving to the next step of this list. I also suggest installing the corresponding browser plug-in.

6. Erase your browser’s passwords and exported password files

If we don’t clean up leftovers, we have achieved nothing. At this point our browsers still have our passwords saved somewhere, and we also have exported files with all our credentials. Deleting a file is not forensically safe. We want to prevent the very possibility of recovering our deleted files. For this purpose, please refer to my article “How to forensically delete files” for a detailed guide and explanation on this point.

7. Generate secure passwords using our free tool

The Password Manager app can do this as well. However, I have noticed poor entropy in the generated passwords. I have created a Secure Password Generator to solve this flaw. The tool is free and works locally. Simply download the ZIP archive, extract the HTML file, and bookmark it in your browser.

8. Improve the security

At this time, the most secure way to protect a login is to implement WebAuthn. However, the few services implementing it leave a big flaw along the way. In an effort to keep their service appealing to less experienced people, they use a less secure way to recover the account. Unfortunately, the right implementation of WebAuthn can only be achieved in custom software. It is not bulletproof, but this is the best we can have at the moment.
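For the check in step 5, made before anything is erased in step 6, the following added example (not part of the original article or of any password manager) compares the browser export files with a CSV export of the vault and lists every site and user name that is missing or stored with a different password. The column names and all sample rows are assumptions constructed for illustration; check them against the header line of your own files.

```python
import csv
import io
from urllib.parse import urlsplit

# Assumed header names; check the first line of your own export files.
URL_COLS = ("url", "login_uri")
USER_COLS = ("username", "login_username")
PASS_COLS = ("password", "login_password")

# Constructed sample data (not real credentials).
CHROME = "name,url,username,password\nexample.com,https://example.com/login,alice,pw-one\nshop.test,https://shop.test/,alice,pw-two\n"
FIREFOX = '"url","username","password"\n"https://example.com","alice","pw-one"\n"https://forum.test","bob","pw-three"\n'
VAULT = "name,login_uri,login_username,login_password\nExample,https://example.com,alice,pw-one\nShop,http://shop.test/cart,alice,pw-OLD\n"


def _pick(row, names):
    """Return the first non-empty value among the candidate columns."""
    values = ((row.get(n) or "").strip() for n in names)
    return next((v for v in values if v), "")


def _host(url):
    """Reduce a URL to its lower-case host so http/https and paths compare equal."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or url).lower()


def load_credentials(csv_text):
    """Parse one export into a set of (host, username, password) tuples."""
    creds = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        row = {(k or "").strip().lower(): v for k, v in row.items()}
        url, user, pwd = _pick(row, URL_COLS), _pick(row, USER_COLS), _pick(row, PASS_COLS)
        if url and pwd:
            creds.add((_host(url), user, pwd))
    return creds


def missing_from_vault(browser_exports, vault_export):
    """Return browser entries absent from the vault, passwords omitted."""
    vault = load_credentials(vault_export)
    merged = set().union(*(load_credentials(t) for t in browser_exports))
    return sorted({(h, u) for h, u, p in merged - vault})


if __name__ == "__main__":
    for host, user in missing_from_vault([CHROME, FIREFOX], VAULT):
        print(f"NOT in vault (or password differs): {user}@{host}")
```

The vault export used for this comparison is one more plaintext credentials file, so it belongs with the files erased in step 6.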
