Internet users are becoming increasingly savvy when it comes to securing their online accounts. According to a Digital Guardian survey, 70% of web users change their passwords at least once a year, while 65% prioritise convenience over security when it comes to choosing one in the first place. However, no matter how secure your passwords are, the rise of autofill—introduced by Google on its Chrome browser in 2011—may render these measures redundant.
There’s no denying that autofill is an extremely useful feature, especially when people use so many different passwords across all their apps. It comes as a default setting on most smartphones, and not only saves passwords but contact details and even credit card information.
While this is undoubtedly convenient, autofill can also leave devices incredibly vulnerable. This is especially true when compared with independent password manager apps, which do the same job as autofill, but within a separate, password-protected program. Even before autofill was rolled out onto mobile devices, controlled hacking tests pointed out a flaw, which allowed personal details to be stolen via phishing attacks. As far as smartphones go, a study by mobile security specialists Wandera showed that users are 18 times more likely to be phished than they are to download malware, making it arguably the most prominent threat to mobile devices.
So, as devices provide their own in-built forms of password management, is it worth turning the feature on at all?
The benefits of autofill
Let’s get this out of the way early: despite the security risks, there’s no getting around the fact that autofill is convenient. It’s undeniably handy to have all of your passwords and contact details already filled out whenever you need to complete a lengthy online form. This also reduces the risk of making mistakes, and cuts your chances of having to prove your identity, or change your password because you’ve forgotten it.
Most platforms with autofill allow you to manage the details you have saved, which means you don’t need to share anything you’re not comfortable with. Thanks to 2018’s GDPR regulations, your data will only be saved if you allow it. Similarly, any fear about including your credit card details on autofill can be easily put to rest as your browser will never save your CVV number—the three digits on the back of your card. This prevents any unauthorised transactions from taking place.
The cons of autofill
All this being said, not all platforms’ autofills are created equal. It took until the September 2018 release of iOS 12, for example, for Apple to integrate its apps with any external password managers. Users were previously reliant on in-browser autofill. As noted above, password managers can make your login credentials and personal details less vulnerable to third-party hacking.
Furthermore, research from Princeton University in 2017 showed that browser autofill functionality can easily be exploited by web trackers, using a small script on a page to steal email address hashes to send on to other servers. These hashes, as the study notes, “can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps”, allowing your web presence to be pieced together through just a single point of information.
On a more practical level, if your phone is stolen, not using a recommended password manager to store all of your personal details can leave your device even more vulnerable in the wrong hands. While a password manager often relies on two-factor authentication to allow users access to their passwords, once the thief has access to a device, autofill will simply provide them with more than just the device itself.
