Clicking 'save password' and the security risks you need to know

Password memory technology has changed the way people log in. It makes everything faster. But do you understand how password memory systems work? And who really has your login data?

Too many passwords, 'ask' the computer to remember them!

It's no coincidence that the password saving feature is integrated by default in most browsers and applications today.

A survey by NordPass (a service specializing in online password management) published in 2024 showed that the average user owns about 255 accounts that require passwords, of which 168 are personal accounts and 87 are work-related accounts.

Meanwhile, statistics from Google and security organization Enzoic show that up to 65% of users regularly reuse passwords for many different platforms. This number shows that remembering all passwords is almost impossible in today's digital life.

That's why the ability to automatically save and fill in passwords is becoming a popular solution. With just a few initial setup steps, users can quickly log in to multiple accounts without having to re-enter complex character strings each time they use them.

However, if the device is hacked, all data can be exposed in seconds.

According to Tuoi Tre's research, in Avast's Q1-2023 report, malware that specializes in stealing login information is on the rise, with the number of browser attacks increasing by 40% compared to the same period last year. These software can extract autofill data such as login names, passwords, and cookies from computers or phones.

In addition, security firm Kaspersky also warned about a type of malware called PSW, short for Password Stealing Ware. This is a trojan that specializes in collecting passwords and login information from popular browsers, then sending it to the attacker's control server.

In Vietnam, the National Cyber ​​Security Monitoring Center has recorded many cases of users having their accounts hijacked because they did not set a password for their devices, allowing strangers to directly access the entire saved password repository.

What's behind the 'Save Password' button?

Every time you log into an account and select “Save Password,” that information doesn’t disappear, it’s stored in a separate vault called a password manager. On most phones, computers, and browsers today, this password vault is typically built into the user’s Google or Apple account.

Basically, Google Password Manager and iCloud Keychain are two popular systems that help users remember and automatically fill in login information. After you save your password, the data will be synchronized to your Google or Apple account. When you reuse that account on another device, all your passwords will be available after just a few login steps. Thanks to this, users no longer have to remember each complex string of characters, and can save a lot of time when accessing familiar services.

However, having all your passwords tied to one master account also creates a potential vulnerability. If your Google or Apple account is compromised, someone else could potentially access your entire password vault.

While both platforms use encryption and support layers of protection like two-step verification, the nature of the system is still cloud-based storage controlled by the provider. In the event that a user forgets their login credentials, Google and Apple both have recovery mechanisms, meaning they have the ability to decrypt and re-grant access if they qualify for verification.

Choosing to save passwords with your Google or Apple account isn’t a bad thing. It’s convenient, especially for those who aren’t tech-savvy. But this convenience is only safe if you protect your primary account with strong passwords, two-step verification, and other precautions. Because losing control of your central account can open up your entire digital ecosystem.

How to protect your digital key

There is no such thing as a foolproof method in the digital world , but you can reduce your risk by proactively protecting your personal accounts. The first and easiest thing to do is enable two-factor authentication for important accounts. This is an extra layer of protection, requiring users to provide a verification code in addition to their password. Even if someone gets their hands on your password, they won't be able to easily log in without this second code.

In addition, instead of leaving passwords scattered throughout the browser, users should consider using specialized management software such as Bitwarden, 1Password or KeePass. These tools are not tied to any operating system or service account, giving you better control over your login information.

Some services also support generating random, stronger, harder-to-guess passwords and storing them with end-to-end encryption.

You can also check for yourself if your account has been breached by visiting the website “Have I Been Pwned.” It’s a free tool that lets you enter your email address and see if it’s been included in any known data breaches. If it has, it’s a sign you should change your password immediately.

Finally, a simple but extremely effective habit is to avoid using the same password across multiple services. If just one of them is compromised, all of your other accounts are at risk.

In an age where everyone has dozens of online accounts, it’s worth taking the time to set up a proper security system. Just like in real life, keeping your keys in a safe place is never something to be taken lightly.