Passwords

When are passwords saved?

When you enter your password for the first time on a website, Yandex.Browser offers to save it for you. When you visit this site in the future, your saved password will be entered for you automatically.

How can I turn the option to save passwords on or off?

Note. By default, passwords are saved in the browser.

If you don’t want Yandex.Browser to save passwords:

  1. Click   → Settings.
  2. At the bottom of the Settings page, click Show advanced settings.
  3. In the Passwords and forms section, disable the Offer to saved website passwords option.

To start saving passwords again, re-enable the Offer to save your web passwords option.

Websites for which passwords may or may not be saved

To view the list of websites for which you have allowed or not allowed passwords to be saved:

  1. Click   → Settings.
  2. At the bottom of the Settings page, click Show advanced settings.
  3. In the Passwords and forms section, click Manage passwords.

The Passwords window in the section Sites without saved passwords will list sites where you are not allowed to save passwords, while the section Sites with saved passwords will show a list of sites with passwords saved in Yandex.Browser.

To delete a password from the list:

  1. Click in the line with the corresponding site address.
  2. Click Done.

If you forgot the password

If you forgot a password that is saved in Yandex.Browser, you can view it in the settings:

  1. Click   → Settings.
  2. At the bottom of the Settings page, click Show advanced settings.
  3. In the Passwords and forms section, click Manage passwords.
  4. In the Saved passwords section, click the line with the desired website.
  5. In the box with the password, click Show.
  6. Enter the password from your account on the computer in the dialog box that opens and click OK.

    The box will display the password from the website.

To make the password hidden again, click Hide in the box with the password.

Password phishing protection

Yandex.Browser applies additional password protection against:

  • Phishing. Malicious users create websites that are very similar to real sites. The user thinks that it is a familiar website and enters their password. The hacker then gets the user's password and can use it to steal personal data or money.
  • Identical passwords. This is a serious threat to security. By getting the password to one account, an attacker can gain access to all the other accounts.

    For example, if you use the same password for your online bank and for an online store, employees of the online store can get access to your personal bank account without you knowing it.

    It is particularly dangerous to use the same password for HTTPS and HTTP websites. Because passwords for HTTP websites are not encrypted, they can be intercepted by hackers who can use these passwords on an HTTPS website to steal personal data or money.

How this protection works

When you enter a password on an important website, Yandex.Browser uses it to create a fingerprint (hash) and saves it in its database. When you enter passwords on other websites, the browser compares their hashes with the ones in its database. If there is match, the icon will appear on the right side of SmartBox and you will see a popup window with a warning.

Adding a website to secured sites

Yandex.Browser protects passwords by default on popular websites like VK or Mail.ru. The browser generates a list of important websites, but you can add other pages to it as well (such as those where you make online payments).

To enable protection on a selected page:

  1. In the right part of SmartBox, click any Protect toolbar icon.
  2. Click the More info link in the section where connection status displays in the window that appears.
  3. In the Permissions section, enable the Protect passwords option.
Disable protection
Attention. We do not recommend doing this, because this will make it easier for hackers to get access to your personal information.
  1. In the right part of SmartBox, click any Protect toolbar icon.
  2. In the Security settings section, disable the Display a warning about entering important passwords on unfamiliar sites option.

Password hashing in Yandex.Browser

Passwords are saved in Yandex.Browser as hashes. Since passwords are not stored in clear text, even if hackers steal the password database, they will not get access to your personal information.

Cryptographic hashing helps transform a password into a unique character sequence that can be easily used for password identification, but it is practically impossible to restore an original password using it. For example, the text “hello” after hashing becomes “2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824”.

Yandex.Browser uses the OSCrypt algorithm for hashing. This algorithm generates a hash using not only the central processor, but also multiple read/write operations in the memory. Such an approach makes it difficult to crack passwords. For example, a hacker will not be able to use video card acceleration for brute force hacking. The OSCrypt algorithm is used, for example, in LiteCoin crypto currency.

As a result, it will take a malicious user more than 100 years to match a six-digit password, including uppercase letters, lowercase letters, numbers, and special characters.

Error message “You have changed your password but your information is still encrypted with your old password”

Passwords are saved in encrypted form on Yandex's server. For encryption, the password to your Yandex account is used as a key. If you change that password, the browser needs to decrypt the passwords on the server and then re-encrypt them using a new key. If an error occurs during this process, you will see the error. To fix it:

  • If you remember your old account password:
    1. Click   → Syncing.
    2. Enter your old password in the sync form.
  • If you don't remember your old account password or didn't change it, then the encrypted passwords will be lost. However, you can restore the remaining sync data:
    1. Make sure that the browser has all the bookmarks, extensions, and settings that you want to save.
    2. Click   → Settings.
    3. In the Syncing section, click Show settings.
    4. Click delete under Syncing. Your profile data will be deleted on the server.
    5. Enable syncing. Data will be sent from your browser to the server.