Protect: prevent password phishing
Why do I need password protection?
- Phishing. Malicious users create websites that are very similar to real sites. The user thinks that it is a familiar website and enters their password. The hacker then gets the user’s password and can use it to steal personal data or money.
- Identical passwords. This is a serious threat to security. By getting the password to one account, an attacker can gain access to all the other accounts.
For example, if you use the same password for your online bank and for an online store, employees of the online store can get access to your personal bank account without you knowing it.
It is particularly dangerous to use the same password for HTTPS and HTTP websites. Because passwords for HTTP websites are not encrypted, they can be intercepted by hackers who can use these passwords on an HTTPS website to steal personal data or money.
How the technology works
After you enter your password on an important website, Yandex.Browser creates a fingerprint (hash) for it and saves it in its database. When you enter passwords on other websites, the browser compares their hashes with the ones in its database. If there is a match, the icon will appear on the right side of the SmartBox to warn you. The browser will ask you to confirm that you want to use the same password on several websites before sending your password to the server.
Enable page protection
Yandex.Browser protects passwords by default on popular websites like VK or Mail.ru. The browser generates a list of important websites, but you can expand it by adding pages you need (for example, online payment pages).
To enable protection on a selected page:
Disabling password protection
- In the right part of SmartBox, click any Protect toolbar icon.
- In the Security settings section, disable the Warn when entering important passwords (such as for email) on unfamiliar sites option.
- In the lower half of the Settings page, click Show advanced settings.
- In the Passwords and forms section, disable the Phishing protection option.
- You can also delete all password hashes. To do this, click Clear data.
Password hashing in Yandex.Browser
Yandex.Browser stores passwords for important websites as hashes. Since passwords are not stored in clear text, even if hackers steal the password database, they will not get access to your personal information.
Cryptographic hashing transforms a password into a unique character sequence that can easily be used to identify the password, but from which it is practically impossible to restore the original password. For example, the text “hello” after hashing becomes “2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824”.
Yandex.Browser uses the SCrypt algorithm for hashing. This algorithm generates a hash using not only the central processor, but also multiple read/write operations in memory. This approach makes it difficult to crack passwords. For example, a hacker will not be able to use video card acceleration for brute-force attacks. The SCrypt algorithm is also used, for example, in the Litecoin cryptocurrency.
As a result, it will take a malicious user more than 100 years to match a six-character password that includes uppercase letters, lowercase letters, numbers, and special characters.
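The comparison described under "How the technology works", combined with the SCrypt hashing described above, as an added example (this is not Yandex.Browser's code). The class name, the cost parameters, the single per-profile salt and the host-based matching are assumptions; the page does not give the browser's actual values.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Assumed scrypt cost parameters; the page does not state the browser's values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


class ReuseDetector:
    """Keeps scrypt fingerprints (never plaintext) of passwords for protected sites."""

    def __init__(self, salt=None):
        # Assumption: one random salt per browser profile, so a typed password
        # can be checked against every stored fingerprint with one scrypt call.
        self.salt = salt or os.urandom(16)
        self.fingerprints = {}  # protected host -> 32-byte scrypt hash

    def _fingerprint(self, password):
        return hashlib.scrypt(password.encode("utf-8"), salt=self.salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                              maxmem=64 * 1024 * 1024, dklen=32)

    @staticmethod
    def _host(url):
        return (urlsplit(url).hostname or "").lower()

    def protect(self, url, password):
        """Record the fingerprint of a password entered on an important site."""
        self.fingerprints[self._host(url)] = self._fingerprint(password)

    def check(self, url, password):
        """Return protected hosts whose password is being typed on a different host."""
        host = self._host(url)
        candidate = self._fingerprint(password)
        # Constant-time comparison avoids leaking how many bytes matched.
        return sorted(h for h, fp in self.fingerprints.items()
                      if h != host and hmac.compare_digest(fp, candidate))

    def clear(self):
        """Counterpart of the "Clear data" step: drop every stored hash."""
        self.fingerprints.clear()


if __name__ == "__main__":
    detector = ReuseDetector()
    # Constructed sample data: reserved .example hosts and a made-up password.
    detector.protect("https://mail.example/login", "correct horse 42")
    reused = detector.check("http://mai1.example/signin", "correct horse 42")
    if reused:
        print("Warn before submitting: password already used on", reused)
```

Because the check runs before the form is submitted, a warning can be raised without the password ever reaching the unfamiliar server.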