Protect: Password phishing protection

Why do I need password protection?

Yandex.Browser applies additional password protection against:

  • Phishing. Malicious users create websites that are very similar to real sites. The user thinks that it is a familiar website and enters their password. The malicious user gets the password and can use it to steal personal data or money.
  • Identical passwords. This is a serious threat to security. By getting the password to one account, an attacker can gain access to all the user's other accounts.

    For example, if you use the same password for your online bank and for an online store, employees of the online store, unknown to you, can get access to your personal bank account.

    It is particularly dangerous to use the same password for HTTPS and HTTP websites. Because passwords for HTTP websites are not encrypted, they can be intercepted by hackers who can use these passwords on an HTTPS website to steal personal data or money.

The protection process

Once you enter a password on an important website, the browser hashes it and saves the result in its database. When you enter passwords on other websites, the browser compares their hashes with the ones in its database. If there is match, the icon will appear on the right side of  SmartBox to warn you. The browser will ask you to confirm that you want to use the same password on several websites before sending your password to the server.

Enable page protection

Yandex.Browser protects passwords to popular websites such as VK or The browser makes a list of important websites, but you can add other ones as well (such as websites where you make online payments).

To enable protection:

  1. In the right part of the SmartBox, click the Protect toolbar icon.
  2. Click the More info link in the connection status section.
  3. In the Permissions section, enable the Protect passwords option.

Disabling password protection

Attention! This is not recommended, as it will be easier for hackers to access your personal information.
Method 1: Via the Protect pop-up window
  1. In the right part of the SmartBox, click any icon in the Protect toolbar.
  2. In the Security settings section, disable the Warn when entering important passwords (such as for email) on unfamiliar sites option.
Method 2: In the browser settings
  1. Click the icon  Settings.

  2. In the lower part of the Settings page, click the Show advanced settings button.

  3. In the Passwords and forms section, disable the Phishing protection option.
  4. You can also delete all password hashes by clicking Clear data.

Password hashing in Yandex.Browser

Passwords for important sites are saved by Yandex.Browser as hashes. Because passwords are not stored as plain text, hackers will not be able to get access to your personal information even if they steal the password database.

Cryptographic hashing helps transform a password into a unique character sequence that can be easily used for password identification, but make it practically impossible to restore the original password. For example, the string “hello” after hashing can be transformed into the sequence “2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824”.

Yandex.Browser uses the SCrypt algorithm for hashing. This algorithm generates a hash using not only the central processor, but also multiple read/write operations in the memory. This approach makes it difficult to crack passwords. For example, a hacker will not be able to speed up a brute force hacking attempt using a video card processor. The SCrypt algorithm is used, for example, in LiteCoin crypto currency.

It would take a malicious user more than 100 years to match a six-digit password, including uppercase letters, lowercase letters, numbers, and special characters.

saving passwords for websites
managing passwords
forbid saving passwords