Why Saved Browser Passwords Put Client Data at Risk
Practice staff save HMRC, IRIS and Microsoft 365 logins in Chrome and Edge. Here is why that convenience puts client data at risk, and what to do instead.
- Security
- Passwords
Think about how many logins a single member of your practice juggles before lunch. The HMRC agent services account. IRIS or CCH. The bank. Microsoft 365 and email. A couple of client portals. It is no wonder that, somewhere along the way, almost everyone clicks the little box that says “save password” and lets Chrome or Edge remember it.
It saves a few seconds every time. It also quietly stacks the keys to your most sensitive client data in one place that was never built to guard them.
Why the browser remembers, and why that is the problem
When you let a browser save a login, it stores that password on the device and offers to fill it in next time. For everyday convenience it works beautifully. The trouble is what that convenience looks like from an attacker’s point of view.
There is a category of malware whose entire job is to steal exactly this. It is usually called an infostealer, and it does not need to break into HMRC or your bank. It only needs to get onto one staff laptop, often through a dodgy download, a fake software update, or a malicious attachment. Once it is there, it goes straight for the browser and harvests everything saved inside: passwords, the session cookies that keep you logged in, card autofill details, and more.
It does this in seconds, and the person at the keyboard usually has no idea it has happened.
”But the browser encrypts my passwords”
This is the part that catches most people out, and it is a fair question to ask. Browsers do encrypt saved passwords on the device. So why are they still at risk?
Because the browser has to be able to unlock those passwords to fill them in for you. At the moment it does that, during normal everyday use, the key needed to decrypt them appears in the computer’s memory. Infostealer malware is built to wait for precisely that moment and read the key, so it can unscramble the lot. Some of these tools attach to the browser almost like a diagnostic tool and lift the key without needing any special administrator permissions.
In other words, the encryption protects your passwords while they sit still, but not at the moment they are actually used. Browser password storage was never designed to be a practice’s main line of defence, and on its own it is not enough for the data accountants hold.
Why this matters more for an accountancy practice
For most businesses a stolen browser login is a bad day. For a practice it can be a regulatory and reputational event, because of what those particular credentials unlock.
- The HMRC agent services login does not just expose one client. It reaches across your whole client base.
- IRIS, CCH and similar portals hold tax, accounts and personal financial detail for every firm you act for.
- Microsoft 365 and email are the master key. Get into the mailbox and an attacker can reset other passwords, read sensitive correspondence, and pose as a partner to redirect a client payment.
- Banking and client money logins speak for themselves.
There is a second sting. Stolen credentials are rarely used once and forgotten. They are often sold on quickly, so a single infected laptop in May can lead to an unrelated attacker walking into your systems months later, perhaps right in the middle of the January self-assessment peak. This is the kind of exposure we look for in a cyber security review, because it is invisible until it is not.
What a dedicated password manager does differently
A proper password manager, such as Bitwarden or 1Password, is built around a different idea from the start. Its whole architecture is designed to keep your passwords sealed, so it is not vulnerable to the browser memory trick described above in the same way.
In plain terms, here is what a practice gets from one.
- A single, separate vault protected by one strong master password and its own multi-factor step, rather than passwords scattered through each person’s browser.
- Strong, unique passwords for everything, generated automatically, so a breach at one supplier cannot be reused against your HMRC or banking logins.
- Safe, auditable sharing of the logins a team genuinely needs in common, instead of a password taped inside a drawer or sent over email.
- A clean exit when someone leaves, because you can see what they had access to and change it in one place.
It still autofills, so day to day it feels just as quick as the browser did. The difference is where the passwords live and how well they are guarded.
The other half of the answer: MFA
Even the best password storage assumes a password might one day get out. That is why a password manager and multi-factor authentication belong together.
With MFA switched on, logging in needs two things: the password, and a second proof such as an approved tap on a phone app. So if a credential is ever stolen, whether from a browser, a phishing email or a supplier breach, it is far less useful on its own. The attacker has half of what they need and no easy way to get the rest.
Switch MFA on first for the accounts that would hurt most: Microsoft 365, email, your banking, and any portal that touches client data. It is one of the highest-value security steps a practice can take, which is why we treat it as standard on the systems we look after through managed IT support.
How a practice actually rolls this out
It is far less disruptive than people fear. A sensible order looks like this.
- List the logins that matter. Note which sit in browsers today, starting with HMRC, your practice software, Microsoft 365 and banking.
- Choose one password manager for the whole practice, so everyone is in the same system rather than half a dozen personal habits.
- Move the high-risk logins first. Import them, replace any weak or repeated passwords, then turn off saving in the browser so it stops collecting new ones.
- Switch on MFA for every account that supports it, most importantly Microsoft 365 and email.
- Brief the team once. A short walk-through is usually all it takes, because autofill makes daily use familiar.
If you are also looking at the longer-term future of logins, our guide on passkeys versus passwords is a natural next read, since a password manager is the bridge that gets you there safely.
The short version
Saving passwords in the browser feels harmless, and for years it was treated as good enough. Against today’s infostealer malware it is not, and the credentials most exposed in a practice are the very ones that unlock client data across every firm you act for.
The fix is reassuringly ordinary. Move your logins into a dedicated password manager, put MFA on everything that matters, and stop leaving the keys where the malware knows to look. If you would like a clear, jargon-free picture of where your practice stands, book a free Practice IT Health Check and we will walk through it with you.
Frequently asked questions
Is it safe for our staff to let Chrome or Edge remember the HMRC agent services login?
It is convenient, but it is riskier than it feels. If infostealer malware lands on that laptop it can lift saved browser passwords in seconds, and the HMRC agent login is one of the most sensitive credentials in a practice because it touches every client. A dedicated password manager plus multi-factor authentication is a much safer home for it.
We already have strong, different passwords. Does the browser vault not protect them?
Strong, unique passwords are exactly right, and worth keeping. The issue is where they live. The browser vault was never meant to be a practice's main line of defence, and the way it has to unlock passwords during normal use leaves them exposed to this kind of malware. Moving them into a password manager keeps the good passwords and removes the weak storage.
If a password gets stolen anyway, what actually stops a break-in to our client data?
Multi-factor authentication. With MFA switched on for Microsoft 365, email and your portals, a stolen password on its own is not enough to log in. The attacker would also need the second step from a trusted device, which they do not have. It is the single most effective backstop for a practice.
How long does it take to roll a password manager out across a small practice?
For a typical North Wales practice of three to twenty-five staff it is usually a short project, not a disruptive one. Most of the time goes on tidying up which logins exist and switching on MFA, rather than the software itself. A free Practice IT Health Check will tell you where you stand before you commit to anything.
Want this checked for your own practice?
Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.
Book your free Health Check