Protect: prevent password phishing

Why do I need password protection?

Yandex Browser applies additional password protection against:

  • Phishing. Hackers can create websites that look very similar to real ones. The user thinks that it is a familiar website and enters their password. The hacker then gets the user's password and can use it to steal personal data or money.
  • Identical passwords. Using the same password for several accounts is a serious security threat. By getting the password to one account, an attacker can gain access to all the other accounts that use it.

    For example, if you use the same password for your online bank and for an online store, employees of the online store can get access to your personal bank account without you knowing it.

    It is particularly dangerous to use the same password for HTTPS and HTTP websites. Because passwords sent to HTTP websites are not encrypted in transit, they can be intercepted by hackers, who can then use these passwords on an HTTPS website to steal personal data or money.

How the technology works

When you enter a password on an important website, Yandex Browser uses it to create a fingerprint (hash) and saves it in its database. When you enter passwords on other websites, the browser compares their hashes with the ones in its database. If there is a match, you will see a popup window with a warning, and the icon appears on the right side of the SmartBox.

Enabling protection on a specific page

Yandex Browser protects passwords by default on popular websites like VK or The browser generates a list of important websites, but you can add other pages to it as well (such as those where you make online payments).

To enable protection on a selected page:

  1. In the right part of the SmartBox, click any Protect toolbar icon.
  2. In the window that opens, click More info in the section showing the connection status.
  3. In the Permissions section, enable the Protect passwords option.

Disabling password protection

Attention. We do not recommend doing this, because this will make it easier for hackers to get access to your personal information.

  1. In the right part of the SmartBox, click any Protect toolbar icon.
  2. In the Security settings section, disable the Display a warning about entering important passwords on unfamiliar sites option.

Password hashing in Yandex Browser

Passwords are saved in Yandex Browser as hashes. Since passwords are not stored in clear text, even if hackers steal the password database, they will not get access to your personal information.

Cryptographic hashing transforms a password into a unique character sequence that can easily be used to identify the password, while making it practically impossible to recover the original password from that sequence. For example, the text “hello” after hashing becomes “2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824”.

Yandex Browser uses the OSCrypt algorithm for hashing. This algorithm generates a hash by using the central processor along with multiple read/write operations in memory. Such an approach makes it difficult to crack passwords. For example, a hacker will not be able to use video card acceleration for brute-force attacks. The OSCrypt algorithm is used, for example, in the Litecoin cryptocurrency.

As a result, it will take a malicious user more than 100 years to match a six-character password that includes uppercase letters, lowercase letters, numbers, and special characters.
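
A minimal sketch of the fingerprint-and-compare check from "How the technology works", using the memory-hard scrypt function (the algorithm Litecoin uses) for the fingerprints. This is an added example, not Yandex Browser's code; the function and class names, cost parameters, per-site salt, and sample sites and passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Assumed scrypt cost parameters for this sketch (not Yandex Browser's values).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def origin(url):
    parts = urlsplit(url)
    # Scheme is part of the origin, so http:// and https:// differ.
    return f"{parts.scheme}://{parts.netloc}".lower()

def fingerprint(password, salt):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)

class PasswordGuard:
    """Hypothetical store of salted scrypt fingerprints for protected sites."""

    def __init__(self):
        self._db = {}  # origin -> (salt, fingerprint); no plaintext is kept

    def protect(self, url, password):
        salt = os.urandom(16)  # per-site salt: equal passwords hash differently
        self._db[origin(url)] = (salt, fingerprint(password, salt))

    def check(self, url, password):
        """Return protected origins whose password is typed on another origin."""
        here = origin(url)
        hits = []
        for site, (salt, stored) in self._db.items():
            if site == here:
                continue  # typing a password on its own site is expected
            # One scrypt run per protected site: the cost of salting each entry.
            if hmac.compare_digest(stored, fingerprint(password, salt)):
                hits.append(site)
        return hits

def demo():
    # Constructed sample sites and passwords.
    guard = PasswordGuard()
    guard.protect("https://bank.example/login", "Tr0ub4dor&3")
    guard.protect("https://mail.example/", "correct horse")
    return {
        "same_site": guard.check("https://bank.example/pay", "Tr0ub4dor&3"),
        "lookalike": guard.check("https://bank-example.test/", "Tr0ub4dor&3"),
        "http_site": guard.check("http://bank.example/login", "Tr0ub4dor&3"),
        "unrelated": guard.check("https://shop.example/", "another-secret"),
    }
```

A non-empty result from `check` corresponds to the warning popup: the protected password was typed on a different origin, including the plain-HTTP version of the same host.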