You can’t turn a corner online without a password manager in your browser jumping into the fray. Browsers have been offering password management for years, and the backbone built more than a decade ago has grown into a security system that goes across your devices and unlocks all of your accounts with few hurdles.
Browser password managers aren’t perfect, though. Despite the fact that you can improve your online security with a browser password manager, there are still some glaring vulnerabilities to using one.
Related
5 reasons I use Proton Pass to manage passwords and so should you
I was tired of data breaches with my password manager, so I decided to switch to Proton Pass.
The good: Browser password managers make security a routine
Using your browser is still better than a sticky note
Before throwing the baby out with the bathwater, there’s something very important to keep in mind. Some security is better than no security at all. If you or someone you know is writing passwords down on a sticky note, or even worse, reusing the same weak password across all of their accounts, storing unique passwords in your browser is far superior. There are issues with browser password managers that I’ll get to throughout this article, but if the convenience encourages you to use long, random, and unique passwords across your online accounts, that’s better for your online security.
Browser password managers have gotten better over the past several years, too, both in terms of security and usability. For security, Google has continued to push Multi-Factor Authentication (MFA) for your Google account, so if you’re using Chrome, you’ll need your password along with either a verification app, a backup code, or most commonly, a push notification on a trusted device, to unlock your account. There’s also the proliferation of passkeys digitally for passwordless authentication on trusted devices, as well as tried-and-true hardware security keys.
Related
The 5 best YubiKey alternatives to secure your digital life
Looking for a hardware key to secure your online presence? Look no further than these great options for YubiKey alternatives
On the usability front, you can now store far more information in your browser than you previously could. Although I’m focused on passwords here, the account-based nature of a browser password manager means you have access to things like credit card details in your browser as well.
The most important thing about a browser password manager, however, is that it’s in your face. You’re encouraged to use different passwords for all your accounts and store them in an encrypted database. There are problems with that database, as well as tying all of this information to one account. But that’s better than nothing.
The bad: Your passwords are only as safe as your browser (and your account)
Ease of use also means ease of access
It’s really important to remember that anything you can access in your browser, someone else can too. That’s the guiding principle to keep in mind when looking at the security of password managers built into your browser. If someone can access your browser or the account that you use in your browser for saving and generating passwords, they can open up everything.
Here’s a hypothetical to give you an idea of what can go wrong with a browser password manager. If you’re using something like Chrome, everything is tied to your Google account; your history, passwords, cookies, account settings, and so much more. That’s great for convenience because you can install Chrome on a new device, log into your account, and have all your data at the ready in no more than a minute. If someone else can access your login details, however, they can go through the exact same process.
You can easily have all your passwords exposed if you’re not on top of your account security. Maybe you created a Gmail account ages ago that’s now become your main Google account, and maybe you used a simple password that you used across accounts because it was easy to remember. Maybe you ignored the constant calls to enable MFA on your account, and maybe you stay signed in at all times. Seems like a lot of stipulations, but this isn’t a crazy thing to imagine considering passwords like “123456” and “password” consistently surface as the most widely-used passwords in data breaches.
Related
Apple customers are being targeted by “MFA Bombing” password reset attack
A new report has highlighted recent MFA Bombing attacks against Apple customers, where the attacker also spoofs the company’s support line.
All it takes is for one forgotten account with a reused password to be compromised in a breach, and suddenly, all of those passwords stored in your browser are fair game. It’s a single point of failure, and one that, unfortunately, doesn’t always get the attention it deserves. If you’re storing passwords in your browser, you had better use a long, unique password for your account and MFA. It’s the master key that holds all the others.
That’s the security perspective, but there are also some usability issues with a browser password manager. You can’t store certain types of sensitive materials like secure notes, and sharing your passwords securely is a non-option. Many third-party password managers also include account alerts that will notify you when an account is compromised, so you can update your passwords accordingly.
The ugly: Browser password managers are much less secure than they seem
Yes, your browser stores your (encrypted) passwords locally
You might’ve heard that browser password managers store your passwords locally on your device, and that’s true. If you have Chrome installed, you can access this file through Windows easily. Head to Users/[username]/AppData/Local/Google/Chrome/User Data/Default and scroll down to the Login Data file. This is a SQLite database, and it contains your login data, just like the file suggests. If you go up a level back to the User Data folder, you can find a Local State file, as well, which includes the encryption key.
With these two files, a couple of dependencies, and a freely-available Python script, you can see all the passwords stored in Chrome within a few minutes. It’s shockingly easy to do, and if you’ve been storing passwords in your browser for a while, I suggest taking a few minutes to go through the process. It’ll quickly show just how insecure your passwords are. If you would rather watch a demonstration, you can see popular security YouTuber John Hammond go through the process in the video below.
I’m using Chrome as an example here because it’s the most popular browser in the world, but there are popular open-source projects that easily extract and decrypt data from your browser. HackBrowserData is one such project that has been around for a few years, and it can extract passwords, credit cards, history, and basically anything else stored in your browser. And it works on everything from Chrome and Microsoft Edge to Opera and Brave to even more niche browsers like Yandex and Vivaldi.
When you store your passwords in your browser, they’re encrypted, and that encryption is strong. But when everything you need to decrypt your passwords is stored locally, it undermines your security in the first place.
The problem with this system is that there’s no additional authentication required. If you have access to the files and knowhow, you have access to the passwords. Third-party password managers make you jump through more hoops. For instance, 1Password uses a master password along with a secret key. The secret key authenticates your device, and it’s stored locally. However, you still can’t access your account without your master password, which isn’t stored locally. Your vault is secured with your secret key, which is encrypted with your master password. Rather than match the master password, 1Password will derive a key from whatever password you enter, try to decrypt the secret key, and then attempt to decrypt your vault. If the decryption works, the master password is correct, and if it fails, the master password was incorrect. It’s never stored anywhere.
Spreading out the necessary elements for decryption means that your data is inherently more secure. Unlike a browser password manager, where local access and a few minutes is all you need to unlock the floodgates, a tool like 1Password will remain locked until you enter your master password, which isn’t stored locally (or anywhere for that matter). I’m touching on 1Password here because it’s what I personally use, but there are a ton of other great password managers around like Bitwarden, as well as password managers you can self-host like KeePass and PassBolt.
There are levels to it
Browser password managers aren’t inherently bad, but the convenience afforded by modern browsers also exposes your data to certain vulnerabilities. You can keep yourself safe when using a browser password manager with some simple security practices between enabling MFA on your browser account and locking down local access to your PC. But if you want the best security, and you don’t mind jumping through some hoops to achieve it, using a third-party password manager is your best option.
