Is it OK to use your browser’s built-in password manager?

Discussion in 'other software & services' started by JRViejo, Jul 7, 2020.

  1. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,427
    Location:
    U.S.A.
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    The thing that the article forgets to mention is that malware often targets the password file stored on disk or registry. That's why most experts have often recommended not to save passwords in the browser. But I'm not sure how third party password managers deal with this issue. I assume as long as passwords are encrypted, you should be safe. And don't forget to use 2FA as extra account protection of course.
     
  3. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    yes. the keyword is encryption here. and most pwm's let you save your pw's in the cloud.
     
  4. longshots

    longshots Registered Member

    Joined:
    Oct 20, 2017
    Posts:
    533
    Location:
    Australia
    I know I'm going to cop a lot of heat for this - BUT - we all know how safe the cloud is.
     
  5. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,782
    Best to get yourself a well-known, respected password manager, may take a little time getting used to / setting up.
    But in the long run, you'll be glad you did.
    Not only for security but for convenience purposes as well.
     
  6. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    I would not trust it, never did. I prefer password managers myself. My choice is Bitwarden.
     
  7. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    for my money, (encrypted cloud storage is) no less safe than local storage.
     
  8. longshots

    longshots Registered Member

    Joined:
    Oct 20, 2017
    Posts:
    533
    Location:
    Australia
    Wow. Didn't expect this coming in from left field. I didn't mention anywhere that I don't use a pwm.
     
  9. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,782
    My post was not directed at you.
    It was my opinion on the topic of this post.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, it's possible to protect yourself against malware trying to grab browser passwords from disk or memory. You could use a tool like HMPA that protects against credential theft and another method is to use a tool like Secure Folders that is able to protect against non-trusted apps getting access to the browser profile folder. I'm still searching for a good third party browser manager, but so far the browser itself is doing the best job.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Works on this end like a charm. Very few abandoned projects are as stable, simple, and reasonably safe as Secure Folders is proven to be over these many seasons on end without fail.
     
  12. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    "Is it OK to use your browser's password manager?" Yes, for me it is. I have a thing about putting all eggs in one basket viz a third party manager. I've been using the browser's manager since whenever and my browsers are rigorously updated and maintained.

    I follow Tavis Ormandy on Twitter and he used to recommend LastPass. Now he has a different view. I posted this on Malwaretips a while ago; might as well re-post--for another perspective.

    Password Managers. (cmpxchg8b.com)
     
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    using firefox and sync, but i don't let browser (any) save really important passwords (bank, paypal, ebay and similar). it's a matter of trust, lastpass has been hacked in 2015, so adobe, malwarebytes forum and some few forums which are lost in time and space in the past 10 years (means: gone).
     
  14. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    That link in plat1098's post #12 (Thanks!) is an excellent read as is:
    https://courses.csail.mit.edu/6.857/2020/projects/6-Vadari-Maccow-Lin-Baral.pdf

    Firefox uses the 3DES-CBC encrypted NSS key database, key4.db, and along with the certificate database, cert9.db, handles logins.json where data is stored, as in:
    Code:
    "https://whuteva.sumthin.com","usernameField": "identifier","passwordField":"password",
    "encryptedUsername":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECISqFPaQbd/6BBBvBR6ZORuk9kASm3qhatQ4",
    "encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD6YTq8wDABgBBBANlr9x3+tbo+K3wy8bPgY"
    I don't use address or credit card auto-fill but I assume and hope that auto-fill-profiles.json would be similarly encrypted.

    I use a 10 character master password for about 30 account logins, which is way more than sufficient for media/content sites, social cesspools, some paywalls, forums... Longer passwords would seriously up the ante.

    Note: Mozilla's unfortunate and IMHO undeserved bad rep is largely based on the previous, now obsolete, key3.db, signons.sqlite and cert8.db.

    I don't need to sync devices, but
    https://blog.mozilla.org/en/products/firefox/password-security-features/
    details Lockwise security:
    Whether or not one can trust Mozilla to manage this class of product is a matter of opinion. And needs.

    For financials, insurance, commerce, IRS and SSA, ordering pizza, I use KeePassXC with 24 and 32 character passwords. This is also where I store account data for Roku apps and other stuff like the combination for my safe, alarm system codes and so on. There can be more to a password manager than passwords.

    Cheers.
     
    Last edited: Sep 4, 2021
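
Added example, not part of Surt's post and not Mozilla's code: the encryptedUsername value quoted in post #14 is a base64-encoded ASN.1 DER structure, and this parser reads it (without decrypting anything) to confirm from the embedded algorithm OID that the field is 3DES-CBC, as the post says. The function names are hypothetical.

```python
import base64

# encryptedUsername as quoted in the post (the 19 "A"s encode the key ID's zero bytes).
ENCRYPTED_USERNAME = ("MDoEEPg" + "A" * 19 +
                      "EwFAYIKoZIhvcNAwcECISqFPaQbd/6BBBvBR6ZORuk9kASm3qhatQ4")

OID_NAMES = {"1.2.840.113549.3.7": "des-ede3-cbc"}  # anything else: "unknown"

def read_tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return buf[pos:pos + length], pos + length

def decode_oid(data):
    """Convert DER OID content bytes to dotted-decimal form."""
    first = min(data[0] // 40, 2)
    arcs, value = [first, data[0] - 40 * first], 0
    for byte in data[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def describe_field(b64_value):
    """Report structure and cipher of one encrypted field; never decrypts."""
    der = base64.b64decode(b64_value, validate=True)
    outer, end = read_tlv(der, 0, 0x30)    # SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after DER structure")
    key_id, pos = read_tlv(outer, 0, 0x04)       # OCTET STRING: key ID
    alg, pos = read_tlv(outer, pos, 0x30)        # SEQUENCE: algorithm + IV
    ciphertext, _ = read_tlv(outer, pos, 0x04)   # OCTET STRING: ciphertext
    oid_bytes, apos = read_tlv(alg, 0, 0x06)     # OBJECT IDENTIFIER
    iv, _ = read_tlv(alg, apos, 0x04)            # OCTET STRING: IV
    oid = decode_oid(oid_bytes)
    return {"key_id": key_id.hex(), "oid": oid, "iv_len": len(iv),
            "cipher": OID_NAMES.get(oid, "unknown"), "ct_len": len(ciphertext)}

if __name__ == "__main__":
    print(describe_field(ENCRYPTED_USERNAME))
```

Running `describe_field` over the encrypted fields in your own logins.json shows which cipher your profile's entries use.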
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks, interesting link. And yes, I'm also a bit skeptical about third party password managers even though they might be quite handy. Nowadays most browsers also have a sync function so that you can sync passwords between devices which is of course also a risk and you have to fully trust the browser itself. Like I said it's most important to protect the password file on disk and memory and this can be done via the security tools that I mentioned.
     
  16. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This looks pretty cool, other browsers should also offer this.
     