Discussion in 'other software & services' started by JRViejo, Jul 7, 2020.
Is it OK to use your browser’s built-in password manager? by Ed Bott
The thing that the article forgets to mention is that malware often targets the password file stored on disk or registry. That's why most experts have often recommended not to save passwords in the browser. But I'm not sure how third party password managers deal with this issue. I assume as long as passwords are encrypted, you should be safe. And don't forget to use 2FA as extra account protection of course.
yes. the keyword is encryption here. and most pwm's let you save your pw's in the cloud.
I know I'm going to cop a lot of heat for this - BUT - we all know how safe the cloud is.
Best to get yourself a well-known, respected password manager; it may take a little time getting used to / setting up.
But in the long run, you'll be glad you did.
Not only for security but for convenience purposes as well.
I would not trust it, never did. I prefer password managers myself. My choice is Bitwarden.
for my money, (encrypted cloud storage is) no less safe than local storage.
Wow. Didn't expect this coming in from left field. I didn't mention anywhere that I don't use a pwm.
My post was not directed at you.
It was my opinion on the topic of this post.
Well, it's possible to protect yourself against malware trying to grab browser passwords from disk or memory. You could use a tool like HMPA that protects against credential theft and another method is to use a tool like Secure Folders that is able to protect against non-trusted apps getting access to the browser profile folder. I'm still searching for a good third party browser manager, but so far the browser itself is doing the best job.
Works on this end like a charm. Very few abandoned projects are as stable, simple, and reasonably safe as Secure Folders is proven to be over these many seasons on end without fail.
"Is it OK to use your browser's password manager?" Yes, for me it is. I have a thing about putting all eggs in one basket viz a third party manager. I've been using the browser's manager since whenever and my browsers are rigorously updated and maintained.
I follow Tavis Ormandy on Twitter and he used to recommend LastPass. Now he has a different view. I posted this on Malwaretips a while ago; might as well re-post--for another perspective.
Password Managers. (cmpxchg8b.com)
using Firefox and Sync, but I don't let the browser (any) save really important passwords (bank, PayPal, eBay and similar). It's a matter of trust; LastPass was hacked in 2015, and so were Adobe, the Malwarebytes forum and a few forums which are lost in time and space in the past 10 years (means: gone).
That link in plat1098's post #12 (Thanks!) is an excellent read as is:
Firefox uses the 3DES-CBC encrypted NSS key database, key4.db, and along with the certificate database, cert9.db, handles logins.json where data is stored, as in:
I don't use address or credit card auto-fill but I assume and hope that auto-fill-profiles.json would be similarly encrypted.
I use a 10 character master password for about 30 account logins, which is way more than sufficient for media/content sites, social cesspools, some paywalls, forums... Longer passwords would seriously up the ante.
Note: Mozilla's unfortunate and IMHO undeserved bad rep is largely based on the previous, now obsolete, key3.db, signons.sqlite and cert8.db.
I don't need to sync devices, but
details Lockwise security:
Whether or not one can trust Mozilla to manage this class of product is a matter of opinion. And needs.
For financials, insurance, commerce, IRS and SSA, ordering pizza, I use KeePassXC with 24 and 32 character passwords. This is also where I store account data for Roku apps and other stuff like the combination for my safe, alarm system codes and so on. There can be more to a password manager than passwords.
Thanks, interesting link. And yes, I'm also a bit skeptical about third party password managers even though they might be quite handy. Nowadays most browsers also have a sync function so that you can sync passwords between devices, which is of course also a risk, and you have to fully trust the browser itself. Like I said, it's most important to protect the password file on disk and memory and this can be done via the security tools that I mentioned.
Edge has recently introduced the possibility to use the device password on autofill, so you can use Windows Hello for additional protection.
I was considering Edge's PM, but unfortunately it lacks a serious password generator, I do not consider 12 characters quite enough, normally I use up to 128, only the sky is the limit.
This looks pretty cool, other browsers should also offer this.