At Malwarebytes we’ve been telling people for years not to reuse passwords, and that a password manager is a secure way of remembering all the passwords you need for your online accounts.
But we also know that a password manager can be overwhelming, especially when you’re just getting started. Once you’ve stored your tens or even hundreds of passwords, a password manager is relatively convenient to use and keep updated. But you have to get to that stage first and not everyone is at the same level of computer literacy.
So, you may have wondered if there’s another way. No doubt, you’ll have seen the pop ups in your browser asking if you’d like it to save your password for next time. In fact, many browsers refer to that as their password manager.
It’s very convenient, since your browser is usually the application that needs the password, but is it a good idea?
As usual, there are pros and cons.
Encryption. With a browser password manager, someone with access to your browser could see your passwords in clear text, although Windows can be set to ask for authentication (the same you use at startup of your device).
The “Show password’ option
To see the passwords in an actual password manager, an attacker would need to know the password for the password manager or the recovery phrase, which are usually a lot harder to find out than the Windows authentication (if set).
A word of warning here, some password managers have the option to keep you logged in for hours or even days. If there is any chance that anyone may acquire physical access, such settings defeat the added security of a password manager, since the attacker could open the password manager and look at your passwords in more or less the same way as they could in your browser.
Lookalike phishing sites. Both a standalone password manager and the one in your browser will protect you here. They will not fill out your password if the domain doesn’t match the one you saved the password for, which could indicate a phishing site. This can be very useful and this is where it beats writing down the password on a piece of paper or storing it in a text file. I should add that the domains that are worth setting up a fake site for are usually the ones that we would advise you add multi-factor-authentication (MFA) to.
Syncing. If you’ve stored your passwords in the browser and have chosen to synchronize your browser between devices, your passwords will port over as well. This is obviously very convenient, but it’s also a potential danger if someone gets access to one of your devices. A true password manager doesn’t rely on syncing between the same browser on different devices. Once you have the password manager installed on a device, you have it handy to use in any browser or other apps.
Offline. Many password managers cache your passwords locally, so you still have access when your connection is broken. Browser password storage doesn’t allow for this.
Business devices. It’s hard for the IT department to keep track of which user has which passwords saved in their browser. Password managers for businesses give them a better insight and make it easier to revoke passwords when needed.
Password stealers. There are types of malware that are capable of harvesting passwords from your device. They know exactly where browsers store their passwords and the encryption key, so they can steal and send the credentials to the attacker. Password managers are separate to the browser so they’re not at risk in the same way.
Data breaches. Several password managers will warn you if they find that your credentials are involved in a data breach, so you can change them. Browser storage doesn’t do this.
Complex passwords. Humans are bad at creating and remembering complex passwords. A password manager and some browsers can help you create a password that meets the required complexity and store it so you don’t have to remember it.
Side channel attacks. As we saw with a recent bug in Safari, attackers can use the autofill feature in a browser to harvest login credentials for a site. This only works if you have autofill enabled, so to make things a bit safer you can tell your browser to wait for your OK before it fills out the data. Here’s how…
How to disabled autofill
- Brave: Settings > Autofill and passwords > Password Manager > Settings. Toggle off “Sign in automatically”
- Chrome: Settings > Autofill and passwords > Google Password Manager > Settings. Toggle off “Sign in automatically.”
- Edge: Settings > Profiles > Passwords > Settings. There you can toggle off autofill for passwords and for Personal data separately.
- Firefox: Settings > Privacy & Security. Scroll down to Logins and Passwords and uncheck “Autofill logins and passwords.”
- Opera: Settings > Advanced Settings > Autofill > Password Manager > Settings. Toggle off “Auto Sign-in.”
- Safari: Safari (in the menu bar) > Settings > Autofill. Uncheck “Usernames and passwords” and “Credit cards”.
So should you allow your browser to remember your passwords?
Your browser password manager gives you “ease of use” but that costs you some of your security. Of course, password managers aren’t foolproof either, so it’s important to decide for yourself where you store your passwords.
If you’re confident the website is safe and anyone that can access it under your account will not learn anything new, feel free to store the password in your browser, but disable autofill so you are the one that is in control.
Use MFA where possible. It enormously reduces the risk should someone get hold of your password. And refrain from using the browser password manager to store your credit card details or other sensitive personally identifiable information (e.g. medical information).
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.