I'm a little disappointed in the conclusion because there are more secure password managers out there that still offer the same level of convenience as the browser built-in password manager. Yes, if you use a password manager that's implemented entirely as a browser extension, you may as well use the browser's built-in password management features. However, if you're an advanced user and are comfortable using a separate password management application, there are options out there that don't force you to choose between a difficult-to-use app and the convenience of something in-browser.<p>For example, exploiting a browser-based password manager likely means escaping the sandbox that contains web pages and accessing the shadow DOM. But this is still a larger surface area than 1Password, where the password selection menu (on Windows at least...) is actually rendered by an entirely separate process on the system. (I.e., clicking the icons that the extension displays triggers the 1Password desktop application to display UI at the cursor's current position. Picking a password from this UI will transmit it to the browser extension for filling. The password is only present in the browser's memory once you've interacted with the desktop application's UI.)<p>As always, do your research. Don't get suckered into paying a subscription fee for a browser extension that offers the same functionality your browser has built-in. But realize that there are other options out there that <i>may</i> actually be worth investing in.<p>Disclaimer: I've been a happy 1Password customer for a few years now.
This somewhat overlooks the main threat model that password managers solve - leaked credentials.<p>People can’t remember 80 passwords so they reuse the same one, that password eventually gets leaked and 9/10 times it doesn’t get leaked due to a targeted attack or a compromised machine but rather due to a breach of a service you signed up to.<p>Sure, password managers have issues, they don’t solve user related errors and can even add to the attack surface of a machine they are running on but that’s really not important...<p>Using password managers and generating different passwords for each service reduces the blast radius from any breach.<p>This is why I don’t care if the password manager has the best encryption, or whether it even encrypts at all, or whether it uses the clipboard vs some more secure side channel. Yeah that’s nice but that’s not in my threat model.<p>Which is why I don’t care if your password manager is a spreadsheet, it’s a terrible choice for a business because of their threat landscape and the fact that a spreadsheet won’t allow you to audit who has access to what, but for you or your mom even that is better than using the same password everywhere else.<p>Heck, at home print your passwords and store them somewhere safe... put them on a post-it note for all I care as long as you live alone or at least not with anyone you wouldn’t want stumbling on that list...
As it looks like Tavis isn't hanging out and responding to comments here, I thought it'd be worth linking to a question and response he gave on Twitter as most comments revolve around this point.<p>> @diractelda: Based on your thoughts, it seems a more accurate statement is "Don't use a password manager that interacts with your browser automatically unless it's the built in password system. Non-integrated password stores are fine."<p>> @tavis: Yep, that's a fair summary, I was just trying to be punchy<p><a href="https://twitter.com/taviso/status/1401253440622235649?s=20" rel="nofollow">https://twitter.com/taviso/status/1401253440622235649?s=20</a>
> If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.<p>Unfortunately, it also means I can basically never switch web browsers again, so it's an absolute non-option for me. I don't want to be locked into Chrome forever.
Here's the best solution I've found for those looking for password manager recommendations. It's secure, free, open source, easy to use, and syncs to all of your devices<p>1. Password manager for PC / Laptop: KeePassXC. It's not built into your browser, it's a separate application. It's totally open source, and trusted by many. It also supports two factor authentication, I use a passphrase and a key file. Supports TOTP. Has a ton of "premium" features, totally free. It's awesome.<p>2. Syncing application: Google Drive. Sync your KeePass database using Google Drive (or whatever other sync application you want). KeePassXC supports merging databases if there's ever a conflict, as rare as those are. This is secure, because the KeePass database file is encrypted, and Google Drive / Google will never see the unencrypted database.<p>3. Password manager for phone: KeePass2Android. Not sure what the options are for Apple, but I'm sure they exist. Allows you to open your KeePassXC database from Google Drive.<p>4. Browser support: KeePassXC-Browser. Allows you to autofill your username / password / TOTP from your KeePassXC application to Chrome / Firefox.<p>Totally free, secure, convenient, and syncs to all your devices. Also comes with excellent redundancy for your password database so you'll never lose it. I've been using this setup for years flawlessly.
The major problem with the built-in password managers is that they don't store more than the password. If there's a site that has security questions, I use LastPass to keep track of the security questions and my answers. I have to do this because I don't give real answers to security questions.<p>A minor annoyance is that Safari will not let me treat sites which use multiple domains as equivalent. So Discount Tire uses dt.com and discounttire.com but Safari flags this as a security problem because I'm using the same password with both. LastPass lets me set them as equivalent domains, though the process is probably too difficult for most people.<p>LastPass made free users decide whether to use it either on computers or phones & tablets but not both. Because I use Firefox on my Mac, I used LastPass on computers. I rely on Safari to sync for my phone and tablet. I think it's inevitable that LastPass will continue making life more difficult for free users and I may end up with a flat file or Apple Notes file to store the security questions and answers.
> I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.<p>I haven't used the browsers' built-in password managers for years, so I don't know what features they have, but I find it hard to believe that they can provide the same functionality as a dedicated password manager.<p>Some of the top features of dedicated password managers include:<p>* Generating random passwords/passphrases (this is pretty basic)<p>* Storing and generating two-factor authentication codes (TOTP)<p>* Filling out passwords into mobile apps as well as websites<p>* Storing security questions, backup codes, any other site specific data that needs to be secure<p>* Storing credit card information<p>* Platform agnostic syncing<p>* Sharing passwords with friends, co-workers, or family<p>* Weak password checking / HIBP integration<p>I'm sure that the browser password manager can do some of these things, but I doubt it can really do all of them.
The blog suggests using Chrome's password manager. I used macOS Keychain as my primary store and Chrome's password manager for my secondary store for years and finally gave up because Keychain didn't work with Chrome or sync with anything (unless maybe I used iCloud) and Chrome only synced with and worked with Chrome and too often it didn't save passwords properly. For all other browsers, apps, or uses, Chrome password manager is useless.<p>Fortunately I could export Chrome to CSV and use some third party AppleScript to export Keychain and import into KeePassXC. It's not perfect but it's better than the built in stuff.<p>Maybe W3C could standardize a protocol for password managers so we don't have this insane vendor lock in.
Personally, using a browser-based password manager is too restrictive in that you need a browser to access passwords.<p>I use passwords in a lot of places outside of browsers and often the interface I'm using has no browser capabilities.<p>I understand using browser-based password management if you only ever use passwords on the web. But I'm sure a lot of others, like me, need them outside of that context.
I use Bitwarden, and to my knowledge the issue raised in this article does not apply to it -- all interaction is through the extension's icon, with no UI elements injected into the page itself.<p>Combined with being completely open-source (including backend), full-featured even in the free version, and $10/year pro version (with features like sharing, encrypted storage, etc.), I can recommend it to practically anyone.
I would NOT recommend the Chrome password manager. If you sync your passwords, they will not be stored encrypted at the Google side. You need to specifically set password encryption in the settings.<p>I've also spent a lot of time understanding password managers in my master's thesis. What I can recommend is: <a href="https://pfp.works/" rel="nofollow">https://pfp.works/</a><p>The creator was auditing password managers like LastPass, found a lot of issues, and used his knowledge to create pfp, which does it right imho.
The built-in browser password manager is the only one that ever made sense for me. You want the machine to verify the domain for you so you don't enter your credentials into some other site (no copying and pasting) and all third-party scripts are always clunky.<p>I use Firefox with Lockwise[1] for Android and pass[2] as overflow for more involved secrets. This is a solo solution though that doesn't solve sharing these secrets with others.<p>[1] <a href="https://www.mozilla.org/en-US/firefox/lockwise/" rel="nofollow">https://www.mozilla.org/en-US/firefox/lockwise/</a><p>[2] <a href="https://www.passwordstore.org/" rel="nofollow">https://www.passwordstore.org/</a>
I get that nowadays the alternative to password managers is browsers. But they were mostly developed when the real alternative was trying to remember all those passwords, or duplicate them, or write them down somewhere.<p>I used to have random passwords scattered over multiple browsers, because I change browsers.<p>Then I got a password manager, and imported all my chrome passwords... and there were hundreds of them. All the old ones, all the weird little ones that I never cared about. It took me ages to clean this data set and delete all the crap.<p>So no... never going back to storing passwords in the browser, thanks. I realise that technically a malicious site could possibly mess with my password manager. But I'm more worried about what the browser is doing.
It's curious that we haven't seen dedicated effort towards a consistent password autofill API in browsers, like what is present in Android. Even the Credential Management API seems to have not picked up traction for passwords, though it was extended for use with FIDO2 security keys.
I use unix pass as my "source of truth" and then individual browser password managers (mostly Firefox) as a local "cache" for sites where it is painful to manually go out to pass too often. Honestly it works brilliantly, pass syncs using git which I do to a bare ssh repo on a server I control (although it would be perfectly safe to put on github tbh).<p>I really feel like people overthink this sometimes.
I have a bash script which takes in the name of the website and generates a 64 character long random string (lower, upper, number, symbol), then puts that in a text file and then encrypts it with gpg using aes256 and puts that file in a Dropbox synced directory. Whenever I need to use one, another option retrieves the password, and if I want to use my phone, I just use yet another option which uses qrencode to generate a QR code of the password and then display it using `display` by ImageMagick so my phone can scan that to copy the password into the clipboard. That's the safest solution I came up with without trusting third-party solutions. The only downside is the dependency on a Linux-powered PC.
> If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.<p>What would be really great is if the major browser vendors would get together and come up with a way to do reliable, secure, cross-browser syncing of passwords.<p>The main reason I use a password manager instead of the browser’s password storage is because I use different browsers both on the same device and on different devices. I might use Firefox on my Linux desktop and Safari on my Mac. Using a third-party password manager allows me to have the same set of shared passwords on both.
I share the conclusion, and for those friends and family who use Chrome across devices I've been recommending that they just activate 2FA (not SMS) and use the built-in password manager.<p>But relying on Chrome as a password manager - even on Android - has drawbacks as it seems not to support all the apps and fields one needs it to.<p>I personally use Bitwarden because it seems to work - when I enable all assistive tech - in 99% of situations. I also don't use Chrome anymore so using Google password manager isn't as useful.
> Second, everyone needs to be using unique passwords. You don’t have to use a password manager to do that, whatever system works for you is fine. If you want to use a notebook in a desk drawer, that’s totally acceptable.<p>You don't need a notebook for unique passwords. Just use the service's name. Unless you also meant unguessable, in which case a notebook is probably going to be insufficient because your brain-powered password generator will soon run out of entropy.<p>> The tech press can review usability and onboarding experience, but can’t realistically evaluate any security claims, so how do you propose users tell the difference?<p>"Security at the expense of usability, comes at the expense of security." Users don't need to know the difference because the only danger they need to protect themselves from is "my gmail was hacked" and the only requirement for that is that they use an un-guessable password saved somewhere unsophisticated attackers can't access. Any password manager accomplishes this.<p>> An attacker (or malicious insider) in control of the vendor's network can change the code that is served to your browser<p>Password managers have servers sending code over to the browser? After the installation process?
> This problem is pervasive among online password managers, you can never be sure if you’re interacting with a website or your password manager.<p>Isn't this true for any scenario, password manager or not? If a site has been compromised without you knowing and you enter your password from memory, paste, or a password manager, that password is at risk.<p>Is the author saying that he is able to access ALL passwords in the password manager via a single malicious site?
I have no complaints about KeePass on my desktop. I tried using it on mobile but decided it wasn't worth the trouble to get it working as I wanted in terms of syncing and autofill. Instead I just use a select few logged in apps for which I either memorize the password or use fingerprints. I don't really like the idea of syncing all my passwords with any online service.
This does not really discuss offline password managers like keepassx except for this one sentence<p>> Conceptually, what could be simpler than a password manager? It’s just a trivial key-value store. In fact, the simplest implementations are usually great. Good examples of simple and safe password managers are keepass and keepassx, or even pass if you’re a nerd.<p>I think KeePass synced via Nextcloud is a great solution, e2e encrypted, works basically everywhere (Windows, Mac, Linux, OS X, iOS, Android) and it keeps the sync and backup in your hands. If copy and pasting a password or using autofill for KeePass is too much to ask, then you probably don't care about security.
I just keep a (symmetrically) encrypted secrets file on my main work machine with a strong pass phrase stored in a gpg-agent. It's simple (emacs will happily transcrypt it simply by opening it) and amenable to straightforward backup/duplication wherever I need it, though obviously it does assume a command line and that I'm not exclusively on a phone or whatever (not that that's impossible, but...).<p>It also has the advantage of scaling in a straightforward way to other secrets that aren't "passwords", like credit card and other account numbers, SSNs for my kids, addresses for relatives who keep moving, etc...
Passwords are a lost cause. This doesn't mean that you need to give up on using good practices, just don't go overboard trying to plug all the theoretical holes. It's not all or nothing, sometimes it's OK to be good enough. For everything important you oughta use 2FA anyway.
It’s irritating to me that there’s no standard integration between password managers and authentication elements on a page. We can do this correctly if we want. Furthermore, I’d love some standard programmatic way to change passwords and communicate complexity and rotation timelines. If I use a password manager anyway, it should just deal with changing my password if some organization decides to use a backwards rotation policy with specific special characters.
After building my new rig, I also made a successful jump from Windows 7 to PopOS. It was mostly a very smooth transition, but I am having real problems with replacing Password Safe I used on Win.<p>I eventually defaulted to using FF for passwords, but it still feels wrong. Password Safe had password generators, space for notes.. lil things that I keep missing.
Given this advice, I would:
- turn off any webpage integration LastPass does
- still use LastPass to store my passwords in the cloud so I can share passwords between iOS apps and web.
I need to share my passwords between multiple devices and browsers, that's why I use a password manager. I have a second one, called pass.<p>But I didn't check how to synchronise it with devices.
The "attack surface" I worry about is forgetting to lock my screen before going down the hall to get some water, and someone slipping in to obtain a sensitive financial password.<p>I've never succeeded in explaining this to any password manager's tech support. They stay in business because their tools are convenient to use.<p>I've migrated from 1Password to a Dashlane family plan. I use two separate accounts for myself. I log in to one account to access sensitive financial sites, and log out explicitly before leaving my chair. I log into another account for everything else; do I care if my subscription to the Washington Post gets compromised? That account stays open for convenience.<p>Each password manager has a theory on how best to offer similar security/convenience with one account. None work as smoothly as having two accounts.
For my parents, I tell them to just write the password down on a piece of paper.<p>If someone breaks into their house, they have a bigger problem than someone reading their emails, and since they live off government pensions, there is not a lot of money that can be stolen via the internet.
I don't think you need your password manager to inject the password into a web site for you. I think you can just copy and paste from KeePass.<p>I want account management protocols so I can rotate all my passwords automatically via my password manager. That would be awesome.
I think this guy is missing one reason you definitely want to run browser based password managers, especially at a business. And that is... phishing. Not everyone is tech-savvy enough to notice a phishing site and some phishing sites are hard to notice even for those who are aware. Browser based password managers fix this problem. Yes, the browser vendor and the password manager vendor are weak points, but it's oftentimes safer than dealing with phishing especially for those not as aware of it as you are.<p>Also the other guy who mentioned re-used passwords has another good point.
I used to like Chrome password manager, but since moving back to Firefox, I like their password manager more.<p>I haven't been comfortable with other 3rd party password managers and their integration feels forced
One attack vector is consolidating all your passwords into a password manager, and then being able to unlock the password manager on your phone w/ biometrics (e.g. face, fingerprint).
> I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use.<p>I know it's about browser integration, but take a look at the repository of the Lockwise Android app[1] that released its last version 6 months ago and the Bitwarden app[2] with its last release being 1 month ago (I tried to find the Firefox browser version but it's a mess to analyse the activity of it). I know Firefox has a much larger team but it doesn't necessarily mean that more competent devs are taking care of the browser password manager's security than 1Password for example - maybe this is true for Google Chrome but who knows about Firefox and Edge.<p>[1] <a href="https://github.com/mozilla-lockwise/lockwise-android" rel="nofollow">https://github.com/mozilla-lockwise/lockwise-android</a>
[2] <a href="https://github.com/bitwarden/mobile" rel="nofollow">https://github.com/bitwarden/mobile</a>
Tavis is an amazing researcher that I respect and look up to.<p>However, I would still advocate for a web based password manager for regular people. The benefits overpower the possible risks which are more targeted than generic.<p>For security personnel, like myself, a reliable local password manager is unbeatable. Yes, it is less convenient no doubt, but removes any remote based attacks from the picture which is a huge deal.
I get that poorly designed non-native password managers introduce extra attack surface, but to conclude that no non-native ones should be used is absolutist, lazy thinking that doesn't seem rooted in reality at all. As other commenters have stated, password managers solve the password reuse problem. More crucially IMO, they solve the password reuse problem /for organizations/ -- the importance of this can't be understated.<p>The content script attack surface issues simply matter less than the giant gaping hole from password reuse combined with spear-phishing and breaches. Anything that makes it easier for the wetware at scale to do the more secure thing is going to increase overall org security by a step function and is a valuable layer. That it's not infallible shouldn't mean it should be discarded.<p>Frankly, I find this article irresponsible. Imagine some organization follows the advice here and actually weakens their overall security posture by following its advice. That would be unfortunate.
Is autosync really that important for people?<p>I use keepass (so no custom browser extensions at all) and I always register for new accounts on my main device. Then, once enough entries amass I manually copy my database into all the other devices I own - usually once a quarter or even less often. That's it.<p>Trusting that some third party service would keep your passwords private is a stretch.
Speaking to the section on "Vendor claims"<p>> An attacker (or malicious insider) in control of the vendor’s network can change the code that is served to your browser, and that code can obviously access your passwords. This isn’t farfetched, altering the content of websites (i.e. defacement) is so common that it’s practically a sport.<p>Is this actually true? For LastPass, I would assume the code run in the browser comes from the extension directly, and (for Chrome), the extension comes from the Chrome Web Store. There are some problems here, but in theory the system could be improved so that modifications to the extension in the Google Web Store are very obvious, and an attacker couldn't just inject code into the extension and update it without someone noticing immediately.
><i>There are two primary components that make up your browser interface, the chrome (confusingly, the term has nothing to do with Google Chrome) and the content area</i><p>Actually it has, since Google Chrome started as a different "chrome" on top of WebKit (hence the name).
I really feel like both the author and the post on HN should specify that these vulnerabilities are specific to browser/online password managers.<p>Got very confused until reaching the end of the article where 'online' was mentioned specifically.
Was this written in 2021 or 2001? How could someone in 2021 not even mention mobile at all? I need a password manager that will work across all of my devices and browsers, not just a single browser on a single desktop machine.
Conclusion is that there's a risk with browser extensions, which is pretty much common knowledge at this stage. Don't use them. Bit disappointed in that conclusion, the intro was pitching for more.<p>Been using KeePassXC with auto type, an ownCloud based replica, a certificate and a YubiKey for a while now. It's slightly more of a hurdle than LastPass and such but also not as black-box, and the fact that it ain't as mainstream might make it less susceptible to the mass attacks that we've seen leaking personal data by the GB these past few years
The alternative to password managers is federation. If you're going to trust Apple's or Google's or Microsoft's browser to remember passwords in the cloud then you might as well use SAML or OAuth and stop caring about passwords almost entirely.<p>For the few sites where security matters more than trust in browser vendors it's probably better to memorize those passphrases, or use completely offline password managers.
I think iOS does this right. It helps you get a password from the Bitwarden app when using the browser. No browser extension with injection is required.
The “built in” password manager in your browser only addresses use of a browser. Password managers like 1Password are useful in other contexts as well.
I do not use a browser-based password generator, because of the JavaScript insecurity issues (edit: And because I’ve been using a system like this far longer than online password managers have existed). I use a shell script, with a small C program to handle the core cryptography, to generate secure passwords.<p>I run the password generator in a terminal window, then copy and paste the password into the site I am trying to log in to.<p>It’s a fairly complicated shell script, since it also has to deal with nonsense like stupid arbitrary password rules (e.g. Southwest considers an underscore to be a letter, and insists at least one non-letter non-number punctuation is in a password; some places require a password to be 8 characters or shorter; etc.) and also provides login information so I can also remember my username.<p>As recently as 5 or 6 years ago, there were issues with websites which wouldn’t let you copy and paste a password into their password field; Firefox has always had an “ignore any JavaScript which stops pasting” special rule in about:config I had to use. I haven’t seen one of those in a while; developers finally got a clue and realized that password managers exist.<p>One weakness this setup has is that anyone with the “master key” can get all of the passwords generated by the password generator. My workaround is to use a separate master key in a virtual machine for critical passwords, such as online banking ones.<p>Shameless plug time:<p><a href="https://github.com/samboy/PassGen/" rel="nofollow">https://github.com/samboy/PassGen/</a>
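The random-string-in-an-encrypted-file scheme a few comments up and the master-key derivation described here both come down to producing a password that satisfies a site's character rules. The following is added example code, not either commenter's script and not the PassGen repository, written in Python rather than shell: one policy object, a CSPRNG generator for the stored-password approach, and a deterministic PBKDF2/HMAC derivation for the master-key approach, including a version counter so a single site's password can be rotated. The `Policy`, `derive_password`, `random_password` and `SHORT_SITE` names and the constructed master secret are this example's own.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"


@dataclass(frozen=True)
class Policy:
    """A site's password rules: exact length, permitted alphabet, and the
    character classes that must each appear at least once."""
    length: int = 64
    allowed: str = LOWER + UPPER + DIGITS + SYMBOLS
    required: tuple = (LOWER, UPPER, DIGITS, SYMBOLS)

    def accepts(self, pw: str) -> bool:
        return (len(pw) == self.length
                and all(c in self.allowed for c in pw)
                and all(any(c in cls for c in pw) for cls in self.required))


def _draw(next_block, policy: Policy) -> str:
    """Turn a stream of byte blocks into policy.length characters drawn from
    policy.allowed. Rejection sampling keeps every character equally likely;
    a plain `byte % n` would favour the start of the alphabet."""
    n = len(policy.allowed)
    limit = 256 - 256 % n          # bytes at or above this value are discarded
    out, counter = [], 0
    while len(out) < policy.length:
        for b in next_block(counter):
            if b < limit and len(out) < policy.length:
                out.append(policy.allowed[b % n])
        counter += 1
    return "".join(out)


def random_password(policy: Policy = Policy()) -> str:
    """Fresh CSPRNG password (the random-string scheme). Nothing can be
    re-derived later, so the result has to be stored, encrypted."""
    for _ in range(1000):
        pw = _draw(lambda _counter: secrets.token_bytes(32), policy)
        if policy.accepts(pw):
            return pw
    raise ValueError("policy cannot be satisfied")


def derive_password(master: bytes, site: str, policy: Policy = Policy(),
                    username: str = "", version: int = 0) -> str:
    """Deterministic per-site password (the master-key scheme). Bump `version`
    to rotate one site without touching the others. Anyone holding `master`
    can recompute every password, which is exactly the weakness the comment
    above describes; the random scheme trades that for having to keep a store."""
    salt = f"{site}\0{username}\0{version}".encode()
    # One expensive stretch per call makes guessing a weak master costly.
    seed = hashlib.pbkdf2_hmac("sha256", master, salt, 100_000)
    for attempt in range(256):
        def block(counter: int, attempt: int = attempt) -> bytes:
            return hmac.new(seed, f"{attempt}:{counter}".encode(),
                            hashlib.sha256).digest()
        pw = _draw(block, policy)
        if policy.accepts(pw):          # retry with a fresh stream if a class is missing
            return pw
    raise ValueError("policy cannot be satisfied")


# Constructed example of an awkward site rule like the ones the comment mentions:
# at most 8 characters, and underscore is allowed but does not count as punctuation.
SHORT_SITE = Policy(length=8, allowed=LOWER + UPPER + DIGITS + "_!@#$%",
                    required=(LOWER, UPPER, DIGITS, "!@#$%"))

if __name__ == "__main__":
    master = b"correct horse battery staple"      # constructed, not a real secret
    print(random_password())
    print(derive_password(master, "example.com", SHORT_SITE, username="alice"))
```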
Browser built-in password managers are much less useful for me than some password manager apps like LastPass. I can use it in Chrome, Safari, on iOS, macOS, etc.<p>If I use Chrome's built-in password manager for example and want to get the password for some website in Safari on iOS, I think that would not be as seamless as with LastPass for example.
Good article<p>This is why, while I do use Password Managers, I hate the tiny widgets and prefer to copy/paste or use a typeable password.<p>Having your password as "@#$!@#-<_" will just annoy you every time you need to type it and/or use it in an automated fashion (because every system gets confused by $, \, /, -, etc, in different ways)
I've always found password manager browser extensions to be finicky and brittle. They never really seem to work all that well, and as the author writes, the security is bad. I much prefer just copying the credentials from another application.
To me anyone dispensing security advice while using Chrome loses all credibility. Sure, it’s not an insecure browser per se. But it facilitates Google slurping my data and that falls within my threat model.
uncharitable tldr: Google employee says that for Chrome users, using the password manager in Chrome is your best option.<p>He's a brilliant researcher, but I think he's wrong on this one, and the blog post is an appeal to authority and ends with basically an 'I've already heard your counter arguments and you're wrong'.<p>He should show his work.
I worked on the design of adding passwordless 2FA to the Saas Pass password manager. In addition, the Saas Pass password manager identifies websites that you can add 2FA to as well.
tl;dr: browser extensions are bad therefore all password managers are bad<p>Also find it odd the author uses Chrome, which doesn't even let you set a master password to E2E encrypt its password store.