Browser password managers – flawed security, by design

82 points, by jwcybsafe, almost 3 years ago

24 comments

iueotnmunto, almost 3 years ago
If filesystem access is a legitimate concern, you have bigger problems. Even if passwords were secured by FIDO or similar, session tokens are not.

If you compromise a computer, you can compromise web sessions. There is no mitigation for this. Shame on the author for attempting to create panic when far more productive security can be achieved elsewhere.
lsh123, almost 3 years ago
As usual with security discussions, one needs to start from analyzing security threats and attack vectors. Is a simple-to-memorize and likely multi-use password a bigger security threat than unique, hard-to-guess passwords in file storage? It depends.

Is this a laptop without disk encryption that travels a lot and especially internationally? Sure, these semi-unencrypted passwords on disk are likely not very safe from lost laptops, customs inspections, etc. Might still be better than a common and simple password though.

Is this a laptop sitting at home most of the time with strong disk encryption? I'll take unsecured browser password storage with unique hard passwords any day.

Edit: formatting
lucideer, almost 3 years ago
This is a bad bad article, the advice is dated and the counter-arguments are well known and oft-discussed by anyone who's actually in the security community.

The author / website does seem to be offering services in the security industry, but they seem compliance-focused rather than security-focused (compliance is a component of security). So likely offering legal & administrative expertise rather than technical.
hn_throwaway_99, almost 3 years ago
> Note – many of these dedicated password managers have browser plugins or extensions to help users save and fill passwords. These are very different and much more secure than the built-in password managers that are the subject of this article!

This is a shitty article from someone who doesn't really know what he's talking about. Here is a post from Tavis Ormandy, well-known security expert at Google Project Zero, advocating the exact opposite: https://lock.cmpxchg8b.com/passmgrs.html
pigbearpig, almost 3 years ago
> Microsoft Edge is Windows-exclusive of course

No, no it is not. When an article gets something so easy to check so wrong, it's difficult to believe anything else in it.
nl, almost 3 years ago
Whoever wrote this seems to have no modern security training.

> then your average employee is probably doing one of these three things: Writing passwords down on paper

> Hopefully, you have a corporate security awareness training program and have long been discouraging

Please, please encourage people to write down passwords on paper! That provides really good safety against most modern threat models, especially in a world where people are working from home.

> Even though Chrome, Firefox, and Edge browsers all store passwords in encrypted databases, by default all three products intentionally leave the associated encryption keys completely unprotected in predictable locations.

There was (is?) a long-lived Chrome issue (which I can't find now). They reasonably make the point that operating system level protection is the correct way to protect this (i.e., if a person can log onto your device they are assumed to be you).
torstenvl, almost 3 years ago
Even if the user doesn't turn on a master password, having the key in a predictable place *on an encrypted volume with appropriate access permissions* is still far more secure than sticky notes on the monitor. Contrary to the OP link's statement, it isn't enough for the attacker to get access to the user's system, they have to get access to the user's account.

And if the organization in question isn't using BitLocker or FileVault or some other encryption, browser password stores are way down the list of security worries.
GauntletWizard, almost 3 years ago
If your home directory is readable or writable by anyone other than you, you're compromised in a dozen more important ways, even though this is of very high importance. Your home directory's security is an axiom. It's not true, no, in the same way that there were once upon a time remotely exploitable worms in major HTTP frameworks but we don't question that a webserver doesn't allow remote code execution - it's the wrong layer of abstraction.

Even encrypting the browser's data store at the application level is misguided and probably pointless - anything that can read the browser's files is going to read the encryption key just as well. Anything that can read the browser's files when running as you is probably going to pop up an identical-looking "Enter Password" prompt and will have the right timing and permissions to enter it into the browser once it's been leaked. GUI frameworks are not designed to protect the user from malicious applications.

Android actually handles this much better - applications (rather, developers) are given their own user id, and so separation of files between apps is enforced at the OS level. Some level of this is why everyone has moved to Docker on the server, too.
modeless, almost 3 years ago
This is a bunch of silly hand-wringing. I guarantee that if browsers required creating and memorizing and typing a master password all the time, users would be less secure overall. Because people simply wouldn't use the annoying password manager. Using a password manager without a master password is *way* more secure than not using a password manager at all.

If you are a business and you want your employees to be secure, forget about anything to do with passwords. You need hardware second-factor tokens. Which I notice the article doesn't mention at all. An article about login security in 2022 that doesn't even mention hardware tokens for two-factor authentication is not worth anyone's time.
GlitchMr, almost 3 years ago
I don't think there is anything wrong with storing passwords unencrypted locally assuming the machine itself has encrypted storage. Malware that retrieves passwords from a password manager could get them from an unlocked password manager as well.
quickco, almost 3 years ago
A lot of the criticism of this article seems to be: "If they already have access to your local file system, you already have bigger problems"

What about defence in depth?

This article is suggesting an alternative: password managers such as 1Password. These password managers do not suffer from the same weak key storage as the browser's built-in password managers.

So this article is bringing attention to a weakness in the browser's built-in password managers, and suggesting a very viable and easy-to-adopt solution.

Why the strong criticism of this article?
JacobSeated, almost 3 years ago
I remember there being a lot of buzz about security issues related to allowing browsers to store passwords; this was more than 10 years ago, but ever since then I have just not trusted them. I reluctantly use an open source password manager, KeePass, and figure it is still better than using the same password everywhere.

Why would we store passwords in the browser? Seriously. I want my passwords to be available wherever I need to use them, and that only happens if I somehow share the passwords between my devices. I would not trust a proprietary browser developer to store my passwords securely. Period. I have no way of seeing or knowing what is going on on their cloud servers.

There are very simple ways to sync files between systems, which are open source, and are much more unlikely to compromise your passwords. E.g., the database itself is encrypted, and the methods of sharing are so simple that it is easy to cover many of the most probable points of entry. Obviously, sharing a password database file over the internet is extremely bad, but if you feel you must, do at least manage the server where you keep the pw db yourself. Heck, I would even 7zip it with another layer of security, because I can not know for sure if KeePass' encryption is safe.
throwawayffffas, almost 3 years ago
There is a lot of backlash against this article, which to be fair is kind of poorly written, but it still makes a valid point. Encrypting something and writing the key in the same place is pointless.

These browsers encrypting the passwords with a key saved on the device is security theater and has to be called out.

Security is not all or nothing; most people don't have full disk encryption so their passwords are sitting there completely unencrypted, trivially retrieved by anyone with physical access.
ars, almost 3 years ago
Sure, encrypting the passwords is better, but to steal all the stored unencrypted passwords the attacker would need access to the user's computer.

If they have that access you have bigger problems on your hands. Yes, this can lead to privilege escalation, but for the vast majority of people access to the desktop is enough for that anyway.

If you need better security, you probably already are using more advanced measures.
dmateos, almost 3 years ago
One thing I often do when I forget one of my passwords is go into Chrome, go to the webpage corresponding to the login of the thing in question and let it autofill, then I turn the password field into a plain text field in the HTML editor.

I've always thought this kind of bypasses most checks you get if you try to go into the password db in the browser itself.
aimor, almost 3 years ago
The new Hell I'm experiencing is everyone wanting to validate my identity through my phone. Email does it, banking does it, I suspect by the end of the year Windows will probably be sending me a code before I can log in. I'm sick of it. I don't like needing to have my phone on me, I don't like the fear that if I lose my phone I'll be locked out of everything, and I really don't like being forced into this.

It feels like there's a lot of fear around passwords right now. I'm sure companies see them as a liability and are eager to move away from them as soon as possible. Are we going to have a future where each person (or identity) has a single hardware token for all logins? I don't think we're anywhere close to that yet.
quickthrower2, almost 3 years ago
Does this cover things like LastPass, 1Password, Bitwarden? Or just the built-in managers?
olliej, almost 3 years ago
Or you could report this as a security bug on those browsers.

This vulnerability does not exist in Safari on any platform: macOS, iOS, or Windows. Admittedly in the last case because it is alas dead :D

I would have assumed that on macOS Firefox and Chrome use the platform APIs that support secure storage of data, and would absolutely consider this to be a security bug if not.
rapnie, almost 3 years ago
Lot of critical reactions, maybe deserved. Some saying a master password is not all that important. I notice that with Firefox Sync that means knowing the unlock swipe of your Android is all that's needed to view passwords in plain text via the Settings UI when you lose your phone or someone peeks in it on an unguarded moment.
stjohnswarts, almost 3 years ago
I'm just not sure why they haven't built in something like Apple's Face ID. I know security experts hate anything that isn't locked down with 3 forms of verification but my goal is to have security to the point that it isn't a hassle every time I want to go to a new website.
foota, almost 3 years ago
I get asked for my windows password when I try to view the passwords, are they not encrypted by windows?
jwcybsafe, almost 3 years ago
Keen to understand the hackernews take on this...
kurupt213, almost 3 years ago
TIL. I enabled the master password on my work browser before I finished reading the article.

Seems obvious now
what-imright, almost 3 years ago
LastPass just sent us a bill for $750 and unless we pay it they have locked the whole company out of our shared password database and refuse to supply even chat or email support to discuss it