All modern web browsers include password management functionality. It makes sense at first glance to integrate the functionality; most users sign in to services on the Internet regularly.
One of the main advantages of password managers in browsers is convenience. The browser recognizes new logins and prompts users to save the information. Similarly, it offers to sign in using saved data whenever a website is found in the password manager’s database.
It is handy and that is the reason why it is widely used.
Disadvantages exist as well:
- Functionality is limited to a specific browser – Synchronization support may extend the reach, but it is still a limiting factor.
- Automatic login functionality is limited to a browser – It cannot be used to sign in to apps and other services that are not opened in the browser.
- Protective features are limited – Usually to the device password or PIN.
Limited functionality
When you save a password in a browser, the browser stores it in a database on the local device.
If synchronization is enabled, the database is synced across all devices on which the browser is installed and synchronization is enabled.
Still, it is limited to that browser. If you use multiple browsers, you won’t be able to use the functionality in the others unless you use import features.
The saving of passwords and automatic logins are also limited to the browser. If you need to log in to an application on the device, then you need to do so manually by copying the username and password from the browser’s password manager.
Security is limited
Security and protective features are another limitation. Depending on the password manager, the stored passwords may not be protected by a password. Some browsers support setting a primary password to protect the password database, but in many cases, it is not enabled by default.
Anyone with access to the PC may get access to the stored passwords of browsers. While that requires the account password for the PC in question, it may open up a can of worms in some cases.
The browser may prompt for a password or a PIN when the password manager is opened and entries are inspected there. However, there is no such protection when visiting saved websites. Browsers like Chrome will fill out the passwords on the sites and sign users in automatically.
It is even possible to show passwords in plain text by manipulating the HTML code of the website. This is not a problem if the account password is strong and you never leave the PC unattended.
Synchronization is convenient, but it moves the password database into the cloud. It is encrypted, but it adds another attack vector that would not exist if the database were stored locally only.
How dedicated password managers compare
Here are the main differences:
- A password is required to create a new password database — This means that it is protected by the device password and also the password the user selects during creation.
- Additional protective features are available — This may include two-factor authentication for extra protection and customizable security settings, such as the number of iterations.
- Password managers run system-wide — You can use them to sign into apps or other services on the device, independent of any browser or program.
- Self-hosting may be supported — Instead of relying on a server by a company, you can self-host the cloud space.
- Open source and audits — Many browsers are not open source. Good password managers are audited regularly.
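To make the "number of iterations" setting concrete, the following added example (not code from any browser or password manager named here) shows how a primary password can be stretched into a database key and how the iteration count sets the cost of every guess against a copied database. PBKDF2-HMAC-SHA256, the header layout, the function names and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

KEY_LEN = 32  # bytes of derived key material
CHECK_LABEL = b"vault-header-check"  # constructed constant for the check value


def derive_key(primary_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the primary password into a database key (PBKDF2 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", primary_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def create_header(primary_password: str, iterations: int) -> dict:
    """Build the plaintext header a database file would keep next to its data."""
    salt = os.urandom(16)  # random per database, so identical passwords differ
    key = derive_key(primary_password, salt, iterations)
    # Store a check value computed with the key, never the key or the password.
    verifier = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: dict, candidate: str):
    """Return the database key if the candidate password is right, else None."""
    key = derive_key(candidate, header["salt"], header["iterations"])
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["verifier"]) else None


def seconds_per_guess(iterations: int) -> float:
    """Time one derivation: the price of each guess at the primary password."""
    start = time.perf_counter()
    derive_key("constructed-guess", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample password and iteration counts.
    header = create_header("correct horse battery staple", 600_000)
    print("wrong password unlocks:", unlock(header, "letmein") is not None)
    print("right password unlocks:",
          unlock(header, "correct horse battery staple") is not None)
    for n in (1_000, 100_000, 600_000):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

The per-guess time grows roughly linearly with the iteration count, while the legitimate user pays that cost only once per unlock.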
Some of the features depend on the password manager. My recommendation goes to Bitwarden and KeePass. There are numerous others that you can try.
Granted, password managers are not perfect. They cannot help you if you need to sign in to a service on your Smart TV, but neither can browser password managers.
Closing Words
Using a password manager is highly recommended. If you use a browser password manager, make sure you configure extra security features, if needed. This may include setting up a primary password, enabling operating system protections, or using a strong device password or PIN.
Standalone password managers offer more functionality. Good ones offer better security right away, more customization options, and a lot more that browser password managers do not support.
To answer the question of this article: a dedicated password manager is better in many regards, but it is still better to use a browser password manager than none at all.
What about you? Do you use a password manager? If so, what is the program that you use currently and why?
I do use two password managers, one as a Windows software, another as a browser (Firefox) only extension. I do not use the browser’s synchronization feature.
– The Windows Password Windows software is where I create and save logins together with some extra confidential data. It is not linked to the browser. Data is encrypted and password protected.
– The browser password manager I use is Bitwarden, only as an extension. I nevertheless do not provide “extra” confidential data such as bank logins and credit card data.
About using the browser’s built-in password manager.
Besides the security reasons (not the synchro easiness given I don’t use the browser’s synchro), there is in my case another reason for me to avoid it :
Firefox Password Manager requires pref “security.nocertdb” to be set to “false” (default).
Intermediate certificates caching is considered as a fingerprinting attack vector and is enabled with “security.nocertdb” set to “false”. Hence I disable it (“security.nocertdb” = “true”), hence Firefox Password Manager is as well unavailable.
Bitwarden is OK, does impact very slightly the browser’s velocity.
I know many users use local password managers linked to the browser via a dedicated extension, that may be preferable to Bitwarden, my argument is plainly that of being the easiness of referring to what we’re used to.
One thing is sure : I do not and will never send over the clouds what I consider as being extra sensitive data, which remains locally encrypted ONLY.
Thanks for the tips. I agree with you on one thing, I prefer KeePass myself. But that’s nothing compared to the horrors of online storage like LastPass.
Over many years on the internet, I’ve used several password managers. First Roboform, followed by KeePass and then LastPass. I used LastPass until it was sold; then I felt uncomfortable with it. Apparently a good instinct since it’s been breached multiple times. I finally switched to Bitwarden and am perfectly happy with it. I hope it remains available because there is no reason to change again, but if I absolutely had to, I’d likely go back to Roboform.
Like you, I switched from Roboform to LastPass to Bitwarden. I really hope that LastPass respected my choice of deleting all passwords in LastPass Vault. I really do not want to go to every website and change passwords.
I did change all banking passwords after LastPass, but all passwords in general would really be a daunting task.
We use Password Safe because it is portable, open source, and most of all, isolated.
I use Keepass. Easy as pie to add passwords to a browser to login with. As for saving passwords to a browser then no, I prefer to keep the two completely separate from each other.