Cybersecurity 101: It’s time to stop using browser password managers

You’re using your favourite web browser to log into a secure website. The browser then asks you to save your password into its built-in password manager so that it can fill it in for you next time you try to log in. Super convenient, right? 

While built-in browser password managers are unrivaled for a frictionless experience, it’s important to recognize their security risks.

Security risks of browser password managers

The first flaw of browser password managers lies in the fact that they are not primarily designed for the security of the data that they store. Nor is there a strong impetus for browser developers to focus on privacy protection when a key function of these browsers is to track your search and purchase history to maximize targeted advertisements for other parties. Without a strong line of defense, your browser-stored information is vulnerable to potential hackers from anywhere, including your own location.

Notably, browsers rely on your operating system for login security. Users must manually enable a master password as well, meaning that password managers on most browsers do not automatically encrypt your passwords. That means if malware gets on your device and gains your access permissions, it can ask for your browser data to be decrypted—since at that point the request seems like it came from you.

Likewise, if your physical device is stolen and the thief gains access (either because the device was unlocked at the time, or they manage to bypass your access code) all previously accessed apps and saved passwords will be exposed, making an already debilitating situation infinitely worse. The risk is increased since the built-in password manager assumes the user must have permission and will automatically fill out login credential forms. This is different from dedicated password managers where a master password is needed to unlock an encrypted vault.

Furthermore, browsers themselves are frequently subject to attempted hacks, data breaches and accompanying malware because they are known to store so much personal information. Keeping your information out of a browser password manager mitigates any potential damage from these kinds of cyber-attacks.

Another consideration is that browsers typically synchronize profiles across multiple devices. This is an added convenience allowing you to use your passwords and bookmarks across all your devices. However, for that process to occur, the profile data is uploaded to the cloud, meaning your information is no longer entirely under your control.

For example, if you use the Chrome built-in password manager, this multi-device synching means Google will create copies of your passwords on their servers. This could be an issue if those servers are ever hacked.

Convenience vs Security

While some may wince at having to use a dedicated password manager instead of letting their browser fill everything in, the pros of enhanced security outweigh the cons of lost convenience. To start, having advanced security measures around your passwords makes it significantly harder for a potential hacker to break into your information, meaning that their attempt to access your data will fail outright, or they will give up entirely as it is not worth the effort. Being responsible for your digital safety as much as you can is the best deterrent and defense you can have.

Although the convenience of your browser and a simple prompt can be addictive, especially when switching between multiple password-protected applications in a day, the risk of compromising each of those is not worth the speed. Several non-browser applications can even autogenerate secure passwords and organize your login credentials according to their corresponding links, allowing for greater customization and organization without the risks and repetitions of a browser manager. It is almost impossible to memorize the hundreds of unique passwords the modern user requires, but there are safer ways to store them than a browser manager.

More secure alternatives

While your first thought may be to open your phone’s Notepad app or, if you’re a classic user, to resort to pen and sticky notes, your best alternative is often third-party, dedicated password management software with zero-knowledge architecture in its encryption policy. Zero-knowledge architecture means that the application storing and encrypting your passwords does not have the code to decrypt and access your information. Examples include Bitwarden, 1Password, Keeper or Dashlane. This architecture ensures that even if these companies’ servers get hacked, the hackers can’t see your data without also gaining access to your master password.
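To make the zero-knowledge idea concrete, here is an added example (not code from this article or from any of the products named above) of a vault encrypted on the client before it is synchronized. The function names, the sample data, and the choice of scrypt with AES-256-GCM are assumptions made for illustration.

```javascript
// Added example: client-side ("zero-knowledge") vault encryption using Node's built-in crypto.
// scrypt + AES-256-GCM are this example's choices, not any named product's documented design.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Stretch the master password into a 256-bit key. This runs on the user's device only.
function deriveKey(masterPassword, salt) {
  return scryptSync(masterPassword, salt, 32, { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Client side: encrypt the vault. The returned record is everything the sync server stores.
function sealVault(masterPassword, entries) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ciphertext: b64(body) };
}

// Client side: decrypt. Returns null for a wrong master password or a modified record.
function openVault(masterPassword, record) {
  const raw = (s) => Buffer.from(s, 'base64');
  try {
    const decipher = createDecipheriv('aes-256-gcm', deriveKey(masterPassword, raw(record.salt)), raw(record.iv));
    decipher.setAuthTag(raw(record.tag));
    const plain = Buffer.concat([decipher.update(raw(record.ciphertext)), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch {
    return null; // GCM authentication failed: wrong key or altered data
  }
}

// Constructed sample data (not real credentials).
const MASTER = 'constructed master passphrase';
const ENTRIES = [{ site: 'example.test', user: 'alice', password: 'S1te&Passw0rd!' }];

const serverCopy = sealVault(MASTER, ENTRIES);
console.log('server stores:', Object.keys(serverCopy).join(', '));
console.log('right password:', openVault(MASTER, serverCopy)[0].site);
console.log('wrong password:', openVault('guess', serverCopy));
```

The record held by the server contains only a salt, a nonce, an authentication tag and ciphertext, so a copy taken from the server is useless without the master password, which never leaves the device.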

Another advantage of dedicated password managers is they typically have cross-platform and cross-browser functionality. Built-in password managers tend to lock you into one ecosystem, while dedicated managers provide a password vault that travels with you and synchronizes with whichever device you are using.

Additional password hygiene tips

As a rule of thumb, keep all personal password information as far away from public or unsecured sites as possible. That includes avoiding sending passwords over messaging apps and using unencrypted or unprotected apps or managers to protect your passwords.

Another crucial tip is to always enable multi-factor authentication and biometric authentication when available, as it greatly decreases the risk that anyone aside from you can access your passwords. Losing a bit of time and typing out the texted numerical codes is better than losing banking information, credit card details or worse. Passwords are an integral part of modern identity, used to secure your online purchases and identity. Protecting them is one of the best things you can do to protect your digital life.

Read more: 

https://www.howtogeek.com/please-stop-using-your-browsers-built-in-password-manager/

https://www.cyber.gc.ca/en/guidance/password-managers-security-itsap30025

https://www.dashlane.com/blog/risks-using-browser-password-manager

https://www.wired.com/story/browser-password-managers/