Google has added useful features to the built-in password manager in Chrome and Android that make it a real alternative to dedicated password managers. However, this isn’t enough to convince security experts to trust browsers to store passwords. “I am not a fan of storing passwords in any web browser,” Chris Hauk, consumer privacy champion at Pixel Privacy, told Lifewire over email. “However, this is especially true of a browser like Chrome, which has suffered numerous security and privacy breaches in the past.”
Wrong Tool for the Job
In an email exchange with Lifewire, Dahvid Schloss, Managing Lead, Offensive Security, at Echelon Risk + Cyber, said the rollout of the google password manager does seem to create a very nice ease-of-use application to share between a user’s devices. “But at the end of the day, the application is only as secure as its least secure device that uses it.” Stephanie Benoit-Kurtz, Lead Faculty for the College of Information Systems and Technology at the University of Phoenix, agreed. In an email, she told Lifewire that although browsers have come a long way in providing users with a simplified experience when storing logins and passwords to websites, using them to store passwords is a slippery slope. Benoit-Kurtz specifically pointed out two issues with storing passwords in browsers. The first is encryption, as web browsers depend on the device configuration for encryption settings. She said general users don’t fully appreciate the importance of encryption in protecting their devices. “The second challenge is that if a device with your browser settings is stolen or falls into someone else’s hands through hacking the bad actor may have access to all the login and password data to systems,” said Benoit-Kurtz. She also acknowledged that while browsers have come a long way with security, people still need to keep up with all patches, and necessary maintenance to keep them secure. Even then there are zero day threats that can make even fully updated browsers vulnerable. Schloss acknowledged that while he hasn’t yet tinkered with Chrome’s updated password manager, it doesn’t seem to be an addon module to Chrome. “This means that it is very well possible that this wouldn’t resolve the plain text storage issue that has been and is being abused by threat actors,” explained Schloss, “leading to all your passwords being breached if a threat actor was already on your device.”
Call on a Specialist
Instead of using browsers to store credentials, our experts recommend using specialized tools created explicitly for storing passwords. “For a more secure option, evaluate more advanced technology such as password vaults to keep logins and passwords secure,” suggested Benoit-Kurtz. “These tools typically are sold as a subscription and provide encryption, multi-factor authentication (MFA), and other technologies necessary to protect logins and passwords.” Hauk relies on the 1Password password manager, which he points out works across most popular platforms and apps and securely stores credentials in a well-encrypted database. “Password Managers enable you to create strong, complex passwords without having the memory of an elephant,” said Schloss, “and most of them provide some level of breach monitoring to let you know when you need to change a site password.” Schloss uses Keeper and Last Pass for his home and work devices, but suggests that while they both have their advantages, most people don’t need to use two password managers. He argued that most of the popular ones have cross-device support that makes them convenient to use. While many store your credentials on a third-party server, the data is encrypted end-to-end, which means your passwords are safe even if hackers breach your password manager’s servers. “That being said, any password manager is better than no password manager,” advised Schloss. He pointed out that reusing passwords is a lot more dangerous and a terrible practice to get into the habit of. “For example, in the event of a site being breached and the threat actors gaining access to your password, they could use that same password to gain access to your other accounts,” warned Schloss. “You gave them the keys to your castle at that point.”