Stop using your browser’s built-in password manager. Here’s why

The choice between a browser password manager and a real password manager is clear

I get this question a lot: Should I use a password manager? The answer is simple… yes. But no matter how often I give that advice, many ignore it and continue using their browser’s built-in password manager. I get that, as using the browser password manager is convenient and doesn’t require that you install yet another piece of software. 

Everyone is busy, and having to take an extra step just to log into one of your many accounts can cut into your productivity. No one wants that.

However, let me ask you another question: Is that slight hiccup to your workflow worth the peace of mind you get knowing your passwords are safe? If you answered yes, then I suggest you download one of the many powerful password managers and start making the transition. If your response was a resounding no, I suggest you continue reading.

One of the big issues, with regard to browsers and passwords, is the vast majority of users opt for the Chrome browser. Among all of the popular web browsers (Chrome, Firefox, Edge, Safari, Opera, Brave, and Vivaldi), that particular browser is one of the most insecure. 

Part of the reason for this is such widespread usage places a target on the browser’s back. This isn’t the only reason, however. You’ll also find Google releases a steady stream of warnings that users must upgrade Chrome due to one or more severe vulnerabilities. And given users’ propensity for neglecting such updates, a great many Chrome installations remain insecure.

And then there’s the ubiquitous Chromebook. In 2022, nearly 30 million Chromebooks were shipped. I know plenty of Chromebook users who depend on Chrome as their password manager of choice. By doing so, they can even powerwash their machine and, upon logging back in, still have quick access to all of their passwords. 

Allow me to show you something. I have Chrome installed on my Pop!_OS desktop. I don’t use Chrome but I have it ready, in case I need to write about it. I do not allow any of my browsers to save passwords. 

Instead I use a password manager. However, for the purpose of this point, I added a text password entry into Chrome to illustrate how easy it would be for anyone to hop onto your desktop and steal your passwords.

Here’s how it works:

  1. Stand at my desk.
  2. Open Chrome.
  3. Go to Settings > Autofill > Password Manager.
  4. Locate the password you want to view.
  5. Click the eye icon.
  6. View the password.

One thing to note is that the above workflow depends on the OS. On Linux, there is no password protection for the Chrome password manager, so the above scenario applies. On macOS and Windows, the password manager behaves in a similar fashion to ChromeOS: the first time you need to view an entry, it will prompt you for your user password. After you’ve entered that password, you can view another entry without authenticating for the next 60 seconds.

That means if you successfully type your password to view an entry and leave the Settings tab open, someone else could follow behind you and (before the 60-second timeout window expires) view a password without having to authenticate to your account. Of course, 60 seconds isn’t much time but it is enough, should you view a password and immediately walk away from your desk.

Those are some very specific criteria for someone to steal a password. And, you could just find yourself in the same situation with a password manager. I have my password manager set to auto-lock after five minutes of inactivity, but I work from home and it’s almost always only myself and my wife in the house. On my mobile devices, that timeout is set to Immediately. So, as soon as I view a password entry and close the app, the vault locks.

Yes, it does require a specific set of circumstances for someone to steal those passwords, but it is possible. 

Let’s go back to the desktop version of Chrome. Unlike Firefox, Google’s desktop browser doesn’t have a true primary password feature. What this feature does (at least on Firefox) is lock your passwords behind a primary password (just like a password manager). Once you’ve set the Firefox primary password, passwords cannot be viewed or even used by the browser until you successfully authenticate. That feature can protect your saved passwords from prying eyes. 

Even better, it prevents someone from opening your web browser and logging into an account for which you’ve saved the password to the browser. Until that primary password is entered, those passwords may as well not even exist in your browser. Chrome doesn’t have an analogous feature. So, if you save account passwords in Chrome, as long as someone can access your desktop, they can access those accounts.

Even so, web browsers are simply not the most secure pieces of software on your computer. With them, you transmit data (sometimes in plain text) and even your passwords are often synced to an external server. Can those passwords be intercepted in transit? Sure they can. Are they viewable by that third party? Not easily. 

But why take a chance, when you can adopt a password manager that alleviates so many of the problems with entrusting your passwords to a less secure system? And there are so many password managers available, most of which are free to use.

I’m not saying every password manager is 100% safe. If your computer is connected to a network, nothing is 100%. Even if your computer isn’t connected to a network, there’s always the possibility it can be hacked. Along with technology comes the understanding that it’s not a matter of “if” but “when” an account will be compromised. Because of that, you should consider taking every possible step to remain as secure as possible. To that end, consider the following advice:

  • Use a secure browser like Firefox or Brave.
  • Never allow your browser to save your passwords.
  • Adopt a password manager.
  • Use two-factor authentication for every account as well as your password manager.
  • Always use randomly generated passwords from your password manager.
  • If your browser of choice has a primary password feature, use it.
  • Set your password manager to auto-lock its vault immediately after use.
  • If using a Chromebook, enable Linux and install a password manager.

Follow the above advice and you’ll be considerably more secure than you would if you were simply using Chrome, allowing it to save your passwords, and depending on its built-in password manager.
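On a Linux desktop like the one described earlier, two items from the list (never let the browser save passwords, and use the primary password where it exists) can be enforced machine-wide with managed browser policies. The script below is an added example, not part of the original article; the function names, the file name `no_saved_passwords.json` and the root-directory argument are assumptions made here, while the policy keys and directories are the ones Chrome and Firefox read on Linux.

```shell
#!/bin/sh
# Added example: write managed policies so Chrome stops saving passwords and
# Firefox stops offering to save logins and requires a primary password.
# Usage on a real system (as root): write_browser_policies /
# Passing another directory (assumption, for dry runs) writes under that root.

write_browser_policies() {
    [ -n "$1" ] || { echo "usage: write_browser_policies ROOT" >&2; return 1; }
    root="${1%/}"   # "/" becomes "", so paths below start at /etc
    chrome_file="$root/etc/opt/chrome/policies/managed/no_saved_passwords.json"
    firefox_file="$root/etc/firefox/policies/policies.json"

    # Never clobber policies an administrator has already deployed.
    for f in "$chrome_file" "$firefox_file"; do
        if [ -e "$f" ]; then
            echo "refusing to overwrite existing $f" >&2
            return 2
        fi
    done

    mkdir -p "$(dirname "$chrome_file")" "$(dirname "$firefox_file")" || return 1

    # Chrome: disable saving passwords to the built-in password manager.
    cat > "$chrome_file" <<'EOF'
{
  "PasswordManagerEnabled": false
}
EOF

    # Firefox: do not offer to save logins; require a primary password.
    cat > "$firefox_file" <<'EOF'
{
  "policies": {
    "OfferToSaveLogins": false,
    "PrimaryPassword": true
  }
}
EOF
    chmod 644 "$chrome_file" "$firefox_file"
}

# Print the boolean value of KEY from a policy file written above.
policy_value() {
    sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p" "$1"
}
```

After restarting the browsers, `chrome://policy` and `about:policies` show whether the settings were picked up. Disabling `PasswordManagerEnabled` stops new saves only; entries already stored in Chrome remain and have to be deleted separately.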

Your passwords are the keys to so many “kingdoms” and you should treat them as if they are precious cargo. Take every step you can to protect yourself, even if it means disrupting the workflow you’ve created.

Be safe… not sorry.


Posted in Tip.