8

Possible Duplicate:
How are browser saved passwords vulnerable?

How secure are the password managers that are built into modern web browsers?

Currently I use the LastPass plugin, as I believed the browser-based password managers were not secure. It is also the solution that I promote when friends and clients ask me about password security. However, I recently noticed that Firefox and Opera have the ability to set a master password on their stored passwords. I also notice that Chrome does not have such a feature (or am I missing something somewhere?).

Are these browser-based password managers, with master passwords turned on, any good?

Should I continue to advocate lastpass and similar to my friends?

OR

Should I advise them to simply enable the master password option on their browser of choice?

Rincewind42

4 Answers

2

Personally, I use browser-based password managers. As far as I'm concerned, they're secure enough.

I don't bother with a master password, as (a) no one else uses my machines, (b) I have good physical security on them, and (c) my machines are secured enough that I'm not very worried about malware on them. As far as I am aware, browser-based password managers are fine for almost all web sites (including, e.g., webmail, e-commerce, etc.).

I do make one exception: I do not trust my online banking passphrase to my browser's password manager. (But my bank has things set up so that my online banking passphrase won't be stored in my browser's password manager anyway.)

The primary downside with browser password managers is (as far as I am aware) not security, but rather convenience: if you have more than one computer (e.g., a home PC and a laptop), then you'll need to manually keep the passwords on all of them in sync. If you are in that situation, you might look at Firefox Sync or Chrome password sync, to keep your passwords updated on all your browsers. In that situation, make sure your master password is long and strong.

D.W.
  • This doesn't really answer my question. In your circumstance it may be OK to use the browser-based password manager, but I was asking about what I can recommend to others. Other people (a) do share machines, (b) don't have good physical security, and (c) do visit dodgy websites and download malware. My question is what do you recommend to these people. – Rincewind42 Aug 05 '11 at 00:17
  • WRT the downsides you mention, there are two more convenience ones. If you clear your private data from the browser then your passwords are all lost. Also, Chrome and FF seem to remember passwords per page, not per site. On convenience, LastPass still wins in my book as it essentially functions like the browser's manager but is a bit more refined and easier to use. – Rincewind42 Aug 05 '11 at 00:22
  • @Rincewind42: OK, fair enough! That makes sense -- sorry for the unhelpful answer. – D.W. Aug 05 '11 at 01:31
1

I myself do not trust storing passwords in browsers. Having the master password set is one thing, but once you open up your browser the passwords are unlocked and I think they can be read from that point. Second, when closing your browser with tabs you need to unlock your passwords for every tab (a bit off topic).

Chrome indeed doesn't have a master password feature, though it has been requested from the start.

If I were you I would continue using external password managers or just not use any password manager. The last is still my favourite. I use the same passwords for different kinds of access (e.g. servers of type a have password x, servers for forums have pass b, etc.).

Goez
  • I used to do what you do, and use a set of 5 or 6 passwords depending on the status and importance of the site. However, I changed. For very important systems such as my bank account or my web server root, I keep it in my head. But rather than re-use one password for all the web forums, blogs, facebook, twitter and so on, I felt using a password manager would be more secure and simpler. – Rincewind42 Aug 04 '11 at 13:50
  • KeePass does the trick for me... (though I only access it when I forget an old or rarely used password) – Ormis Aug 04 '11 at 14:36
  • I tried KeePass before. Personally I like to keep things attached to the browser as that is where I use passwords most. I also like the portability of browser-based systems as I often hop between Windows and Linux and have more than one PC in the house. Lastly, with KeePass I have to worry about backups as it would be dreadful to lose the password file. – Rincewind42 Aug 05 '11 at 00:28
  • @Goez If you use Firefox's password manager, the passwords are not unlocked when the browser is open. When you ask the manager to fill in a password field, it then prompts you for the master password at that point. – Rincewind42 Aug 06 '11 at 09:30
1

The biggest issue for me is that, putting all the eggs in one basket means a massive yield when they are compromised. However one has to balance this with the current situation where most passwords exist in one place - in the user's head - and that often provides much weaker protection - hence phishing.

It would be really nice to get a browser-integrated password manager which:

  1. provided secure syncing / remote backup so I could use it on all my machines
  2. gave alerts if I supplied an existing password to a different site (hence the requirement for browser integration). About the only feature in Rapport I think genuinely useful!

I did have a look around for such a program - but realised, even if I could find such a thing - it would probably be a 3rd party add-on. Do I trust 3rd party tools?

i.e. how secure they are perceived to be is, as usual, more important than how secure they are. Even for me.

Certainly just now I'm using third party tools for storing my passwords (axcrypt, PGP) - but not ones integrated into the browser / connected directly to the internet!

symcbean
  • Using a password manager needn't be putting all your passwords in one basket. The most important passwords can be kept in your head. The password manager can keep all the other rarely used and easily forgotten passwords. – Rincewind42 Aug 06 '11 at 09:19
  • As for your point No.2, a good feature but a change in habit can work too. Rather than keying in a URI then getting the manager to fill in the password, you should use the password manager app to select the site you wish to visit. The password manager will open a new tab or window with the correct address and enter the login details ensuring that you never enter the login details on the wrong site. – Rincewind42 Aug 06 '11 at 09:23
  • @Rincewind42 I think he was talking about password reuse - to be alerted if the password he is setting up was already used elsewhere for different service. However I dunno how that would work (the SW would have to read what you put in a registration form and figure out what is a password field). – jena Nov 02 '19 at 20:07
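
One way the reuse alert from point 2 of the answer above could work, as an added example that is not part of the original thread: the manager keeps a keyed fingerprint (HMAC-SHA256) of each saved password per site and warns when the same fingerprint turns up on another site. The `ReuseDetector` class, the use of the exact hostname as the "site", and the sample sites and passwords are assumptions made for illustration.

```javascript
const { createHmac, randomBytes } = require('node:crypto');

class ReuseDetector {
  // key: per-profile secret; it must be protected like the vault itself,
  // because key + fingerprints allow offline guessing of weak passwords.
  constructor(key = randomBytes(32)) {
    this.key = key;
    this.sitesByFingerprint = new Map(); // hex fingerprint -> Set of sites
  }

  // Simplification: the "site" is the exact hostname. A real manager
  // would compare registrable domains using the Public Suffix List.
  static siteOf(url) {
    const u = new URL(url);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') {
      throw new Error(`unsupported scheme: ${u.protocol}`);
    }
    return u.hostname.toLowerCase();
  }
  fingerprint(password) {
    return createHmac('sha256', this.key).update(password, 'utf8').digest('hex');
  }
  // Sites other than `url`'s own where this password is already recorded.
  reusedOn(url, password) {
    const site = ReuseDetector.siteOf(url);
    const known = this.sitesByFingerprint.get(this.fingerprint(password));
    return known ? [...known].filter((s) => s !== site).sort() : [];
  }

  // Record a saved credential; returns the reuse warning list first.
  remember(url, password) {
    const warnings = this.reusedOn(url, password);
    const fp = this.fingerprint(password);
    if (!this.sitesByFingerprint.has(fp)) this.sitesByFingerprint.set(fp, new Set());
    this.sitesByFingerprint.get(fp).add(ReuseDetector.siteOf(url));
    return warnings;
  }
}

// Constructed sample data (hypothetical sites and passwords).
function demo() {
  const d = new ReuseDetector();
  d.remember('https://forum.example/login', 'correct horse');
  d.remember('https://shop.example/account', 'battery staple');
  return {
    sameSite: d.reusedOn('https://forum.example/reset', 'correct horse'),
    otherSite: d.reusedOn('https://blog.example/signup', 'correct horse'),
    fresh: d.reusedOn('https://blog.example/signup', 'never used'),
  };
}
```

Calling `reusedOn` at form-submit time covers both cases raised in the comments: choosing an already-used password at registration, and typing a saved password into a site it was never saved for.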
0

Are these browser based password managers, with master passwords turned on, any good?

-I never thought about using both applications. I would think one would supersede the other. Probably Lastpass. In terms of functionality, Firefox and free Lastpass are very similar so using both might not be necessary. If password management is a high priority then suggest an application or even a device like MyLOK.

Should I advise them to simply enable the master password option on their browser of choice? -I think it depends on the browser they use and the type of security they're looking for. After all, not everyone has 50 passwords they need to remember. If they're a relatively "light" user then the browser password keeper should be fine.

  • Using both Lastpass and Firefox's password managers at the same time creates a mess. You have to choose one or the other. If you use lastpass you need to disable Firefox's password manager. – Rincewind42 Aug 06 '11 at 09:27