All major browsers have a built-in password manager. So we should use them, right?
- I use my browser’s password manager because it’s convenient: with sync, I get all of my passwords on all of my devices.
- This convenience means that I can use a different password for every website, improving my security.
- This convenience means that my passwords can be long and hard to type, because I never have to do so.
- This means that I don’t even know my own passwords for many sites, and because I can rely on my password manager to only fill my passwords on the sites to which they belong, I cannot succumb to a phishing attack.
- Enabling the Microsoft Edge Password Manager enables security-improving features like Password Monitor (breach detection) and Password Generation (effortless strong passwords).
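The origin-bound fill in the list above is the property that makes a password manager phishing-resistant: it refuses to offer a credential to any page whose origin (scheme, host and port) is not the one the credential was saved on. The following is an added example, not code from the original post or from any browser's password manager: a small Node.js model of that fill decision over a constructed sample vault, showing which look-alike URLs are refused and why. The vault contents, the helper names and the reason codes are assumptions for illustration.

```javascript
// Added example: origin-bound autofill, the check that keeps a password
// manager from handing credentials to a phishing page.
// A constructed sample vault keyed by origin (scheme + host + port), which is
// how browser password managers scope a saved credential.
const VAULT = new Map([
  ["https://accounts.example.com",
   { username: "alice", password: "correct horse battery staple" }],
]);

// Canonical origin of a page URL. The WHATWG URL parser lowercases the host,
// converts Unicode hosts to punycode and drops default ports, so two spellings
// of the same site compare equal while look-alikes do not.
function originOf(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch {
    return null; // not a URL at all
  }
  // Only web origins can carry a credential; javascript:, data:, etc. never fill.
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.origin;
}

// The credential to fill for pageUrl, or null if none applies.
// Only an exact origin match fills: an https: credential is never offered to
// an http: page (downgrade), and neither subdomains nor look-alike hosts match.
function credentialFor(vault, pageUrl) {
  const origin = originOf(pageUrl);
  if (origin === null) return null;
  return vault.get(origin) ?? null;
}

// Classifies a refused URL so a manager could explain "not filling here".
// Reason codes are assumptions for this example, not a browser's own.
function whyNoFill(vault, pageUrl) {
  if (credentialFor(vault, pageUrl) !== null) return "match";
  let u;
  try {
    u = new URL(pageUrl);
  } catch {
    return "unparseable-url";
  }
  for (const saved of vault.keys()) {
    const s = new URL(saved);
    // Same host reached over plaintext http: while the credential was saved on https:.
    if (s.hostname === u.hostname && s.protocol === "https:" && u.protocol === "http:") {
      return "scheme-downgrade";
    }
    // accounts.example.com.evil.test: the real host is merely a leading label.
    if (u.hostname.startsWith(s.hostname + ".")) return "lookalike-prefix";
    // login.accounts.example.com: a subdomain is a different origin too.
    if (u.hostname.endsWith("." + s.hostname)) return "subdomain";
  }
  // Includes IDN homographs: a Cyrillic "а" in "exаmple" becomes a punycode
  // host that shares no origin with the saved one.
  return "unknown-origin";
}

// Stand-alone run: a constructed set of URLs, one legitimate and the rest phishing-shaped.
const SAMPLE_URLS = [
  "https://accounts.example.com/login?next=%2F",
  "https://ACCOUNTS.Example.com:443/",
  "http://accounts.example.com/login",
  "https://accounts.example.com.evil.test/login",
  "https://login.accounts.example.com/",
  "https://accounts.ex\u0430mple.com/", // Cyrillic a (U+0430)
  "javascript:alert(1)",
];
for (const url of SAMPLE_URLS) {
  const cred = credentialFor(VAULT, url);
  console.log(`${url}\n  -> ${cred ? "fill " + cred.username : "refuse (" + whyNoFill(VAULT, url) + ")"}`);
}
```

Note that exact-origin matching is the conservative baseline; real managers add controlled relaxations (for example, offering a credential saved on one host as a suggestion on a sibling host under the same registrable domain), and every such relaxation is a deliberate widening of what a phishing page can hope to receive.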
The easy answer is “Yes, use your browser’s password manager!“
The more nuanced answer begins: “Tell me about your threat model?”
As when evaluating almost any security feature, my threat model might not match your threat model, and as a consequence, our security choices might be different.
Here are the most relevant questions to consider when thinking about whether you should use a password manager:
- Is a password manager available for your platform(s)?
- What sort of attackers are you worried about?
- What sort of websites do you log into?
- Do you select strong, unique passwords?
- Are your accounts protected with 2FA?
- What sort of attacks are most likely?
- What sort of attacks are possible?
- How do you protect your devices?
- What’s your personal tolerance for inconvenience?
- Are you confident in the security of your password manager’s vendor?
- If you sync passwords, are you confident in the security of the design of the sync system?
- Does the password manager offer advanced features like breach detection and automatic password generation?
The answers to these questions might change your decisions about whether to use a password manager, and if so, whether you want to use the built-in password manager or use a password manager provided by a third-party.
For instance, if you’re sharing a Windows/Mac OS login account with someone you don’t trust, you should stop. If you cannot or don’t want to, you should not use a password manager, because there are trivial ways for a local user to steal your passwords one at a time, and simple mechanisms and tools to steal them all at once. Of course, even if you’re not using a password manager, a co-user can simply use a keylogger to steal your passwords one by one as you type them.
You should also lock (WinKey+L) your computer when you’re not using it.
While browser passwords are encrypted on disk, they’re encrypted using a key that any process running as your user account can use, including any locally-running malware. Even if passwords are encrypted in a “vault” by a master key, they’ll be decrypted when loaded in the browser’s memory space and can be harvested after you unlock the vault. Locally-running malware is particularly dire if your threat model includes the possibility of a worm running rampant within your enterprise: it could infect all of your employees’ machines and steal all of their passwords in bulk in seconds. (Yes, dear reader, I know that you’re thinking of clever mechanisms to mitigate these sorts of attacks. I assure you I can defeat every practical idea you have. It’s a fundamental law of computing.)
Password storage sync introduces another vector for theft– if an attacker can phish your sync service’s credentials, they could steal all of your passwords. If your password manager contains corporate creds, they could be stolen from your “personal” profile.
Primary Passwords: No Silver Bullet
Edge and Firefox offer a “Primary Password” mechanism to restrict autofill until you authenticate with Windows Hello (PIN/Fingerprint/etc) or supply a custom primary password.
It is critical to understand that these mechanisms are a useful hurdle against opportunistic theft by an attacker without tools (e.g. your eight-year-old), not a security boundary.
Locally-running malware or a motivated malicious co-user can circumvent the protection using the mechanisms described in the previous section. The documentation contains similar caveats.
Security Baseline Recommendations
Concern about instantaneous bulk theft and egress of credentials has led the authors of security configuration guidance to recommend disabling browser password managers. For instance, the Edge Security Baseline and the Chrome STIG have historically suggested preventing users from using the password manager. (I personally think this is a poor tradeoff that increases the greater risk of individual users getting phished, but I don’t write the configuration guidance.)
Some tech elites advocate for using a 3rd-party password manager, and some users really like them. Most 3rd-party password managers are designed with broader feature sets to help satisfy alternative threat models, including using a “primary password” to help protect against limited local attackers. Importantly, however, no password manager is able to operate securely on a PC compromised by malware. Many also include additional conveniences like automatic generation of strong passwords and roaming of passwords to mobile platforms and apps.
On the other hand, many external password manager applications are themselves a source of security vulnerabilities, and these products often end up growing extremely complicated due to the “Checkbox Wars” endemic to the security products industry.
Hacking expert Tavis Ormandy recommends using the Password Manager built into your browser, and he explains why, in depth.
When that’s not yet possible (because you don’t control the website): choose strong passwords, use a password manager if it satisfies your threat model, and enable 2FA if available, especially on the email account used for password sync and the one that receives password-recovery emails. If a site offers a choice of 2FA methods, prefer FIDO over authenticator-app codes (TOTP/HOTP), and authenticator-app codes over SMS text messages.
PS: Back in 2017, there was a bunch of press excitement about a privacy threat whereby autofilled credentials from the password manager might allow a website to identify a visitor before the user clicks the Login button. See this post for an exploration of this threat and its mitigations.