The autofill prompt in browsers like librewolf. Or should you save passwords with a manager? I like the aspect of autofilling passwords and certain data.
You must log in or register to comment.
Saving the password in your browser is using a password manager; you’re just using the one built into your browser. The safety and security of using any individual password manager is pretty much up to how secure that particular password manager is, but generally speaking they all store passwords encrypted.
Ones built into a browser have the added attack vector of being potentially vulnerable from the browser itself vs a stand alone manager, but if you use a plugin for your favorite password manager they likely share a pretty similar attack vector possibility.
Either way, using a password manager is infinitely better than reusing passwords, so this is really just a long winded way of saying “no, not really”.
Dedicated password managers usually come with more security, control, and features, but you’re generally going to be fine using the one built into your browser.
Well I mean only when you have a master password for them, otherwise even if they are encrypted, one can just decrypt them like the browser would. Am I mistaken? Because in my mind storing passwords in browser is basically a password manager without the encryption…
password managers in the browser still store them encrypted. They usually authenticate via a passkey, in-built security in the OS like windows hello, or through other services such as SSO through google; That said, if you have them on auto-pilot with this authentication, anyone with access to the device can theoretically access them, though to actually view them in the password manager they usually require you to authenticate.
Browser password managers are sorta less secure than a third party one, assuming you turn on all the convenience features to make your life easier, but a lot of third-party password managers have the same convenience features a lot of the time anyways.
If you do not set a master password for the browser (that you have to type before the saved passwords are filled in), the despite what others have written, the passwords are not really encrypted. They are, it just doesn’t matter. Because they are encrypted with the password of you OS user. So they are unreadable if someone steals your device or to any other users on your system, but any malware that runs in your user context has full access to the passwords any time you are logged on to the machine.
Of course if you have malware on your system they can also log your master password as you type it, same with any other password manager. If you unlock the password save, it is available to malware in that moment.
Also if you use passwords for anything other than websites you should have a password save for those passwords as well so why not have one single save instead of one in your browser and one outside of it.
Tl:dr saving passwords in your browser is fine but you should absolutely set a master password. External password manager can be more pragmatic compared to browser only.
Where’s that comic about the incredible danger of someone having your password to root versus just access to the computer?
Ah, of course it’s xkcd. https://xkcd.com/1200/
Passwords (saved in firefox or a firefox derivative) are stored locally, and are encrypted. Passwords in a password manager are stored locally and encrypted, or are stored in the manager’s computer and are encrypted. If someone were to breach your computer’s security, there are probably larger vulnerabilities than the encrypted passwords that are stored locally, as noted in the comic.
That may not be the entire story when it comes to security, but I think it’s a good start.
Not to mention this one: https://xkcd.com/538
Browsers store their credentials in predictable places that make them easy targets for malware. There is account syncing hazard from using browser profiles. Even if you don’t sync your passwords, a hacker who gains access to primary email accounts can change the passwords of secondary accounts created by the primary account. For example, using Gmail for your bank account and recovery account to reset forgotten passwords.
To make browser manager password manager more secure, use master password and Two-Factor Authentication. Browser master password are usually localized, which only works against physical access to your device. Recommended for shared devices.
Reputable third-party password managers have better security.
Adding to what the others have said, if save your passwords in a password manager application (I’ll volunteer KeePass…), then you’re effectively doing a similar thing, but you can take the passwords with you to other devices.
So, I disable the browser’s option to save passwords (which avoids a potential security vulnerability) and use KeePass.
But, I’m working on 2~3 laptops and a phone, so losing the convenience of the browser autopopulating authentication fields is mitigated by having my passwords on multiple devices.
Im not sure anymore. I know they did not do it well at one point. I personally use online/offline with vaultwarden as online and keepassxp as offline. I keep important things offline only and things that are not important in the online.
For something like lemmy I would save it for convenience as i can always make a new account if something happens but for a bank not a chance. I use an offline password manager in that case.
