ab14

Level 6
By now, all browsers give you the option to save your passwords. The feature is enabled by default, and it’s a convenient way to store passwords and synchronize them across devices. But is it also safe? In what follows, we present some of the security risks of browser-based password managers and the advantages of using a dedicated password manager.

Pros and cons of browser-based password managers
Storing your passwords in your browser is the most straightforward way to log in to your accounts instantly. It’s an integrated functionality, so you don’t have to download an extra app, and it’s free. In addition, your passwords are kept in sync across all your devices. However, if you tend to use different browsers on your devices, you’ll have to update your passwords for each browser separately when you do your regular password change. For privacy-minded users, that means every six months. It might become a cumbersome task, especially if you tend to use three or more different browsers.

Speaking of password change, you need some creativity to come up with new passwords. Unlike dedicated password managers, browser-based password managers do not integrate a complex password generator. Some browsers, such as Firefox, offer suggestions for random passwords, but they do not allow customization, such as choosing a specific length or specific characters.

If you enjoy the flexibility of using different browsers, you should consider a dedicated password manager. Cybersecurity experts recommend using multiple web browsers, each for different activities. It is not only convenient, but it is also beneficial for your privacy and safety. For streaming, your priority might be speed, while for online banking, you might prefer the browser with the best security track record. Following popular wisdom, you shouldn’t put all your eggs in one basket – or keep all your cookies in one browser.

Source: Browser-based password managers vs. dedicated password managers | Avira Blog
 

Freud2004

Level 3
I like Sticky Password, but in my office I don't have access because I can't install applications due to administrative privileges, and that is a big problem.
Perhaps a browser-based solution is better for me...


 

Spawn

Administrator
Verified
Staff member
I can't install applications due to administrative privileges, and that is a big problem.
From a security perspective, blocking users from installing whatever they want is good practice.

Why would you use your own password manager in an Office / Work environment?

Do you have separate identities for Personal vs Work?

As suggested above, use a password manager that is compatible with the browser.
 

Freud2004

Level 3
From a security perspective, blocking users from installing whatever they want is good practice.

Why would you use your own password manager in an Office / Work environment?

Do you have separate identities for Personal vs Work?

As suggested above, use a password manager that is compatible with the browser.


Sometimes I see personal things in the office, like MalwareTips, and so my personal passwords are required. ;)
 

Thales

Level 9
I used to use Bitwarden for years. One year as a free user, and I've been a paid customer since the TOTP feature was released, so I don't need any 3rd-party TOTP authenticator. It is browser-based, and awesome.
I always switch back to KeePassXC for an unknown reason. Probably because I like it more than any browser-based password manager. It also has the TOTP feature, and they improved the software and the dedicated browser extension a lot in the last update, so respect.
I don't know any other password manager with an in-built TOTP authenticator. Shame!
 

SpiderWeb

Level 3
Will never ever use browser-based passwords ever. I use Bitwarden Premium because it supports security keys and it's open source so the code is reviewed and tested for holes by everyone. I don't trust any closed source code near my passwords.
 

The Cog in the Machine

Level 23
Verified
I don't know any other password manager with an in-built TOTP authenticator.
Hi! 1Password is browser-based and offers an in-built TOTP authenticator. Dashlane offers that too, but the QR code needs to be scanned from your mobile phone. Enpass is not browser-based, but it offers an in-built TOTP authenticator. I guess RememBear offers that functionality too, but I'm not sure about it.
 

Thales

Level 9
Hi! 1Password is browser-based and offers an in-built TOTP authenticator. Dashlane offers that too, but the QR code needs to be scanned from your mobile phone. Enpass is not browser-based, but it offers an in-built TOTP authenticator. I guess RememBear offers that functionality too, but I'm not sure about it.

Thanks. Good to know. (y)
 

Thales

Level 9
As it doesn't make sense.
Storing two-factor authentication in the same database / the same location makes 2FA pointless. It's then only "1FA".

I disagree. If the password manager is properly protected, then it is completely fine to use the in-built TOTP feature.
2FA apps use the same encryption model as password managers. Also, we need backup codes to log in if we lose access to the 3rd-party 2FA app for some reason.
Where should we store the backup codes if we can't store them in our password manager? Should we use another app or an encrypted doc? It is complicated and also increases the risk of losing the backup codes.

If I follow your statement, then we should use different apps for usernames, passwords, 2FA codes and backup codes. Different apps for everything.
 

security123

Level 26
Verified
I disagree. If the password manager is properly protected, then it is completely fine to use the in-built TOTP feature.
Doesn't matter. 2FA means using a second factor. If you use a password manager for the first factor (the password), you can't use the TOTP codes from the same vault, as it's not a second factor.

2FA apps use the same encryption model as password managers.
That depends on the password manager and the 2FA app.

Also, we need backup codes to log in if we lose access to the 3rd-party 2FA app for some reason.
Every site provides you the backup codes at 2FA setup and recommends saving them securely.

Where should we store the backup codes if we can't store them in our password manager? Should we use another app or an encrypted doc?
You can print them or store them in another database which isn't on the same device / in the same cloud.
I print all these backup codes and put them in a safe, away from my house.

It is complicated and also increases the risk of losing the backup codes.
Security is always the enemy of comfort.

If I follow your sentence, then we should use different apps for usernames, passwords, 2FA codes and backup codes. Different apps for everything.
No, and this isn't how it works, nor what I recommended. Read what 2FA is.

Also, you should read about the future of 2FA, which is the FIDO2 standard. This includes WebAuthn but is backwards compatible with the FIDO1 standard, like U2F.
I'm talking about hardware tokens.
 