Advice Request Browser-based vs. Dedicated Password Managers

Please provide comments and solutions that are helpful to the author of this topic.
CyberPanther

CyberPanther

Level 7
Thread author
Verified
Well-known
Oct 1, 2019
303
By now, all browsers give you the option to save your passwords. The feature is enabled by default, and it’s a convenient way to store passwords and synchronize them across devices. But is it also safe? In what follows, we present some of the security risks of browser-based password managers and the advantages of using a dedicated password manager.

Pros and cons of browser-based password managers
Storing your passwords in your browser is the most straightforward way to log in to your accounts instantly. It’s an integrated functionality, so you don’t have to download an extra app, and it’s free. In addition, your passwords are kept in sync across all your devices. However, if you tend to use different browsers on your devices, you’ll have to update your passwords for each browser separately when you do your regular password change. For privacy-minded users, that means every six months. It might become a cumbersome task, especially if you tend to use three or more different browsers.

Speaking of password change, you need some creativity to come up with new passwords. Unlike dedicated passwords managers, browser-based password managers do not integrate a complex password generator. Some browsers, such as Firefox, offer suggestions for random passwords, but they do not allow customization, such as choosing a specific length or specific characters.

If you enjoy the flexibility of using different browsers, you should consider a dedicated password manager. Cybersecurity experts recommend using multiple web browsers, each for different activities. It is not only convenient, but it is also beneficial for your privacy and safety. For streaming, your priority might be speed, while for online banking, you might prefer the browser with the best security track record. Following popular wisdom, you shouldn’t put all your eggs in one basket – or keep all your cookies in one browser.
Click to expand...

Source: Browser-based password managers vs. dedicated password managers | Avira Blog
 
Last edited by a moderator:
  • Like
Reactions: Step 1, Viking, Protomartyr and 3 others
Freud2004

Freud2004

Level 10
Verified
Well-known
Jun 26, 2020
440
I like sitckypassword, but in my office i don't have access because I can't install applications do to administrative privileges, and that is a big problem.
Perhaps browser-based solution is better for me...


1598616536617.png
 
  • Like
Reactions: Protomartyr and oldschool
enaph

enaph

Level 29
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,897
Freud2004 said:
I like sitckypassword, but in my office i don't have access because I can't install applications do to administrative privileges, and that is a big problem.
Perhaps browser-based solution is better for me...


View attachment 245611
Click to expand...
Or switch to a PM that doesn't require you to install Windows app - like Bitwarden for example.
 
  • Like
Reactions: Gangelo, Protomartyr and oldschool
I

Ink

Administrator
Verified
Jan 8, 2011
22,489
Freud2004 said:
I can't install applications do to administrative privileges, and that is a big problem.
Click to expand...
From a security perspective, blocking users from installing whatever they want is good practice.

Why would you use your own password manager in an Office / Work environment?

Do you have separate identities for Personal vs Work?

As suggested above, use a password manager that is compatible with the browser.
 
  • Like
Reactions: Protomartyr, ForgottenSeer 85179, Gandalf_The_Grey and 1 other person
Freud2004

Freud2004

Level 10
Verified
Well-known
Jun 26, 2020
440
Spawn said:
From a security perspective, blocking users from installing whatever they want is good practice.

Why would you use your own password manager in an Office / Work environment?

Do you have separate identities for Personal vs Work?

As suggested above, use a password manager that is compatible with the browser.
Click to expand...


Sometimes I see personal things in the office, like MalwareTips and so, my personal passwords are required. ;)
 
  • Like
Reactions: oldschool and Protomartyr
Thales

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
732
I used to use Bitwarden for years. One year as free and I'm a paid customer since the TOTP feature has been released, so don't need any 3rd party TOTP authenticator. It is browser based, and awesome
I always switch back to KeepassXC for an unknown reason. Probably because I like it more than any browser based password manager. It also has the TOTP feature and they improved the software and the dedicated browser extension a lot in the last update, so respect.
I don't know any other password manager with in-built TOTP authenticator. Shame!
 
  • Like
Reactions: Protomartyr and JB007
F

ForgottenSeer 85179

Thales said:
I don't know any other password manager with in-built TOTP authenticator. Shame!
Click to expand...
As it doesn't make sense.
Storing two-factor-authentication in the same database/the same location makes 2FA pointless. It's then only a "1FA"
 
  • Like
Reactions: JB007
SpiderWeb

SpiderWeb

Level 13
Verified
Top Poster
Well-known
Aug 21, 2020
615
Will never ever use browser-based passwords ever. I use Bitwarden Premium because it supports security keys and it's open source so the code is reviewed and tested for holes by everyone. I don't trust any closed source code near my passwords.
 
  • Like
Reactions: Protomartyr and JB007
Divine_Barakah

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Thales said:
I don't know any other password manager with in-built TOTP authenticator.
Click to expand...
Hi! 1Password is browser-based and offers in-build TOTP authenticator. Dashlane offers that too but QR code needs to be scanned from your mobile phone. Enpass is not browser-based but it offers in-built TOTP authenticator. I guess Remembear offers that functionality but not sure about it.
 
  • Thanks
  • Like
Reactions: Protomartyr, JB007 and Thales
Thales

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
732
The Cog in the Machine said:
Hi! 1Password is browser-based and offers in-build TOTP authenticator. Dashlane offers that too but QR code needs to be scanned from your mobile phone. Enpass is not browser-based but it offers in-built TOTP authenticator. I guess Remembear offers that functionality but not sure about it.
Click to expand...

Thanks. Good to know. (y)
 
  • Like
Reactions: JB007
Thales

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
732
security123 said:
As it doesn't make sense.
Storing two-factor-authentication in the same database/the same location makes 2FA pointless. It's then only a "1FA"
Click to expand...

I disagree. If the password manager is properly protected then it is completely fine to use the in-built TOTP feature.
2FA apps use the same encryption model than password managers. Also we need backup codes to login if we lost access to the 3rd party 2FA app for some reason.
Where should we store the backup codes if we can't store that in our password manager? Should we use another app or encrypted doc? It is complicated and also increase the risk to lose the backup codes.

If I follow your statement then we should use different app for username, passwords, 2FA codes and backup codes. Different apps for everything.
 
Last edited:
  • Like
Reactions: JB007
F

ForgottenSeer 85179

Thales said:
I disagree. If the password manager is properly protected then it is completely fine to use the in-built TOTP feature.
Click to expand...
Doesn't matter. 2FA mean using a second factor. If you use a password manager for first factor (the password), you can't use the TOTP codes from the same vault as it's not a second factor.

Thales said:
2FA apps use the same encryption model than password managers.
Click to expand...
That depends on password manager and the 2FA app

Thales said:
Also we need backup codes to login if we lost access to the 3rd party 2FA app for some reason.
Click to expand...
Every site provide you the backup codes at 2FA setup and recommend saving them secure.

Thales said:
Where should we store the backup codes if we can't store that in our password manager? Should we use another app or encrypted doc?
Click to expand...
You can print them or store in another database which isn't on same device/ in same cloud.
I print all these backup codes and put them in a safe, away from my house.

Thales said:
It is complicated and also increase the risk to lose the backup codes.
Click to expand...
Security is always comfort enemy

Thales said:
If I follow your sentence then we should use different app for username, passwords, 2FA codes and backup codes. Different apps for everything.
Click to expand...
No and this isn't how it works nor what i recommended. Read what 2FA is.

Also you should read about the 2FA future which is the FIDO2 standard. This include WebAuthn but is backwards compatible with FIDO1 standard like U2F.
I'm talking about hardware token.
 
  • Like
Reactions: Thales, enaph, JB007 and 1 other person
ErzCrz

ErzCrz

Level 24
Verified
Top Poster
Well-known
Aug 19, 2019
1,323
Still finding KeepassXC the best solution for me though having to re-connect to the desktop database can be a bit tedious but it works well and built-in TOTP works fine.
 
  • Like
Reactions: Protomartyr and harlan4096

Similar threads

lokamoka820
    • Like
Guide | How To 7 Common Password Manager Issues and How to Fix Them (Beginners Guide)
Replies
4
Views
754
Passwords and passkeys
lokamoka820
lokamoka820
Victor M
    • HaHa
    • Like
    • Applause
Serious Discussion Password Managers are a waste of money
Replies
42
Views
5,083
Passwords and passkeys
LoneWolf.
LoneWolf.
Brownie2019
On Sale! Sticky Password Premium (Lifetime / 1 Device)€19.52
Replies
5
Views
1,629
Discounts and Deals
n8chavez
n8chavez

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top