Advice Request Browser-based vs. Dedicated Password Managers


CyberPanther

Level 6
Thread author
Verified
Well-known
Oct 1, 2019
295
By now, all browsers give you the option to save your passwords. The feature is enabled by default, and it’s a convenient way to store passwords and synchronize them across devices. But is it also safe? In what follows, we present some of the security risks of browser-based password managers and the advantages of using a dedicated password manager.

Pros and cons of browser-based password managers
Storing your passwords in your browser is the most straightforward way to log in to your accounts instantly. It’s an integrated functionality, so you don’t have to download an extra app, and it’s free. In addition, your passwords are kept in sync across all your devices. However, if you tend to use different browsers on your devices, you’ll have to update your passwords for each browser separately when you do your regular password change. For privacy-minded users, that means every six months. It might become a cumbersome task, especially if you tend to use three or more different browsers.

Speaking of password change, you need some creativity to come up with new passwords. Unlike dedicated password managers, browser-based password managers do not integrate a complex password generator. Some browsers, such as Firefox, offer suggestions for random passwords, but they do not allow customization, such as choosing a specific length or specific characters.

If you enjoy the flexibility of using different browsers, you should consider a dedicated password manager. Cybersecurity experts recommend using multiple web browsers, each for different activities. It is not only convenient, but it is also beneficial for your privacy and safety. For streaming, your priority might be speed, while for online banking, you might prefer the browser with the best security track record. Following popular wisdom, you shouldn’t put all your eggs in one basket – or keep all your cookies in one browser.

Source: Browser-based password managers vs. dedicated password managers | Avira Blog
 

Freud2004

Level 10
Verified
Well-known
Jun 26, 2020
440
I like Sticky Password, but in my office I don't have access because I can't install applications due to administrative privileges, and that is a big problem.
Perhaps a browser-based solution is better for me...


 

enaph

Level 28
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,787
I like Sticky Password, but in my office I don't have access because I can't install applications due to administrative privileges, and that is a big problem.
Perhaps a browser-based solution is better for me...


Or switch to a PM that doesn't require you to install a Windows app - like Bitwarden, for example.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
I can't install applications due to administrative privileges, and that is a big problem.
From a security perspective, blocking users from installing whatever they want is good practice.

Why would you use your own password manager in an Office / Work environment?

Do you have separate identities for Personal vs Work?

As suggested above, use a password manager that is compatible with the browser.
 

Freud2004

Level 10
Verified
Well-known
Jun 26, 2020
440
From a security perspective, blocking users from installing whatever they want is good practice.

Why would you use your own password manager in an Office / Work environment?

Do you have separate identities for Personal vs Work?

As suggested above, use a password manager that is compatible with the browser.


Sometimes I see personal things in the office, like MalwareTips and so, my personal passwords are required. ;)
 

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
708
I used to use Bitwarden for years. One year as free, and I've been a paid customer since the TOTP feature was released, so I don't need any 3rd party TOTP authenticator. It is browser-based, and awesome.
I always switch back to KeePassXC for an unknown reason. Probably because I like it more than any browser-based password manager. It also has the TOTP feature and they improved the software and the dedicated browser extension a lot in the last update, so respect.
I don't know any other password manager with in-built TOTP authenticator. Shame!
 

ForgottenSeer 85179

I don't know any other password manager with in-built TOTP authenticator. Shame!
As it doesn't make sense.
Storing two-factor authentication in the same database/the same location makes 2FA pointless. It's then only a "1FA".
 

SpiderWeb

Level 10
Verified
Well-known
Aug 21, 2020
468
Will never ever use browser-based passwords ever. I use Bitwarden Premium because it supports security keys and it's open source so the code is reviewed and tested for holes by everyone. I don't trust any closed source code near my passwords.
 

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
I don't know any other password manager with in-built TOTP authenticator.
Hi! 1Password is browser-based and offers an in-built TOTP authenticator. Dashlane offers that too, but the QR code needs to be scanned from your mobile phone. Enpass is not browser-based, but it offers an in-built TOTP authenticator. I guess RememBear offers that functionality, but I'm not sure about it.
 

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
708
Hi! 1Password is browser-based and offers an in-built TOTP authenticator. Dashlane offers that too, but the QR code needs to be scanned from your mobile phone. Enpass is not browser-based, but it offers an in-built TOTP authenticator. I guess RememBear offers that functionality, but I'm not sure about it.

Thanks. Good to know. (y)
 

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
708
As it doesn't make sense.
Storing two-factor authentication in the same database/the same location makes 2FA pointless. It's then only a "1FA".

I disagree. If the password manager is properly protected then it is completely fine to use the in-built TOTP feature.
2FA apps use the same encryption model as password managers. Also, we need backup codes to log in if we lose access to the 3rd party 2FA app for some reason.
Where should we store the backup codes if we can't store them in our password manager? Should we use another app or encrypted doc? It is complicated and also increases the risk of losing the backup codes.

If I follow your statement then we should use a different app for username, passwords, 2FA codes and backup codes. Different apps for everything.
 

ForgottenSeer 85179

I disagree. If the password manager is properly protected then it is completely fine to use the in-built TOTP feature.
Doesn't matter. 2FA means using a second factor. If you use a password manager for the first factor (the password), you can't use the TOTP codes from the same vault, as it's not a second factor.

2FA apps use the same encryption model as password managers.
That depends on the password manager and the 2FA app.

Also, we need backup codes to log in if we lose access to the 3rd party 2FA app for some reason.
Every site provides you the backup codes at 2FA setup and recommends saving them securely.

Where should we store the backup codes if we can't store them in our password manager? Should we use another app or encrypted doc?
You can print them or store them in another database which isn't on the same device/in the same cloud.
I print all these backup codes and put them in a safe, away from my house.

It is complicated and also increases the risk of losing the backup codes.
Security is always the enemy of comfort.

If I follow your sentence then we should use a different app for username, passwords, 2FA codes and backup codes. Different apps for everything.
No, and this isn't how it works nor what I recommended. Read what 2FA is.

Also, you should read about the future of 2FA, which is the FIDO2 standard. This includes WebAuthn but is backwards compatible with FIDO1 standards like U2F.
I'm talking about hardware tokens.
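
The disagreement above turns on what a TOTP code is derived from. The following is an added example, not part of any post in this thread: it implements RFC 6238 TOTP to show that a code is a function of the stored seed and the clock only, then compares two hypothetical storage layouts (the names `SAME_VAULT`, `SEPARATED` and the helper functions are assumptions made for illustration).

```python
import base64
import hashlib
import hmac
import struct

def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: a function of the seed and the clock only."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

# Constructed sample: the published RFC 6238 test key, base32-encoded the way
# authenticator apps and password managers store a TOTP seed.
SEED = base64.b32encode(b"12345678901234567890").decode()

# Hypothetical storage layouts: store name -> secrets kept in that store.
SAME_VAULT = {"vault": {"password", "totp_seed", "backup_codes"}}
SEPARATED = {
    "vault": {"password"},
    "phone_authenticator": {"totp_seed"},
    "printed_sheet": {"backup_codes"},
}

def login_possible(secrets):
    """A site with TOTP 2FA accepts password + (current code or a backup code)."""
    return "password" in secrets and bool(secrets & {"totp_seed", "backup_codes"})

def stores_that_alone_allow_login(layout):
    """Stores whose contents, by themselves, hold everything needed to log in."""
    return sorted(name for name, secrets in layout.items() if login_possible(secrets))

if __name__ == "__main__":
    print("code at t=59:", totp(SEED, 59))
    print("same vault :", stores_that_alone_allow_login(SAME_VAULT))
    print("separated  :", stores_that_alone_allow_login(SEPARATED))
```

With everything in one vault, that vault's protection (master password, encryption, any second factor on the vault itself) is the single barrier in front of both factors; with the seed and backup codes kept elsewhere, no single store is sufficient.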
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,003
Still finding KeePassXC the best solution for me, though having to re-connect to the desktop database can be a bit tedious, but it works well and built-in TOTP works fine.
 
