Are password manager extensions recommended/worth using?

Hello.

I’m feeling a little tempted to try the KeePassXC browser extension after years of copy-pasting passwords. Is it worth it? Saving a few clicks seems nice and it reduces the risk of opsec fails like pasting passwords in a chat field or being phished, but I’m a little worried since it needs to talk to processes outside the browser… If there’s a vulnerability in the extension, couldn’t it potentially aid in a sandbox escape? Not to mention that the entire password database would be compromised.

1 Like

Unless you have a really high and specific threat model - you would more likely than not already know what to do.

But since you’re asking - I simply recommend sticking with Bitwarden or Proton Pass. They are very affordable and the extensions are great and also support passkeys. These extensions are safe, private, and secure.

The extension for KeePassXC has been a nightmare to get to work well for a long time. I do not think it is worth it.

3 Likes

If you’re using an extension you might just as well stick with the browser password manager, which should be just as secure if not even more so.

3 Likes

Thanks. Does Bitwarden/Proton not require a desktop “companion” then? If so, that’s cool. I wonder if self-hosting Bitwarden locally is worth it. For now I’m just using the in-browser password manager for password suggestions and committing (via copy+paste) new passwords to the KeePassXC database whenever I make a new account or change a password.

No, they do not. Yes, that is cool.

As for the rest of your comment - in-browser password management is horrendous. Please just use Bitwarden or Proton Pass instead. The extensions work really well.

1 Like

No. You just need to connect to your BW/Proton account via the extension and you’re good to go.

It’s not good since the clipboard is not encrypted, meaning that if malware gets onto your device, it can read what you copied and pasted (which in this case is your password).

1 Like

I’ve used the Bitwarden extension for years and am very happy with it.

Why? I am committing the changes to the main KeePassXC database, so there is no risk of data loss there due to some random browser update. I’m looking into hosting Vaultwarden though, seems fun.

If that happens then I’m already fully compromised :confused:

1 Like

Using built-in browser password managers is not recommended:

Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have.

For example, the password manager in Microsoft Edge doesn’t offer E2EE at all. Google’s password manager has optional E2EE, and Apple’s offers E2EE by default.

1 Like

Browser extensions are generally not recommended either.

Tavis Ormandy (former Google Project Zero member) also thinks the built-in password manager is favourable over extensions:
https://lock.cmpxchg8b.com/passmgrs.html

3 Likes

I mean… doesn’t it all come down to threat models again?

rolls eyes

Genuinely not being sarcastic here but there’s always a con to a pro and always some drawback to something. These kinds of hindrances never end… there’s always something.

It all depends on the balance between convenience, privacy and security based on the threat model you have.

Also, no matter how big of an expert you are - in this day and age, when Google Chrome is as bad as it is with its privacy and lately even security - I am not going to listen to someone who still uses Chrome as a browser (as that linked post says). Just bad advice to use Chrome in 2024.

Also from the linked article:
“If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality”

Really? Same functionality? I’m not sure how old that post is but this is objectively incorrect because password managers do a LOT more than just saving usernames and passwords these days.

So, I’m sorry but your argument may not fully stand and it certainly hasn’t convinced me.

Edit: I now see that the linked article is 3 years old. In the world of privacy and security, anything older than 12 months with no update on the matter should be a non-starter to even consider following advice about. Just my opinion.

3 Likes

There’s no easy or definitive answer to all of this.

It securely stores and fills in your username & password for you. Everything else is just candy on top. :wink:

Not trying to convince anyone. Keep in mind though that Tavis Ormandy is a world class security expert and hacker so I wouldn’t easily dismiss his opinion.

3 Likes

I vehemently disagree. But you have your views and I have my understanding on the matter.

That may be. But it’s a 3-year-old piece of “advice” or thoughts from him. I or anyone else should not follow it.

Also,

It is a password manager. A piece of software that is meant to store highly sensitive info. There is absolutely no justification for using your browser’s built-in one. ESPECIALLY Chrome.

The fact that this person has written that is enough - for me at least - to not take that person seriously in any capacity. Again, personal views here.

But the browser is already trusted with the passwords. It’s the web browser. Storing passwords in plaintext is never good, but in a secure system other applications shouldn’t have access to it and the system partition should be encrypted.

1 Like

Can you explain this? If I am not storing it in the built-in password manager, then how is it already trusted? Do you mean just by simply signing into websites it is trusted?

My contention is more with the article saying using Chrome is okay. Using Chrome is never okay. That’s one hardline thinking I will not change of mine.

1 Like

The browser is already trusted with handling the passwords that you input into it; if it were malicious, your passwords would be compromised regardless of whether you use the built-in password manager or not. I don’t see how trusting the browser with password management is bad due to the activity being privacy sensitive (it can be really bad if you rely solely on it and lose your passwords, hence why I only use it right now as a secondary thing so that I don’t have to retype my passwords every time on websites that refuse to save my logins).

4 Likes

Like I said before, my contention is with Google and Edge more than anything else. Because they sync with their servers and I don’t like that. No one should like or want that. It doesn’t make it private. It may make it “secure” but even that (with the new Chrome gaffe) it is questionable.

Either way, using the built-in browser one, with its highly limited capacities feature- and functionality-wise compared to dedicated password managers, is not good OPSEC. This is not news.

1 Like

I’ve never had a problem with it, the KeePassXC add-on, in multiple browsers. There’s just the Browser Integration tab in the KeePassXC application’s Database Settings to enable.