Bully for you! Not for me and I bet many others too.
You won’t be able to use passkeys on desktop without them.
On Brave your passwords get synced in an e2ee “sync chain” over which you have full control. Also the passwords are locally stored in your keychain on macOS and Linux (not sure about how Windows handles it), which is as secure as it gets.
This is cool functionality, but still has the potential issue of aiding in a sandbox escape if there’s a vulnerability there (since it needs to talk to things outside the sandbox), no? Is there a reason to trust that Brave can do this more securely than the KeepassXC extension?
The problem with this is that you’re now relying on a browser to handle these passwords for you, you’re now entitled to the ecosystem, making browser/ecosystem switching (a little) harder than before. With standalone password managers like 1Password or Bitwarden, you don’t have to rely on a browser, and you can use it on any browser, regardless of the operating system you’re using and regardless of the browser you’re using.
Also, I’ve just done a bit of testing with Brave’s password manager and I was very surprised that you can’t generate passwords directly from Brave’s settings, and if you generate a password from a website, you have no customisation for password generation: it generates a (16-character?) password with no special characters and AFAIK there’s no way to change that. Since Brave is Chromium-based, I guess this is the same for any Chromium-based browser (maybe with the exception of Edge, which is Chromium-based but changes a lot of things about the UI and such).
Just read it. Holy shit. He is right about the breaking of the sandbox. On the other hand, Chrome’s password implementation does not have E2EE, afaik. Probably he is fine with Google knowing his passwords.
There is E2EE but it’s optional as far as I know.
Forgive me for not trusting the “world-class security team” the author thinks works at Firefox, Chrome, etc., especially when the built-in password manager is prone to the same problems that the author cites (another case, just for fun, in Firefox for Android). Also, no password manager worth the name would accidentally make your passwords disappear because they were building a new feature.
Now let’s come to the criticisms:
- Most of the critique in the blog is around poor JS implementations and infrastructure security, both of which are also problems in browsers. It is a problem of the tech stack (JS, the web), not of the tool (browser password managers or password extensions), as shown in the security audits of openpgpjs.
- The next big critique is implementation, and I agree that most won’t actually implement it well. But that should not discourage users from the services that implement it well. I would trust the maintainers of openpgpjs to actually know how to implement this. Bad implementation is on the provider, not the protocol (otherwise similar critiques are available against FIDO2).
100%. Someone’s threat model may not even allow passwords on notebooks, while for others it may allow a sticky note on monitor with the password scribbled on.
My recommendation is to see your threat model. I use a password manager extension, because I have offline on-person mandatory MFA and account monitoring that would stop people from taking over accounts. So, it allows me to not type 32-64 characters of random gibberish that are my passwords, and also not have to clean my clipboard or worry about snooping of clipboard history.
Off-topic
Ideally, we would NOT depend on passwords as the ultimate defense. Password managers allow people to generate and store hard-to-guess passwords, that’s it. You should ideally always have an MFA method that requires physical possession (hardware keys, passkeys, even offline TOTP for lower threat models).