Password manager browser extensions

When using a password manager, I could use the browser extension, or I could copy, drag or autotype the username and password. I have looked for an answer, but the information I have come across is always pointing out the risks with one or the other but never comparing them.

My concern is having my password(s) stolen. So is it better to use a browser extension (with the risks of extensions) but have some protection from phishing, or is it better to copy/drag/autotype (with a smaller attack surface) but not have the phishing protection?

I should point out that so far while I have received multiple phishing attempts, I have always caught it before entering any details. Of course sooner or later I may miss something.

I have always thought of browser password managers as less secure than a dedicated password manager. However, I note that EFF advice contemplates use of browser-based managers. See Choosing a Password Manager | Surveillance Self-Defense.

This even suggests that browser extensions for dedicated password managers are a weak/vulnerable point.

What is your take on this topic?
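The "phishing protection" the question refers to comes from one thing an extension can do that a human pasting a password cannot: it compares the page's origin (scheme, host and port) with the origin stored for the login before offering it, so a look-alike domain gets nothing. The block below is an added illustration of that check, written for this thread and not taken from any password manager's own code. The vault entries, the URLs, the `allowSubdomains` option and the two-label registrable-domain shortcut are all assumptions of the example.

```javascript
// Added example (not from the thread or any product): how a password-manager
// extension can decide whether a stored login may be offered on the current
// page. Matching is done on the page origin (scheme + host + port), never on
// the page title or on a substring of the hostname, so
// https://accounts.example.com.evil.test does not match a login saved for
// https://accounts.example.com, and an entry saved for https is never offered
// on a plain http page.

// Constructed sample vault: these URLs and usernames are made up.
const VAULT = [
  { title: "Example", url: "https://accounts.example.com/login", username: "alice" },
  { title: "Bank",    url: "https://bank.example.org",           username: "alice-bank" },
];

// Normalises a URL to its origin, or returns null for anything that is not an
// absolute http(s) URL (javascript:, data:, relative paths, garbage).
function originOf(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.origin; // e.g. "https://accounts.example.com" (default port dropped)
}

// Registrable-domain heuristic: last two labels of the hostname. Real
// extensions consult the Public Suffix List; this shortcut is an assumption of
// the example and misclassifies names such as example.co.uk.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Returns the vault entries that may be offered for pageUrl. Policy (assumed
// for this example):
//  - an exact origin match always qualifies;
//  - with allowSubdomains, a host under the same registrable domain qualifies,
//    but only if scheme and port also match;
//  - an entry saved for https is never offered on an http page (downgrade).
function matchingEntries(pageUrl, vault = VAULT, { allowSubdomains = false } = {}) {
  const page = originOf(pageUrl);
  if (page === null) return [];
  const pageU = new URL(page);
  return vault.filter((entry) => {
    const saved = originOf(entry.url);
    if (saved === null) return false;        // malformed vault entry: never fill
    if (saved === page) return true;         // exact origin match
    if (!allowSubdomains) return false;
    const savedU = new URL(saved);
    if (savedU.protocol === "https:" && pageU.protocol !== "https:") return false;
    return savedU.protocol === pageU.protocol &&
           savedU.port === pageU.port &&
           siteOf(savedU.hostname) === siteOf(pageU.hostname);
  });
}

// Convenience wrapper returning just the usernames, for quick inspection.
function usernamesFor(pageUrl, opts) {
  return matchingEntries(pageUrl, VAULT, opts).map((e) => e.username);
}
```

The point for the copy/paste versus extension question: none of these checks exist when a person reads a page title, decides it looks right and pastes the secret. Whether the extension then fills automatically or waits for a keypress or click is a separate choice; the origin comparison is what stops the look-alike domain, and the keypress is what stops a hidden form on a legitimate page from harvesting a fill without the user noticing.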

Tavis Ormandy’s opinion on this topic: Password Managers.

You have to weigh security considerations and usability. Non-browser password managers offer features you won’t get on browser pw managers. I need some of these features, so I stick with a non-browser pw manager.

Thanks for the link. Interesting read, although maybe a little dated? It also seems to suggest using a browser's password manager.

A good browser extension won't autofill, but needs you to press some key combination or click the mouse to have it fill.

I would stay away from using browser’s integrated password manager.

First off, if your device, say a desktop, is shared with other family members, you will need to either
a) set a master password for the browser (not every browser has one), or
b) have a separate browser profile (also locked with a password), or
c) have a dedicated browser for yourself (probably a portable version stored on a flash drive or in a VeraCrypt file vault).

Second, browsers' integrated password managers are pretty well known for being insecure (sorry for not quoting a source here, as I don't have the time to do so at the moment). Password managers like KeePass have much less attack surface and are much more secure; you can even use UTF-8 passwords. Mine has an entropy of over 250 but is a fairly easy-to-type password. No need for a 7-word passphrase.

Third, browsers' integrated password managers lack the functionality and OS integration (especially on mobile) offered by dedicated password managers like KeePassXC / KeePassDX.

Fourth, not sure about Bitwarden, but KeePass works and stores locally, so every entry is always saved and backed up even when you are offline. Enabling file versioning gives you even easier backup and recovery options.

Fifth, you can easily back up your family members' password vaults without knowing their credentials (as long as they remember their vault password, or still have the passkey).

Sorry, I sound like a KeePass salesman now :rofl:

Thanks for your detailed reply. I've used KeePass for years but more recently have been trying KeePassXC, which has native browser integration and browser extensions. Having said that, I'm not entirely sure whether the browser integration ultimately saves that much over Auto-Type and basic KeePass.

Can I ask if you recommend/prefer KeePassXC over basic KeePass, perhaps with one of the KeePass extensions mentioned on the KeePass site?

I use different devices with different OSs, and on each I use different browsers. I also use apps that require logins, so they’re not in browser at all. I use 1Password because it is a platform that works with all devices, browsers and OSs/apps.

I just use KeePassXC with their own browser extension; it's good UX.

Never really tried the original KeePass, but I am quite settled.

I don’t need to do any of these because I don’t share my system’s user account with anyone. If you let someone use your system’s user account, at that point, the browser sharing would be less of an issue.

If one needs to share their PC with others, they should create a new user account. A guest account is also an option.

Let me quote, then (04/02/2024):

A team of Greek researchers has published a study highlighting sensitive data leak risks in password managers due to the lack of encryption in all steps of data storage and processing.

Contrary to most people's belief, security experts and security researchers agree that password managers' security is a joke compared to browsers' password managers.

I find the PM I recommended rather secure. I did not say any random PM could do the job.

One more point to note: to achieve the attack you linked, you would need to first compromise the browser, then compromise the system, then try to compromise the PM. That seems to pose a much higher bar than just compromising the browser.

Despite what this smart guy has to say, my belief is that all browser-based password managers are less secure than a dedicated app, if only because my browsers are open more often and for far longer than my PM. So I don't use them for anything important or non-trivial. Infostealers and password extractors are widely available.

It says a powerful adversary is targeting you... I don't think you should have autofill anyway; it's not that much work to click and have it filled.

Hello.

I'm feeling a little tempted to try the KeePassXC browser extension after years of copy-pasting passwords; is it worth it? Saving a few clicks seems nice, and it reduces the risk of opsec fails like pasting passwords into a chat field or being phished, but I'm a little worried since it needs to talk to processes outside the browser... If there's a vulnerability in the extension, couldn't it potentially aid in a sandbox escape? Not to mention that the entire password database would be compromised.

Unless you have a really high and specific threat model, you would more likely than not already know what to do.

But since you're asking, I simply recommend sticking with Bitwarden or Proton Pass. They are very affordable, and the extensions are great and also support passkeys. These extensions are safe, private, and secure.

The extension for KeePassXC is a nightmare to get working well for any length of time. I do not think it is worth it.

If you're using an extension, you might just as well stick with the browser password manager, which should be just as secure, if not more so.

Thanks. So Bitwarden/Proton don't require a desktop "companion" then? If so, that's cool. I wonder if self-hosting Bitwarden locally is worth it. For now I'm just using the in-browser password manager for password suggestions and committing (via copy+paste) new passwords to the KeePassXC database whenever I make a new account or change a password.

No, they do not. Yes, that is cool.

As for the rest of your comment: in-browser password management is horrendous. Please just use Bitwarden or Proton Pass instead. The extensions work really well.

No. You just need to connect to your BW/Proton account via the extension and you’re good to go.

It's not good, since the clipboard is not encrypted, meaning that if malware gets onto your device, it can read what you copied and pasted (which in this case is your password).