Password manager browser extensions

Forgive me for not trusting the “world-class security team” the author thinks works at Firefox, Chrome, etc, especially when the in-built password manager is prone to the same problems that author cites (another case, just for fun in firefox android). Also, no password manager worth the name would accidentally make your passwords disappear because they were building a new feature.

Now lets come to criticisms:

  1. Most of the critique in the blog is around poor JS implementations and infrastructure security, both of which are also problems in browsers. It is the problem of the tech stack (JS, web), not the tool (browser password managers or password extensions), as shown in security audits of openpgpjs
  2. Next big critique is implementation, and I agree that most won’t actually implement it well. But that should not discourage users from the services that implement is well. I would trust maintainers of openpgpjs to actually know how to implement this. Bad implementation in on the provider, not the protocol (otherwise similar critiques are available against FIDO2).

100%. Someone’s threat model may not even allow passwords on notebooks, while for others it may allow a sticky note on monitor with the password scribbled on.

My recommendation is to see your threat model. I use a password manager extension, because I have offline on-person mandatory MFA and account monitoring that would stop people from taking over accounts. So, it allows me to not type 32-64 characters of random gibberish that are my passwords, and also not have to clean my clipboard or worry about snooping of clipboard history.

Offtopic

Ideally, we would NOT depend on passwords as the ultimate defense. Password managers allow people to generate and store hard to guess passwords, that’s it. You should ideally always have a MFA method that requires physical possession (hardware keys, passkeys, even offline totp for lower threat models)

How do you account for the difference between using a browser-based native password manager and a dedicated password manager extension in terms of threat assessment? It is universally agreed that extensions increase the attack surface and might interfere with the browser’s sandboxing. Similarly, browser-based managers can easily be extracted by info stealers or similar threats. I would like to know how a strike of balance were made for PG suggestions in this regard. I would also love to know if the presence of an onboard TPM and using it (via trusted path) to authenticate stored passwords in the browser makes any difference?

Would love expert opinions and apologies if my judgement is wrong as Iam not very knowledgeable in this regard.

Asking for brave browser BTW.

Thanks

If I understand correctly, you’re trying to compare using a password manager web app versus a browser extension? There’s technically a give and take with each but I strongly prefer the browser extension. I avoid web-based cryptography because it’s almost snake oil. By using a browser extension you’d potentially increase your browser attack surface and “fingerprintability”, but it’d better protect you from phishing and typosquatting and isn’t as weak as web app crypto.

If you don’t want to risk weakening your browsers privacy or security by any means necessary, you’re better off just using a native desktop application.

As far as extensions go, password managers are ok to use. For autofill, don’t let it enter login info automatically - make sure to set it so that it’s somewhat manually entered where you have to interact with it by clicking on a popup that appears over the login field. This way your login info isn’t captured by hidden fields on a malicious site.

Using any password or banking extensions just became more dangerous because a polymorphic extension can steal your credentials from right in front of your eyes and most people probably wont even notice until its too late.

Yeah, this is exactly why I came up with this question. Just like most 3rd party AVs increasing the attack surface due to their nature of operation, I sometimes feel like additional extensions, including password managers does the same to browser inbuild security.

You’re absolutely right that browser password managers are often seen as less secure than dedicated tools — and that extensions can introduce risks. The EFF’s nuanced take reflects that tradeoff between usability and trust boundaries.

But there’s also a third way that avoids both risks: using the browser without storing anything at all.

Some tools run fully in the browser but never save, sync, or auto-fill anything — instead, they generate passwords deterministically from inputs like your master passphrase and the site name.

In that case, there’s no stored database to steal, no browser autofill leaks, and no extension API to exploit. It’s essentially a password manager without storage — built for users who prioritize privacy and want full control.

It’s not as mainstream, but for people with a strong threat model or who are privacy-conscious, it’s worth looking into.

Three words polymorphic browser extensions

As password managers become an essential tool for online security, I am curious to know how what is the best way to use them?

Password managers help us generate and store unique, complex passwords for each online account. However, with the rise of password manager usage, new security concerns have emerged. Browser extensions, while convenient, may introduce new attack surfaces, such as clickjacking. On the other hand, desktop apps provide a more secure environment but may lack the seamless integration of autofill and passkey features.

Browser extensions are convenient: autofill, one-click logins, and passkey handling in-browser. But they add a browser-side attack surface (e.g., clickjacking, malicious scripts, or compromised pages abusing extension UI).

Desktop apps (native Windows/macOS apps) reduce that browser attack surface. They often require manual copy‑paste or a separate helper for filling, and passkey integration on Windows can be harder or unavailable. Passkey support is still in beta in Bitwarden for Windows.

https://bitwarden.com/blog/bitwarden-launches-passkey-management/

I’ve been using a combination of the web extensions and native apps. I have been under the impression such a web extension does not make me more fingerprint-able. If it does I would be happy to switch to native app only. Or web app but I am under the impression native > web for apps I trust and especially ones which are doing encryption.

Please correct me if I’m wrong on any of that folks!

I have been trying to figure out something myself about passkeys. As I understand it Bitwarden implements them such that they are then hidden behind only one credential (your master password). Isn’t this worse than OTP and normal password where it is locked behind two credentials?

Personally I used to use the browser extensions a lot, but one day I forgot to install the extension on whatever browser I was daily driving and didn’t skip a beat.

For someone like me who understands that keeping your password manager is technically better than using an extension, I was happy to find that I didn’t mind the change, but I think for most people it’s not good. Like, many people have already had to do a lot of work just to get on a password manager. That last thing they need to is accept more friction to use it. So that coupled with the fact that using extensions is still safe means that you probably can’t go wrong either way.

You should be using the extension.

I meanwhile don’t.
Just desktop app, quick app switching with keyboard shortcuts makes it fully keyboard compatible most of the time. :+1:t2:

Not sure if the best from a security POV, but I do have my own things on top of it:

  • email aliasing
  • hardware key

The least attack surface the better IMO. And the browser is IMO a no-mans land.

Desktop app for me. I got used to switching from browser to password manager when my main device was an android tablet and I don’t really see a reason to change.
I often will drag the browser window to the left and the PW to the right to make copy/paste easier as autofill isn’t always the smoothest experience.

I would say that this kind of extension does make your browser more finger-printable, because it prints contents on the website. For that reason I use only the desktop app. Please correct me if I am wrong.

Thank you.

I use both. For the extension, you can usually expand it to its own window, which is nice, and can generally feel to replace the native one.

I, however, like the easy ability to launch a dedicated app.

Having such a sensitive things like the password manager as a web exctention is a security risk

Here’s a decent read on the topic: Why security experts recommend standalone password managers over browser-based options | Bitwarden

I think it’s more of a circular benefit graph than a linear scale of better/worse

A lot of password manager standalone programs are built on electron, for example, which has documented security vulnerabilities. A lot of reasonable threat models may consider that an unacceptable risk, though you could mitigate it by running it in a virtual machine

By using JS to autofill sites by URL, you are adding an anti-phishing mitigation to your setup, as you won’t unwittingly provide credentials to a fraudulent site

…But this same autofill feature can introduce a supply chain risk, if a bad actor manages to hijack the extension & pushes a malicious update…

…And every browser extension makes your browser fingerprint more identifiable, thus reducing privacy…

… and so on & so forth. There is no ‘better’ or ‘worse’. Dont address this tradeoff in isolation. Begin with a threat model for your situation, compare the pros/cons against each, select the one that better fits

I would recommend a pass manager with an app that you can interact with without opening the browser. You can keep the app running in the background. Opening the chrome web app (through extension) gets extremely tiring pretty soon. I used to use Dashlane and dealing with putting in master password on every launch got very frustrating. Also it used to fail to connect many times and I had to open the whole browser to make it work.

Correct me if I am wrong, but I see following issues with password managers:

  1. Are you sure that your password manager generates cryptographically secure passwords? I mean truly random password generator? Or pseudorandom?
  2. As I know, if pseudorandom fenerator used, anyone, if they got certain amount of such passwords predict (even approximately) other passwords, right?

And completely separate concern is browser extensions. What if browser got compromised (ex 0-day vuln)? This means that extension data in UNLOCKED state cud possibly leak. Yes, I know that you will tell to use secure browsers etc, but shit happens, right?

So for now I have following opinion:

  • Slightly modify generated password before saving in your password manager (to make it really random)
  • NEVER use extensions?

Correct me if I am wrong.