I’ve seen this question asked, https://discuss.privacyguides.net/t/password-manager-safer-with-browser-extension-or-copy-drag-auto-type/11466?u=seek.veritas, and it is relevant to me as well. I’m new to the privacy and security space and am curious as to if I should be using a password manager extensions (along with other types of extensions (email aliasing, etc.) for the convenience sake. I’ve been doing this method for awhile as I value the convenience but wanted to make sure that this wasn’t a huge privacy and security risk. What other options are there? Would I either have to use the web or desktop versions and copy/paste? Seems monotonous.
1 Like
I’ve been wondering this as well, but I can’t find much discussion.
Extension should be safer, it won’t auto-fill fishing site, while you can. And keeping passwords in clipboard is not good practice either.
4 Likes
Autofilling websites with your personal data is only one thing that web browser extensions can do. If you look at the most popular extensions you’ll see that it’s unbelievable how many things extensions can do now.
In one way I think they’re safer than installing 3rd party Apps to Windows because they’re vetted by the Firefox community:
https://addons.mozilla.org/en-US/firefox/search/?promoted=recommended&sort=users&type=extension
It’s a compromise of security vs privacy.
Extensions pros
- super simple to install
- sandboxed to the browser
- great usability on websites
Extensions Cons
- increases fingerprint uniqueness reducing privacy
Desktop Pros
- does not increase fingerprint
- does not interface with the browser
Desktop Cons
- copy/paste is not as seamless
- if closed source means unable to audit
- threat to os instead of just browser (but browser can still hold a lot of info).
Generally, I try to install open source software, preferably GPL licensed. For example let’s take a password manager like Bitwarden. They have an extension and a desktop app. Extension makes the fingerprint more unique but way easier to use.
Desktop app is open source, so I don’t have massive privacy or security concerns with that. I like the extension usability so I use that a lot.
2 Likes
There is one valid case of this: for the desktop app, only the Windows version supports FIDO2 WebAuthn.
IMO, login creation is much more streamlined with the extension than with the desktop app.
No extensions, I want.
Be careful of extensions, you need.
I put all the extensions that I don’t trust in a separated browser profile. It’s a pointless idea for some extension types, though, a password manager, for example.
1 Like
I would like to understand why. I get it for content blocking / changing extensions because you could theoretically check what content has been blocked or changed. I think that’s why PG just recommends to use the default filter lists on uBlock Origin rather than enabling all of them. Other extensions like Dark Reader, Bypass Paywalls, or Greasemonkey might also be fingerprintable, at least in theory (not sure if anyone really bothers). Or extensions that change the user agent string or accept headers (e.g. the “Don’t Accept image/webp” extension).
But an extension that doesn’t change how the content of the website? How would the website owner even find out about it? I mean stuff like Bitwarden, History Cleaner, Treestyletabs?
1 Like
Check this if you use chromium based browser Extension Detector
And this about password extensions Password Managers.
1 Like