Worth it to separate logins from passwords?

I have a local password manager with all my passwords. For added security, I have not put my logins (all unique for each website) in it, but keep them in the browser instead. It’s a bit more effort, but feels like a good practice.
Am I right or is this needless overkill?

what do you mean by “logins”…? email/username? it does sound like overkill, potentially worse if your browser autofill storage isn’t as secure as your password manager, encryption-wise.


Yes, usernames. Browser is Firefox; how secure is its logins storage? I understand the idea of the weakest link in a chain, but isn’t there an advantage to splitting credentials into two separately encrypted parts (with different passwords)?

You just made your sign-in needlessly complex and bothersome to use, but the underlying protection is basically the same, so it feels like no gain in protection and sounds a bit annoying to use.

A hardware key as a supplemental requirement to unlock the password database may be better if you want to actually increase the security?

Already have that :slight_smile: Just thought separating username and password would add a layer of security. Feels like it’s just me though.

Technically it will not give you any reasonable additional protection. Just use aliases and a good password manager.

I will not recommend using a built-in browser password manager.

Do you use a master password for Firefox?

Yes, I do.
But I took the above advice and moved my usernames to the password manager.
Just out of curiosity: how much weaker are browser password managers compared to the standalone ones recommended by PG?

The teal ‘Info’ box at the top of the following page answers your question: The Best Password Managers to Protect Your Privacy and Security - Privacy Guides

Thanks, good to know.

I assume all password managers that come with the browser are weak.

If this app can do it so can malware.

If you use a primary password with the Firefox password manager, then presumably you would be OK because the passwords would be encrypted with said password.

Indeed. Not sure about usernames though. Haven’t checked if those are encrypted with Firefox, but it would be pretty funny if they weren’t and this person’s previous approach actually was worse for security.

Tavis Ormandy has a very different opinion. See Password Managers.

So can malware for non-browser password managers, if you unlock them to actually use them. A compromised client device is game over for your passwords.

That’s a good read. Thanks!
My use-cases preclude any online or browser-based PWM, so it’s been KeePass since ~2018.

It seems good practice, as not a single source but two would have to be compromised to use your passwords. Sure, it is inconvenient. If you use a 2FA app, it is a 3rd service atop those two.

Those are interesting details! Before switching to Bitwarden I stored passwords in browsers, and there was always the problem of syncing and different passwords, outdated passwords, etc… I still use browsers to save passwords, but I can purge the entire database anytime now, as everything is in Bitwarden as well. I still have the most important passwords only memorized and not stored anywhere.

Yes, I do not think it is insecure. On mobile both browser and Bitwarden passwords are behind a fingerprint scan, so it is on par. On desktop there is the login to the PC, but Bitwarden adds an additional code over the browser (Firefox has a master password, so on par if using Firefox). After all, Bitwarden is all about convenience, sync, online backup, username generation, etc.