Whenever I talk about password managers I often get asked by people about their browser password manager and whether that is a secure method of storing passwords. They’re not really the best solution. Here’s why.
They store passwords. Surely they must be secure?
The password managers that are built into Chrome, Edge and Firefox are very simplistic and while they do stores things encrypted, the encryption can be easily broken.
The thing is, these password managers are very easy to use and browsers are great at pushing them on people. Putting up nice friendly notices going “Do you want me to remember this password?” “Do you want me to remember this credit card number?” Then later on when you come back to sign into the site it will pop the username and password into the page for you. It’s all very convenient. But convenience comes at the cost of security in this case.
How is a browser password manager insecure?
If you think about it, these password managers have no real security in place. So if somebody has access to the browser, when the device is unlocked, they also now have access to your password vault.
If you were using a proper password manager they would need to know your master password and also have access to your multi-factor authentication (MFA) method. That’s because password managers have proper security on their password vaults.
What do you recommend?
The world will be a much better place when passkeys are more widely used.
Until then, I always recommend using a full-featured password manager such as Bitwarden or 1Password. These are designed to be fully secure and keep your passwords, payment card information and secure notes all nice and securely saved. There are other password managers available. Some of these might be classified as being more secure or private than the two I have mentioned. However there are some trade-offs with them in that they may need someone more technical to set them up and use them. This might be off-putting to normal people as it can be inconvenient.
I’ve got a password manager in another application. How good are they?
Some people come to me and say that their anti-virus package or their VPN has a password manager as an add-on feature. I am cautious about using such features because they may not have been developed with the same level of security as a proper password manager. They are likely only being offered as a way to lock somebody into continuing to subscribe to the anti-virus or VPN.
This is because it is easy to switch anti-virus or VPN providers. But when you are are using a password manager it is much more difficult to move and switch provider.
OK! OK! We’ll use a proper password manager. Any tips?
Some quick tips for setting up your password manager as securely as possible:
- Choose a master password that is at least 20 characters long. Perhaps choose three or four completely random words to make up this master password. Maybe include some spaces between the words and an occasional number and special character.
- You should also secure the password manager with a multi-factor authentication method. Ideally it should be an authentication app that generates codes or a hardware security key that you need to trigger the authentication.
- Set the password manager to generate passwords of at least 40 characters, with all the cases, numbers and special characters turned on so that the passwords are nicely complicated. Watch out though for some websites that have limited the number of characters you can use … some as low as 10 or 12 characters, which is ridiculous.
Anything else I need to think about with a proper password manager?
Some security people think that using the browser add-on or plugin for the proper password manager is NOT very good security practice. Yes, there are risks associated with the add-on/plugin, but I think their convenience for the normal person makes password manager use more likely. But it all really depends on your threat model. If you think you’re low risk then using the add-on/plugin is probably also low risk.
Let’s be careful out there.
How can L2 Cyber Security help you?
We offer a full range of training programmes, which can be delivered online or in-person.
Contact us for more information at info@L2CyberSecurity.com.