I'm a little disappointed in the conclusion because there are more secure password managers out there that still offer the same level of convenience as the browser's built-in password manager. Yes, if you use a password manager that's implemented entirely as a browser extension, you may as well use the browser's built-in password management features. However, if you're an advanced user and are comfortable using a separate password management application, there are options out there that don't force you to choose between a difficult-to-use app and the convenience of something in-browser.
For example, exploiting a browser-based password manager likely means escaping the sandbox that contains web pages and accessing the shadow DOM. But this is still a larger surface area than 1Password, where the password selection menu (on Windows at least...) is actually rendered by an entirely separate process on the system. (I.e., clicking the icons that the extension displays triggers the 1Password desktop application to display UI at the cursor's current position. Picking a password from this UI will transmit it to the browser extension for filling. The password is only present in the browser's memory once you've interacted with the desktop application's UI.)
As always, do your research. Don't get suckered into paying a subscription fee for a browser extension that offers the same functionality your browser has built-in. But realize that there are other options out there that may actually be worth investing in.
Disclaimer: I've been a happy 1Password customer for a few years now.
This somewhat overlooks the main threat model that password managers solve - leaked credentials.
People can’t remember 80 passwords, so they reuse the same one. That password eventually gets leaked, and 9/10 times it doesn’t get leaked due to a targeted attack or a compromised machine but rather due to a breach of a service you signed up to.
Sure, password managers have issues: they don’t solve user-related errors and can even add to the attack surface of the machine they run on, but that’s really not important...
Using password managers and generating different passwords for each service reduces the blast radius from any breach.
This is why I don’t care if the password manager has the best encryption, or whether it even encrypts at all, or whether it uses the clipboard vs. some more secure side channel. Yeah, that’s nice, but that’s not in my threat model.
Which is why I don’t care if your password manager is a spreadsheet. It’s a terrible choice for a business because of their threat landscape and the fact that a spreadsheet won’t allow you to audit who has access to what, but for you or your mom even that is better than using the same password everywhere.
Heck, at home print your passwords and store them somewhere safe... put them on a Post-it note for all I care, as long as you live alone, or at least not with anyone you wouldn’t want stumbling on that list...
As it looks like Tavis isn't hanging out and responding to comments here, I thought it'd be worth linking to a question and response he gave on Twitter as most comments revolve around this point.
> @diractelda: Based on your thoughts, it seems a more accurate statement is "Don't use a password manager that interacts with your browser automatically unless it's the built in password system. Non-integrated password stores are fine."
> @tavis: Yep, that's a fair summary, I was just trying to be punchy
https://twitter.com/taviso/status/1401253440622235649?s=20
Well that thread has an unfortunate answer to my biggest question at the end of the article: what about iCloud Keychain?
>> @colmmacc: Safari seems conspicuously absent from the list, but it has more users than Firefox or Edge. Is that deliberate? superficially it has the chrome problem solved and T1/T2 integration for the password manager across iOS and OS X.[1]
> @taviso: Well, it's deliberate because I don't know how it works, not because I think there's something wrong with it! It sounds reasonable from the docs, but I haven't looked at the implementation.[2]
As I said in the thread, that’s a weird response given the opening paragraph of the article:
> I’ve spent a lot of time trying to understand the attack surface of popular password managers. I think I’ve spent more time analyzing them than practically anybody else, and I think that qualifies me to have an opinion!
I mean, I think Tavis is qualified to have an opinion regardless. But just blanket ignoring a competitor’s solution that addresses all of the problems in the article, while claiming to have more familiarity with the space than practically anyone else... that doesn’t sit well with me.
1: https://twitter.com/colmmacc/status/1401336209746673666?s=21
2: https://twitter.com/taviso/status/1401373666328203264?s=21
> If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.
Unfortunately, it also means I can basically never switch web browsers again, so it's an absolute non-option for me. I don't want to be locked into Chrome forever.
I think the only reasonable way to achieve Tavis' conclusion would be for browsers to start providing actual password management APIs for extensions. I agree that locking in all my passwords with my browser vendor would be unacceptable.
I use Firefox on PC and Chrome on Android. Firefox Lockwise on Android implements an Android autocomplete API to add autocompletion for passwords everywhere in Android.
Here's the best solution I've found for those looking for password manager recommendations. It's secure, free, open source, easy to use, and syncs to all of your devices.
1. Password manager for PC / Laptop: KeePassXC. It's not built into your browser, it's a separate application. It's totally open source, and trusted by many. It also supports two factor authentication, I use a passphrase and a key file. Supports TOTP. Has a ton of "premium" features, totally free. It's awesome.
2. Syncing application: Google Drive. Sync your KeePass database using Google Drive (or whatever other sync application you want). KeePassXC supports merging databases if there's ever a conflict, as rare as those are. This is secure, because the KeePass database file is encrypted, and Google Drive / Google will never see the unencrypted database.
3. Password manager for phone: KeePass2Android. Not sure what the options are for Apple, but I'm sure they exist. Allows you to open your KeePassXC database from Google Drive.
4. Browser support: KeePassXC-Browser. Allows you to autofill your username / password / TOTP from your KeePassXC application to Chrome / Firefox.
Totally free, secure, convenient, and syncs to all your devices. Also comes with excellent redundancy for your password database so you'll never lose it. I've been using this setup for years flawlessly.
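The setup above rests on the claim in step 2 that Google Drive only ever sees an encrypted database. Below is an added example (written for this page, not code from KeePassXC or any other project) that parses the outer header of a KDBX 4 file, the format KeePassXC writes, and reports exactly what a sync provider can learn from the file: the cipher, the KDF and its cost parameters, the seeds, and the byte count of ciphertext after the header. The header hash that KDBX 4 stores is checked; the keyed HMAC that follows it needs the master key and is skipped. The sample file is constructed inline from those same structures and is not a real database; the `STORE`-style names and the 96-byte payload are assumptions for the demonstration.

```python
import hashlib
import os
import struct
import uuid

# KDBX magic numbers and the cipher / KDF identifiers KeePass-family tools use.
KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFF67
CIPHERS = {
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256-CBC",
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
}
KDFS = {
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
}
COMPRESSION = {0: "none", 1: "gzip"}
VD_DECODERS = {0x04: lambda b: struct.unpack("<I", b)[0], 0x05: lambda b: struct.unpack("<Q", b)[0],
               0x08: lambda b: b != b"\x00", 0x0C: lambda b: struct.unpack("<i", b)[0],
               0x0D: lambda b: struct.unpack("<q", b)[0], 0x18: lambda b: b.decode(), 0x42: lambda b: b}


def parse_variant_dict(data: bytes) -> dict:
    """Decode the KDBX 4 VariantDictionary that carries the KDF parameters."""
    (version,) = struct.unpack_from("<H", data, 0)
    if (version & 0xFF00) != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    off, out = 2, {}
    while data[off] != 0:                      # type byte 0 ends the dictionary
        vtype = data[off]
        (nlen,) = struct.unpack_from("<I", data, off + 1)
        name = data[off + 5:off + 5 + nlen].decode()
        off += 5 + nlen
        (vlen,) = struct.unpack_from("<I", data, off)
        out[name] = VD_DECODERS[vtype](data[off + 4:off + 4 + vlen])
        off += 4 + vlen
    return out


def parse_kdbx4_header(blob: bytes) -> dict:
    """Return what an untrusted storage provider can learn from a KDBX 4 file."""
    sig1, sig2, version = struct.unpack_from("<III", blob, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    if version >> 16 != 4:
        raise ValueError("this parser only handles KDBX 4.x headers")
    off, fields = 12, {}
    while True:                                # outer header: id (u8), size (u32 LE), data
        fid, size = struct.unpack_from("<BI", blob, off)
        data = blob[off + 5:off + 5 + size]
        off += 5 + size
        if fid == 0:
            break
        fields[fid] = data
    kdf = parse_variant_dict(fields[11])
    # KDBX 4 stores SHA-256(header) right after the header; the HMAC after that
    # needs the master key, so only the unkeyed hash is checked here.
    header_hash_ok = hashlib.sha256(blob[:off]).digest() == blob[off:off + 32]
    return {
        "version": f"{version >> 16}.{version & 0xFFFF}",
        "cipher": CIPHERS.get(uuid.UUID(bytes=fields[2]), "unknown"),
        "compression": COMPRESSION.get(struct.unpack("<I", fields[3])[0], "unknown"),
        "kdf": KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown"),
        "kdf_params": {k: v for k, v in kdf.items() if k != "$UUID"},
        "header_hash_ok": header_hash_ok,
        "ciphertext_bytes": len(blob) - off - 64,
    }


# --- constructed sample file (not a real database) ---------------------------
def _field(fid: int, data: bytes) -> bytes:
    return struct.pack("<BI", fid, len(data)) + data


def _vd_entry(vtype: int, name: str, value: bytes) -> bytes:
    n = name.encode()
    return bytes([vtype]) + struct.pack("<I", len(n)) + n + struct.pack("<I", len(value)) + value


def build_sample_kdbx4() -> bytes:
    """Assemble a KDBX 4.1 header (Argon2d, ChaCha20, gzip) plus a dummy payload."""
    kdf = struct.pack("<H", 0x0100)
    kdf += _vd_entry(0x42, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes)
    kdf += _vd_entry(0x42, "S", b"\x5a" * 32)                        # salt (constructed)
    kdf += _vd_entry(0x04, "P", struct.pack("<I", 2))                 # parallelism
    kdf += _vd_entry(0x05, "M", struct.pack("<Q", 64 * 1024 * 1024))  # memory, in bytes
    kdf += _vd_entry(0x05, "I", struct.pack("<Q", 10))                # iterations
    kdf += _vd_entry(0x04, "V", struct.pack("<I", 0x13)) + b"\x00"    # Argon2 version, end
    hdr = struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040001)
    hdr += _field(2, uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a").bytes)
    hdr += _field(3, struct.pack("<I", 1))
    hdr += _field(4, b"\x11" * 32)            # master seed (constructed)
    hdr += _field(7, b"\x22" * 12)            # ChaCha20 nonce (constructed)
    hdr += _field(11, kdf) + _field(0, b"\r\n\r\n")
    # header hash, a zeroed stand-in for the keyed header HMAC, then "ciphertext"
    return hdr + hashlib.sha256(hdr).digest() + b"\x00" * 32 + os.urandom(96)


if __name__ == "__main__":
    for k, v in parse_kdbx4_header(build_sample_kdbx4()).items():
        print(f"{k}: {v}")
```

Run it against a real `.kdbx` by replacing `build_sample_kdbx4()` with `open(path, "rb").read()`. The useful thing the output shows is that the provider learns the KDF cost (here 64 MiB, 10 iterations, 2 lanes): that is what an offline attacker who grabs the file from your Drive account gets to brute-force your passphrase against, which is why the key file in step 1 matters and why it should not be synced alongside the database.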
Auto-type is much more secure than using the companion KeePassXC browser extension to fill your passwords, since it doesn't need a connection between your browser and your password manager. It also removes the chance of some dodgy website having a username and password box off screen and using it to trick the autofill feature.
One minor inconvenience with auto-type is that your passwords don't auto-fill by themselves, but I have it set to the hotkey Alt+X, which makes it quick to trigger with my thumb, and after doing it this way for nearly 2 years now I barely notice.
Another downside with auto-type is that not all websites put their full names in the browser title bar, so auto-type won't show you your related passwords in some cases. To fix that you can install a browser extension that puts the full web URL in the title bar:
https://github.com/erichgoldman/add-url-to-window-title
My setup is almost identical, though I skip the browser plugins and let the password manager auto-paste into the browser. Keepass inside GDrive, job done. Very occasionally I'll make a copy out to a portable drive.
I've been running this setup for about a decade, since some big breach (I forget which one) made it clear to me that using the same or similar passwords across multiple sites was not gonna fly any longer.
The initial time investment was surprisingly heavy - I iterated through every online login I could find for myself (searching through email history mostly for signup confirmations) and changed the password on every account I had. Took about two full days.
> 4. Browser support: KeePassXC-Browser. Allows you to autofill your username / password / TOTP from your KeePassXC application to Chrome / Firefox.
I believe the point the article is making is that any browser extension to auto fill is inherently insecure for architectural reasons.
I find it odd someone so serious about password managers would recommend KeePassX, which hasn't seen a release since 2016. Perhaps they meant the KeePassXC fork.
The major problem with the built-in password managers is that they don't store more than the password. If there's a site that has security questions, I use LastPass to keep track of the security questions and my answers. I have to do this because I don't give real answers to security questions.
A minor annoyance is that Safari will not let me treat sites which use multiple domains as equivalent. So Discount Tire uses dt.com and discounttire.com but Safari flags this as a security problem because I'm using the same password with both. LastPass lets me set them as equivalent domains, though the process is probably too difficult for most people.
LastPass made free users decide whether to use it either on computers or phones & tablets but not both. Because I use Firefox on my Mac, I used LastPass on computers. I rely on Safari to sync for my phone and tablet. I think it's inevitable that LastPass will continue making life more difficult for free users and I may end up with a flat file or Apple Notes file to store the security questions and answers.
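The "equivalent domains" problem in the comment above is really a question of what an autofill decision is allowed to look at. The point of the article is that the browser knows the real origin of the page, while anything the page renders can be faked. The following is an added example (mine, not code from Safari, LastPass or the article) of a fill policy that consults only the URL the browser reports: it reduces hosts to their registrable domain with a public-suffix table, so `a.co.uk` and `b.co.uk` are not treated as the same site, and then honours an explicit equivalence list for cases like the two Discount Tire domains. The suffix table, the equivalence list and the `VAULT` entries are constructed for the demonstration; real code would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List; production code loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "io", "co.uk", "com.au"}

# User-maintained equivalence groups, e.g. the two Discount Tire domains.
EQUIVALENT_DOMAINS = [
    {"dt.com", "discounttire.com"},
]

# Constructed sample vault: entry name -> URL the credential was saved for.
VAULT = {
    "Discount Tire": "https://www.discounttire.com/login",
    "Bank": "https://online.bank.example.com/",
    "Mail": "https://mail.example.org/",
}


def registrable_domain(host: str):
    """eTLD+1 of a hostname, or None when it cannot be determined safely."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # i == 0 means the host *is* a public suffix: nothing to match on
            return None if i == 0 else ".".join(labels[i - 1:])
    return None  # unknown suffix: refuse rather than guess


def fill_allowed(saved_url: str, page_url: str) -> bool:
    """May a credential saved for saved_url be filled on page_url?

    Only the browser-reported URL is consulted. Titles, logos and injected
    dropdowns are page-controlled and never enter the decision.
    """
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https":
        return False                      # never fill over plaintext HTTP
    s = registrable_domain(saved.hostname or "")
    p = registrable_domain(page.hostname or "")
    if s is None or p is None:
        return False
    if s == p:
        return True                       # same site, any subdomain
    return any(s in group and p in group for group in EQUIVALENT_DOMAINS)


def candidates(vault: dict, page_url: str) -> list:
    """Names of vault entries that may be offered on this page, sorted."""
    return sorted(name for name, url in vault.items() if fill_allowed(url, page_url))


if __name__ == "__main__":
    for url in ("https://dt.com/account", "https://example.com.evil.net/login"):
        print(url, "->", candidates(VAULT, url))
```

Two cases are worth noting in the output: `example.com.evil.net` gets nothing, because its registrable domain is `evil.net`, and the lookalike `discounttire.co` gets nothing either, because the equivalence list is explicit rather than a prefix match.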
> I think it's inevitable that LastPass will continue making life more difficult for free users and I may end up with a flat file or Apple Notes file to store the security questions and answers.
Why not just pay for it? If it prevents a hack which impacts your finances, then it's more than worth it and not worth the waste of your time trying to avoid paying them.
> I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.
I haven't used the browsers' built-in password managers for years, so I don't know what features they have, but I find it hard to believe that they can provide the same functionality as a dedicated password manager.
Some of the top features of dedicated password managers include:
* Generating random passwords/passphrases (this is pretty basic)
* Storing and generating two-factor authentication codes (TOTP)
* Filling out passwords into mobile apps as well as websites
* Storing security questions, back up codes, any other site specific data that needs to be secure
* Storing credit card information
* Platform agnostic syncing
* Sharing passwords with friends, co-workers, or family
* Weak password checking / HIBP integration
I'm sure that the browser password manager can do some of these things, but I doubt it can really do all of them.
Please don't put TOTP codes or back up codes in password managers. The whole point of 2FA is to have two factors protecting you. If you do that, you're back to 1 factor (your password manager master password).
Plus, at least for Safari, it's only protected by the computer password, which is much less secure than the kind of pass phrase that password managers ask for. My mother-in-law has her computer password on a post-it that is stuck to the monitor. Using that, I can go into her browser preferences and see the plaintext value of all her browser-stored passwords. I never use it, myself.
The blog suggests using Chrome's password manager. I used the macOS Keychain as my primary store and Chrome's password manager as my secondary store for years and finally gave up, because Keychain didn't work with Chrome or sync with anything (unless maybe I used iCloud), Chrome only synced with and worked with Chrome, and too often it didn't save passwords properly. For all other browsers, apps, or uses, the Chrome password manager is useless.
Fortunately I could export Chrome to CSV and use some third-party AppleScript to export the Keychain and import into KeePassXC. It's not perfect but it's better than the built-in stuff.
Maybe W3C could standardize a protocol for password managers so we don't have this insane vendor lock in.
For what it’s worth, the keychain now syncs with iCloud and across all your Apple devices and it’s end to end encrypted by your system or phone passwords.
The password interface in iOS has improved a whole bunch (tells you about weak passwords, reused passwords, etc) but doesn’t support attaching a TOTP to an entry.
Which may or may not be a big deal now that everyone is moving to U2F etc.
Personally, using a browser-based password manager is too restrictive, in that you need a browser to access passwords.
I use passwords in a lot of places outside of browsers and often the interface I'm using has no browser capabilities.
I understand using browser-based password management if you only ever use passwords on the web. But I'm sure a lot of others, like me, need them outside of that context.
Chrome's password manager syncs to your Google account, which will allow you to use it in apps on your (Android) phone. I would suspect that Apple's ecosystem has similar functionality.
In the case of Firefox, at least, the Lockwise application allows you to use your credentials even outside of the browser, on mobile devices. On the desktop, both Firefox and Chromium allow you to copy passwords so you can paste them in any application.
"a lot of others" seems unsubstantiated. I'll argue the majority of folks (even technical) rarely need access to passwords outside of the browser. The only times I need a password outside of chrome is my Macs password, and dockerhub but I've memorized just those two.
Occasionally I need the password for Microsoft or intelliJ accounts, but even then I just use my phone to lookup the password in my manager visually and then type it, I'm never letting any password I care about go into my Macs clipboard!
I use Bitwarden, and to my knowledge the issue raised in this article does not apply to it -- all interaction is through the extension's icon, with no UI elements injected into the page itself.
Combined with being completely open-source (including backend), full-featured even in the free version, and $10/year pro version (with features like sharing, encrypted storage, etc.), I can recommend it to practically anyone.
BW has had other issues before. For example, it tends to send your credentials with basic auth requests without your knowledge and without a setting to turn it off. The code executed in your browser can also be manipulated to exfiltrate your entire password store once you unlock it if someone gains access to whatever account Bitwarden uses to publish their addon.
Bitwarden is certainly one of the better password managers in my book (seriously, some of its competitors don't even let you add arbitrary fields to credentials!) and has proven to be reasonably secure. However, you cannot ignore the vulnerability the browser extension model or any auto-update model might bring to something as sensitive as a password manager.
I'm using it myself in combination with a self-hosted bitwarden-rs instance (used to run the native version but its performance was just terrible) and I can't say I regret the decision.
I do wish that browser would expose an autofill API to password managers, though, so addons wouldn't need to inject Javascript or do other funky stuff to get passwords filled in.
I use Bitwarden too, and I self-host it so that vector of attack becomes much smaller. But while Bitwarden doesn't add elements to the page, it does alter existing page elements by auto-filling your credentials. If I get it right, the gist of the article is the ability to spoof the fields that receive those credentials.
Copying out of Bitwarden and pasting into the visible fields would get around that instead of using its auto-fill.
I would NOT recommend the chrome password manager. If you sync your passwords, they will not be stored encrypted at the google side. You need to specifically set password encryption in the settings.
I've also spent a lot of time understanding password managers in my master's thesis. What I can recommend is: https://pfp.works/
The creator was auditing password managers like LastPass, found a lot of issues, and used his knowledge to create pfp, which does it right imho.
The instructions on the PfP website for how to do various things often begin with the following steps:
> Click PfP icon on any website
> Enter your master password
Can't a website just fake a PFP icon to induce you to reveal your master password, and now the website owner has access to all of your generated passwords? Isn't this exactly the type of attack that caused taviso to write OP?
The built-in browser password manager is the only one that ever made sense for me. You want the machine to verify the domain for you so you don't enter your credentials into some other site (no copying and pasting) and all third-party scripts are always clunky.
I use Firefox with Lockwise[1] for Android and pass[2] as overflow for more involved secrets. This is a solo solution though that doesn't solve sharing these secrets with others.
I get that nowadays the alternative to password managers is browsers. But they were mostly developed when the real alternative was trying to remember all those passwords, or duplicate them, or write them down somewhere.
I used to have random passwords scattered over multiple browsers, because I change browsers.
Then I got a password manager, and imported all my chrome passwords... and there were hundreds of them. All the old ones, all the weird little ones that I never cared about. It took me ages to clean this data set and delete all the crap.
So no... never going back to storing passwords in the browser, thanks. I realise that technically a malicious site could possibly mess with my password manager. But I'm more worried about what the browser is doing.
It's curious that we haven't seen dedicated effort towards a consistent password autofill API in browsers, like what is present in Android. Even the Credential Management API seems to have not picked up traction for passwords, though it was extended for use with FIDO2 security keys.
I use unix pass as my "source of truth" and then individual browser password managers (mostly Firefox) as a local "cache" for sites where it is painful to manually go out to pass too often. Honestly it works brilliantly, pass syncs using git which I do to a bare ssh repo on a server I control (although it would be perfectly safe to put on github tbh).
I really feel like people overthink this sometimes.
I have a bash script which takes in the name of the website and generates a 64-character-long random string (lower, upper, number, symbol), then puts that in a text file and encrypts it with gpg using AES-256, and puts that file in a Dropbox-synced directory. Whenever I need to use one, another option retrieves the password, and if I want to use it on my phone, I just use yet another option which uses qrencode to generate a QR code of the password and then displays it using `display` from ImageMagick so my phone can scan it to copy the password into the clipboard. That's the safest solution I came up with without trusting third-party solutions. The only downside is the dependency on a Linux-powered PC.
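The scheme above works, but as described it writes the plaintext to a text file before encrypting it and, if the QR step passes the password to qrencode as an argument, exposes it in the process list. Below is an added Python rendition of the same scheme (mine, not the commenter's script) that keeps the secret off disk and out of argv by piping it to gpg and qrencode over stdin, sets a slow S2K so the symmetric passphrase is expensive to brute-force, and refuses entry names that could escape the store directory. It assumes `gpg`, `qrencode` and ImageMagick's `display` on `PATH`; the store location `~/Dropbox/pwstore` and the `PW_STORE` override are assumptions, and only the generation and path logic are exercised by the test since the rest shells out.

```python
import argparse
import math
import os
import secrets
import string
import subprocess
from pathlib import Path

# Assumed defaults (not from the original comment): store location, charset, gpg options.
STORE = Path(os.environ.get("PW_STORE", "~/Dropbox/pwstore")).expanduser()
ALPHABET = string.ascii_letters + string.digits + string.punctuation
GPG_ARGS = ["--yes", "--quiet", "--symmetric", "--cipher-algo", "AES256",
            "--s2k-mode", "3", "--s2k-digest-algo", "SHA512", "--s2k-count", "65011712"]


def generate_password(length: int = 64, alphabet: str = ALPHABET) -> str:
    """CSPRNG-backed password; each character drawn independently and uniformly."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy for a uniformly generated password of this length."""
    return length * math.log2(len(alphabet))


def entry_path(name: str) -> Path:
    """Map a site name to a file without letting it escape the store directory."""
    if not name or "/" in name or name.startswith("."):
        raise ValueError("bad entry name")
    return STORE / f"{name}.gpg"


def store_password(name: str, password: str) -> Path:
    STORE.mkdir(parents=True, exist_ok=True)
    os.chmod(STORE, 0o700)
    out = entry_path(name)
    # Plaintext reaches gpg over stdin: never written unencrypted, never in argv.
    subprocess.run(["gpg", *GPG_ARGS, "--output", str(out)],
                   input=password.encode(), check=True)
    return out


def retrieve_password(name: str) -> str:
    res = subprocess.run(["gpg", "--quiet", "--decrypt", str(entry_path(name))],
                         capture_output=True, check=True)
    return res.stdout.decode()


def show_qr(password: str) -> None:
    """Render the secret as a QR code for a phone to scan; stdin again, not argv."""
    png = subprocess.run(["qrencode", "-o", "-", "-t", "PNG"],
                         input=password.encode(), capture_output=True, check=True).stdout
    subprocess.run(["display", "-"], input=png, check=True)


def main(argv=None):
    ap = argparse.ArgumentParser(description="gpg-backed per-site password store")
    ap.add_argument("cmd", choices=["gen", "get", "qr"])
    ap.add_argument("name", help="site name, e.g. example.com")
    a = ap.parse_args(argv)
    if a.cmd == "gen":
        print(store_password(a.name, generate_password()))
    elif a.cmd == "get":
        print(retrieve_password(a.name), end="")
    else:
        show_qr(retrieve_password(a.name))


if __name__ == "__main__":
    main()
```

Usage is `python pwstore.py gen example.com`, then `get` or `qr` with the same name; gpg prompts for the symmetric passphrase through its normal pinentry. A 64-character password over this 94-symbol alphabet carries about 419 bits, far beyond what any site's hash can protect, so the practical strength of the whole scheme is the gpg passphrase and the S2K cost, which is why the iteration count is pinned rather than left at gpg's default.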
> If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.
What would be really great is if the major browser vendors got together and came up with a way to do reliable, secure, cross-browser syncing of passwords.
The main reason I use a password manager instead of the browser’s password storage is because I use different browsers both on the same device and on different devices. I might use Firefox on my Linux desktop and Safari on my Mac. Using a third-party password manager allows me to have the same set of shared passwords on both.
I share the conclusion and for those friends and family who use chrome across devices I've been recommending to just activate 2FA (not sms) and use the built in password manager.
But relying on chrome as password manager - even on Android - has drawbacks as it seems not to support all apps and fields one needs to.
I personally use bitwarden because it seems to work - when I enable all assistive tech - on 99% of situations. I also don't use chrome anymore so using Google password manager isn't as useful.
> Second, everyone needs to be using unique passwords. You don’t have to use a password manager to do that, whatever system works for you is fine. If you want to use a notebook in a desk drawer, that’s totally acceptable.
You don't need a notebook for unique passwords. Just use the service's name. Unless you also meant unguessable, in which case a notebook is probably going to be insufficient because your brain-powered password generator will soon run out of entropy.
> The tech press can review usability and onboarding experience, but can’t realistically evaluate any security claims, so how do you propose users tell the difference?
"Security at the expense of usability, comes at the expense of security." Users don't need to know the difference because the only danger they need to protect themselves from is "my gmail was hacked" and the only requirement for that is that they use an un-guessable password saved somewhere unsophisticated attackers can't access. Any password manager accomplishes this.
> An attacker (or malicious insider) in control of the vendor's network can change the code that is served to your browser
Password managers have servers sending code over to the browser? After the installation process?
> Password managers have servers sending code over to the browser? After the installation process?
Yes, LastPass is all web based IIRC, even 1Password switched to a web based offering when they switched to a subscription model. I'm still a happy customer of their previous product which was a one time purchase and uses software installs instead, database synced with w/e you want (Dropbox, GDrive, etc)
> This problem is pervasive among online password managers, you can never be sure if you’re interacting with a website or your password manager.
Isn't this true for any scenario, password manager or not? If a site has been compromised without you knowing and you enter your password from memory, paste, or a password manager, that password is at risk.
Is the author saying that he is able to access ALL passwords in the password manager via a single malicious site?
Strongbox is fantastic on iOS
[+] [-] jdeibele|4 years ago|reply
A minor annoyance is that Safari will not let me treat sites which use multiple domains as equivalent. So Discount Tire uses dt.com and discounttire.com but Safari flags this as a security problem because I'm using the same password with both. LastPass lets me set them as equivalent domains, though the process is probably too difficult for most people.
LastPass made free users decide whether to use it either on computers or phones & tablets but not both. Because I use FireFox on my Mac, I used LastPass on computers. I rely on Safari to sync for my phone and tablet. I think it's inevitable that LastPass will continue making life more difficult for free users and I may end up with a flat file or Apple Notes file to store the security questions and answers.
[+] [-] lamontcg|4 years ago|reply
Why not just pay for it? If it prevents a hack which impacts your finances, then its more than worth it and not worth the waste of your time trying to avoid paying them.
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] pimlottc|4 years ago|reply
[+] [-] thekyle|4 years ago|reply
I haven't used the browsers built-in password manager for years, so I don't know what features they have, but I find it hard to believe that they can provide the same functionality as a dedicated password manager.
Some of the top features of dedicated password managers include:
* Generating random passwords/passphrases (this is pretty basic)
* Storing and generating two-factor authentication codes (TOTP)
* Filling out passwords into mobile apps as well as websites
* Storing security questions, back up codes, any other site specific data that needs to be secure
* Storing credit card information
* Platform agnostic syncing
* Sharing passwords with friends, co-workers, or family
* Weak password checking / HIBP integration
I'm sure that the browser password manager can do some of these things, but I doubt it can really do all of them.
marcan_42|4 years ago
tunesmith|4 years ago
Kiro|4 years ago
cosmotic|4 years ago
Fortunately I could export Chrome to CSV and use some third-party AppleScript to export Keychain and import into KeePassXC. It's not perfect, but it's better than the built-in stuff.
Maybe W3C could standardize a protocol for password managers so we don't have this insane vendor lock-in.
foobarbazetc|4 years ago
The password interface in iOS has improved a whole bunch (tells you about weak passwords, reused passwords, etc.) but doesn't support attaching a TOTP to an entry.
Which may or may not be a big deal now that everyone is moving to U2F etc.
rendall|4 years ago
That's not what the article said.
pleb_nz|4 years ago
I use passwords in a lot of places outside of browsers, and often the interface I'm using has no browser capabilities.
I understand using browser-based password management if you only ever use passwords on the web. But I'm sure a lot of others, like me, need them outside of that context.
askvictor|4 years ago
noisem4ker|4 years ago
ramraj07|4 years ago
Occasionally I need the password for Microsoft or IntelliJ accounts, but even then I just use my phone to look up the password in my manager visually and then type it. I'm never letting any password I care about go into my Mac's clipboard!
PufPufPuf|4 years ago
Combined with being completely open-source (including backend), full-featured even in the free version, and $10/year pro version (with features like sharing, encrypted storage, etc.), I can recommend it to practically anyone.
jeroenhd|4 years ago
Bitwarden is certainly one of the better password managers in my book (seriously, some of its competitors don't even let you add arbitrary fields to credentials!) and has proven to be reasonably secure. However, you cannot ignore the vulnerability that the browser extension model, or any auto-update model, might bring to something as sensitive as a password manager.
I'm using it myself in combination with a self-hosted bitwarden-rs instance (I used to run the native version, but its performance was just terrible), and I can't say I regret the decision.
I do wish that browsers would expose an autofill API to password managers, though, so add-ons wouldn't need to inject JavaScript or do other funky stuff to get passwords filled in.
troyvit|4 years ago
Copying out of Bitwarden and pasting into the visible fields would get around that instead of using its auto-fill.
closeneough|4 years ago
I've also spent a lot of time understanding password managers in my master's thesis. What I can recommend is: https://pfp.works/
The creator was auditing password managers like LastPass, found a lot of issues, and used his knowledge to create PfP, which does it right IMHO.
baobabKoodaa|4 years ago
> Click PfP icon on any website
> Enter your master password
Can't a website just fake a PfP icon to induce you to reveal your master password, so that the website owner then has access to all of your generated passwords? Isn't this exactly the type of attack that caused taviso to write the OP?
anka-213|4 years ago
You still need to trust that the software is secure.
dxld|4 years ago
whereistimbo|4 years ago
blfr|4 years ago
I use Firefox with Lockwise[1] for Android and pass[2] as overflow for more involved secrets. This is a solo solution, though, that doesn't solve sharing these secrets with others.
[1] https://www.mozilla.org/en-US/firefox/lockwise/
[2] https://www.passwordstore.org/
marcus_holmes|4 years ago
I used to have random passwords scattered over multiple browsers, because I change browsers.
Then I got a password manager and imported all my Chrome passwords... and there were hundreds of them. All the old ones, all the weird little ones that I never cared about. It took me ages to clean this data set and delete all the crap.
So no... never going back to storing passwords in the browser, thanks. I realise that technically a malicious site could possibly mess with my password manager. But I'm more worried about what the browser is doing.
ferdowsi|4 years ago
scrollaway|4 years ago
zmmmmm|4 years ago
I really feel like people overthink this sometimes.
_aqmj|4 years ago
RcouF1uZ4gsC|4 years ago
What would be really great is if the major browser vendors would get together and come up with a way to do reliable, secure, cross-browser syncing of passwords.
The main reason I use a password manager instead of the browser's password storage is because I use different browsers, both on the same device and on different devices. I might use Firefox on my Linux desktop and Safari on my Mac. Using a third-party password manager allows me to have the same set of shared passwords on both.
627467|4 years ago
But relying on Chrome as a password manager, even on Android, has drawbacks, as it seems not to support all the apps and fields one needs it to.
I personally use Bitwarden because it seems to work (when I enable all the assistive tech) in 99% of situations. I also don't use Chrome anymore, so using Google's password manager isn't as useful.
NewEntryHN|4 years ago
You don't need a notebook for unique passwords. Just use the service's name. Unless you also meant unguessable, in which case a notebook is probably going to be insufficient because your brain-powered password generator will soon run out of entropy.
> The tech press can review usability and onboarding experience, but can’t realistically evaluate any security claims, so how do you propose users tell the difference?
"Security at the expense of usability comes at the expense of security." Users don't need to know the difference, because the only danger they need to protect themselves from is "my Gmail was hacked", and the only requirement for that is that they use an unguessable password saved somewhere unsophisticated attackers can't access. Any password manager accomplishes this.
> An attacker (or malicious insider) in control of the vendor's network can change the code that is served to your browser
Password managers have servers sending code over to the browser? After the installation process?
throwaway192874|4 years ago
Yes, LastPass is all web-based IIRC; even 1Password switched to a web-based offering when they switched to a subscription model. I'm still a happy customer of their previous product, which was a one-time purchase and uses software installs instead, with the database synced with w/e you want (Dropbox, GDrive, etc.).
chrisan|4 years ago
Isn't this true for any scenario, password manager or not? If a site has been compromised without you knowing and you enter your password from memory, by pasting, or from a password manager, that password is at risk.
Is the author saying that he is able to access ALL passwords in the password manager via a single malicious site?