Browser password managers - a good idea?

With the blogs in this series I want to reach not only my typical audience, security professionals, but especially less security-aware people, to help them improve their personal security. If you think the content is helpful for people you know, share it with them!

Browser password manager security

The German Federal Office for Information Security recently performed a security audit of the following browsers: Firefox 68, Chrome 76, Internet Explorer 11 and Microsoft Edge 44*.

Part of the audit was about password manager security. The following criteria were tested:

  • The passwords must be stored encrypted
  • The browser's built-in password vault must be secured with a master password
  • The passwords can be deleted from the password manager vault

Chrome, Internet Explorer and Edge failed the test because none of them lets you set a master password. This is a serious risk: anyone who gets access to your device can read all your stored passwords and log in to your accounts. This doesn't have to be a person with physical access to your machine; password-stealing malware running under your user account is probably a more prevalent risk.

The only browser that satisfied these minimum security requirements is Firefox. You can enable a master password via about:preferences#privacy, then scroll down until you find the section "Logins and Passwords".

Enable a master password in Firefox

For every new Firefox session you must enter this master password before Firefox gives you access to your stored passwords. Keep in mind that the master password protects the passwords at rest, for example when someone copies your profile folder: once you have unlocked them in a session, malware running under your user account can still read them.
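To make the difference concrete, here is an added example (my own illustration, not Firefox or Chrome code) of two toy vault layouts. In the first, the vault is encrypted but the key lives in the same profile folder, so whoever copies the profile can decrypt it; this is the situation without a master password (real Chrome wraps its key with your OS login via DPAPI or the system keychain, which any program running as you can unwrap, so for malware running under your account the effect is the same). In the second, the key is derived from a master password typed at unlock time and is never written to disk, so a copied profile is useless on its own. The KDF is scrypt and the cipher is an HMAC-SHA256 keystream with an HMAC tag, a demonstration construction chosen because it needs only the Python standard library; real browsers use AES. All sample logins are constructed.

```python
"""Added example: why 'stored encrypted' is not enough without a master password.

Two toy vault layouts (neither is real browser code):
  profile-key vault    : key stored next to the encrypted data (no master password)
  master-password vault: key derived from a master password at unlock time
Cipher: scrypt KDF + HMAC-SHA256 keystream in counter mode + HMAC tag
(encrypt-then-MAC). Demonstration construction; the point is where the key
comes from, not the cipher.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample data, not real credentials.
LOGINS = {"mail.example": "correct horse battery staple",
          "bank.example": "Tr0ub4dor&3"}


def derive_key(master_password: str, salt: bytes) -> bytes:
    # Memory-hard KDF: brute-forcing a stolen vault costs real time per guess.
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC(key, nonce || counter) used as a PRF in counter mode.
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def save_profile_key_vault(logins: dict) -> dict:
    """Layout without a master password: the key is stored beside the data."""
    key = secrets.token_bytes(32)
    return {"key": key.hex(),
            "vault": encrypt(key, json.dumps(logins).encode()).hex()}


def save_master_password_vault(logins: dict, master_password: str) -> dict:
    """Layout with a master password: only the salt is stored, never the key."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    return {"salt": salt.hex(),
            "vault": encrypt(key, json.dumps(logins).encode()).hex()}


def try_unlock(profile: dict, master_password: str = None):
    """Return the logins, or None if the profile alone (or a wrong password)
    is not enough. Calling it without a password models an attacker who has
    copied the profile folder but knows no secret."""
    if "key" in profile:
        key = bytes.fromhex(profile["key"])          # no secret needed at all
    elif master_password is None:
        return None                                   # vault is locked
    else:
        key = derive_key(master_password, bytes.fromhex(profile["salt"]))
    try:
        return json.loads(decrypt(key, bytes.fromhex(profile["vault"])))
    except ValueError:
        return None


if __name__ == "__main__":
    weak = save_profile_key_vault(LOGINS)
    strong = save_master_password_vault(LOGINS, "a long master passphrase")
    print("copied profile, no master password:", try_unlock(weak))
    print("copied profile, master password set:", try_unlock(strong))
    print("legitimate unlock:", try_unlock(strong, "a long master passphrase"))
```

Run it and the first line prints every password in clear, the second prints None, and the third prints the logins again. Both vaults are "encrypted", which is exactly why the audit's first criterion on its own says little.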

Google recently launched a password manager that you could use instead of the browser's built-in password vault. This password manager stores your passwords in the cloud and is accessible when you're logged in with your Google Account.

Google's password manager has several serious weaknesses, for instance:

  • If you use your Google account regularly, your session stays active and with it the password manager is always logged in. So anyone with access to your machine can easily read all the passwords stored in it.
  • The secret that unlocks the password manager is your Google account password, which Google's servers have to know about to verify your logins. This means that an attacker who gets in on Google's side can get at it. A cloud-based password manager should derive its encryption key from a master password that never leaves your device, so that the provider's servers hold nothing that decrypts your vault.
  • Users with a weak or leaked Google account password and no multi-factor authentication (which is more than 90% of users) put themselves even more at risk when they start using Google's password manager. Once their Google account is taken over, criminals can simply read every password stored in it.**

If you want to use a cloud-based password manager you should really look into more secure alternatives. In this post you can find some tips that can help you choose.

*Safari, the second most used browser (16.3% market share worldwide), wasn't audited. In Safari you can use iCloud Keychain. For more info on how this works, read this article.

**This is the default, insecure behaviour. Users can encrypt all synced data with their own sync passphrase, which is not sent to Google. In that case an attacker cannot read the passwords unless they also manage to steal the passphrase from the user's device. While this is a security improvement, chances are small that average users will enable this little-known option, leaving them vulnerable.

Other important features of a password manager

A good password manager shouldn't only store your passwords securely. It must also help you create strong, unique passwords. People who use a password manager without this functionality will most likely keep using weak passwords.

Third-party password managers like 1Password, Dashlane or LastPass have built-in tools to generate random passwords. Firefox doesn't offer this yet (it is planned for version 70) and Chrome only offers it when the sync feature is enabled.

Another feature that's really useful to have integrated in a password manager is detection of weak passwords. This is already available in Google's password manager and will shortly be available in Firefox.
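The two features from the last paragraphs, a random password generator and a weakness check, are small enough to show in full. The following is an added example of my own, not code from any of the password managers mentioned. It goes a little beyond "weak": it also flags passwords reused across sites and passwords that appear in a known breach, and it does the breach check the way Firefox Monitor and Google's Password Checkup do it in principle, by hashing the password and comparing only a short hash prefix against a range of hashes, so the password itself never leaves the device. The breach list and range lookup are a constructed, offline stand-in for the real service, and the sample vault is made up.

```python
"""Added example: password generator plus weak/reused/breached detection.
Not code from Firefox, Chrome or any third-party manager."""
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
MIN_LENGTH = 12

# Constructed stand-in for a breached-password corpus (password -> times seen).
_BREACHED = {"123456": 23000000, "password": 3600000,
             "qwerty": 3900000, "Tr0ub4dor&3": 1200}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from the CSPRNG (secrets), never random.random()."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_index(corpus: dict) -> dict:
    # prefix (5 hex chars) -> [(suffix, count), ...], like a range-query API.
    index = {}
    for pw, count in corpus.items():
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


_RANGE_INDEX = _build_range_index(_BREACHED)


def _range_lookup(prefix: str) -> list:
    """Constructed offline stand-in for the k-anonymity range query: the caller
    sends only the first 5 hex characters of the SHA-1 and gets every suffix in
    that bucket back."""
    return _RANGE_INDEX.get(prefix, [])


def breach_count(password: str) -> int:
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # The full hash is compared locally; the service only ever saw the prefix.
    for candidate_suffix, count in _range_lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def audit_vault(logins: dict) -> dict:
    """site -> list of problems (empty list means nothing was flagged)."""
    sites_by_password = {}
    for site, pw in logins.items():
        sites_by_password.setdefault(pw, []).append(site)
    report = {}
    for site, pw in logins.items():
        problems = []
        if len(pw) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        seen = breach_count(pw)
        if seen:
            problems.append(f"appears in a known breach ({seen} times)")
        others = sorted(s for s in sites_by_password[pw] if s != site)
        if others:
            problems.append("reused on " + ", ".join(others))
        report[site] = problems
    return report


if __name__ == "__main__":
    new_pw = generate_password()
    print(new_pw, f"~{entropy_bits(len(new_pw), len(ALPHABET)):.0f} bits")
    sample_vault = {"mail.example": "password",      # constructed
                    "shop.example": "password",
                    "bank.example": "Tr0ub4dor&3",
                    "forum.example": new_pw}
    for site, problems in audit_vault(sample_vault).items():
        print(site, "->", problems or "ok")
```

The generator draws from `secrets`, which is the cryptographically secure source; a 20-character password from this 75-character alphabet has about 125 bits of entropy, far beyond what any online or offline guessing attack reaches. The audit deliberately has no "must contain a digit and a symbol" rule: length, reuse and presence in a breach are what actually predict whether a password gets cracked.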

Conclusion

The security of most browsers' built-in password managers is still inadequate. At the moment Firefox is the most secure of them. Neither the built-in password managers of the discussed browsers nor Google's cloud-based password manager can compete with most third-party password managers, both in terms of security and in the integration of necessary features.

If you want to use a built-in password manager, Firefox is the best choice at the moment. If you want to use a cloud-based password manager, I recommend doing some research and choosing the third-party password manager that suits you best. If a password manager is nothing for you, use a password book that you keep close to you.

Keep in mind that the goal is to create strong passwords and store them securely. Which tool you use is irrelevant, as long as it helps you reach that goal.

That's all folks. Tomorrow I'll be back with more security tips, in the meantime stay safe online!

John Opdenakker

Blogger | #Infosec | #AppSec | Security awareness | Occasional Public Speaker | Cycling | Running | Enjoying life