Your browser wants to manage your passwords. Maybe it’s to make your browsing experience more seamless in the hotly competitive browser wars, or maybe it’s a response to the popularity of password managers. Regardless of the reason, you’ve undoubtedly seen hundreds of pop-ups offering to save your credentials as you browse online.
A few years back, that wasn’t the best idea, but times have changed. The world’s most popular browser, Google Chrome, now has a fairly robust password management tool, as does Apple’s Safari, including security options that shut down the most common criticisms of browser-based password managers. If you aren’t using a password manager, and you’re reusing the same few passwords with an extra capital letter or exclamation point, storing unique passwords in your browser is more secure than what you’re doing. Still, browser-based password managers pose an inherent problem, one that isn’t solved with better authentication methods or superior encryption.
Improvements in Browser Password Managers
Your browser’s password manager isn’t as secure as a commercial, third-party password manager, or so the story goes. There’s some truth to that sentiment, but it requires nuance. In reality, your browser’s password manager is very secure, and using it is far superior to jotting down passwords in your notes app or using the same password across websites.
I’ll get to the security issues next, but we need to start with where browser password managers are today. I’ll be looking at Chrome and the Google Password Manager, not to pick on Google, but because it’s overwhelmingly the most popular browser in the world. Google has also continually updated Chrome’s password manager, and it’s in a much better place than it used to be.
First, encryption. The main difference between Google’s Password Manager and a commercial password manager isn’t which cipher is used, but who holds the key. A password manager like Proton Pass uses zero-knowledge encryption. That means that, although the service holds your encrypted passwords, it doesn’t hold the key to decrypt those passwords.
By default, Google manages your encryption key, but it allows you to set up on-device encryption, which functions similarly to a zero-knowledge architecture. Your passwords are encrypted before being saved on your device, and you manage the key. Regardless of how the encryption works, Google uses AES, which is still the gold standard for security among password managers.
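To make the zero-knowledge and on-device encryption distinction concrete, here is an added example (not code from the article, Google or any of the password managers named in it). A stand-in vault server stores only a salt, a nonce, ciphertext and an authentication tag; the key is derived on the device from the master password with PBKDF2 and is never sent anywhere. Because Python’s standard library has no AES, the cipher is HMAC-SHA256 used in counter mode with an encrypt-then-MAC tag, a deliberate substitution: a real product would use AES-GCM with exactly this structure. The user names, vault entries and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo of a zero-knowledge vault. The "server" only ever sees
# salt + nonce + ciphertext + tag; the key exists only on the client.
# Cipher: HMAC-SHA256 in counter mode, authenticated with a separate
# HMAC key (encrypt-then-MAC). Substitute for AES-GCM, which the Python
# standard library does not provide.
PBKDF2_ITERATIONS = 100_000  # assumption: illustrative work factor


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes) -> dict:
    """Runs on the device. Returns only what is safe to hand to the provider."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(master_password: str, blob: dict) -> bytes:
    """Runs on the device. Verifies the tag before decrypting anything."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))


class VaultServer:
    """Stand-in for the provider's storage: it never receives a key or password."""

    def __init__(self) -> None:
        self._blobs: dict[str, dict] = {}

    def store(self, user: str, blob: dict) -> None:
        self._blobs[user] = blob

    def fetch(self, user: str) -> dict:
        return self._blobs[user]

    def stored_blob_contains(self, user: str, marker: bytes) -> bool:
        """What a compromised server could read: checks whether a plaintext marker survives."""
        return marker in self._blobs[user]["ciphertext"]


def roundtrip_demo() -> dict:
    """Encrypt on-device, store remotely, decrypt on-device; show wrong keys and tampering fail."""
    server = VaultServer()
    entries = b"example.com: password=correct horse battery staple\n"  # constructed entry
    server.store("alice", encrypt_vault("hunter2-but-longer", entries))

    recovered = decrypt_vault("hunter2-but-longer", server.fetch("alice"))

    try:
        decrypt_vault("wrong-password", server.fetch("alice"))
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True

    tampered = dict(server.fetch("alice"))
    ct = bytearray(tampered["ciphertext"])
    ct[0] ^= 0x01  # flip one bit in storage
    tampered["ciphertext"] = bytes(ct)
    try:
        decrypt_vault("hunter2-but-longer", tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    return {
        "recovered": recovered,
        "server_sees_plaintext": server.stored_blob_contains("alice", b"password="),
        "wrong_password_rejected": wrong_rejected,
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    print(roundtrip_demo())
```

The point the demo makes is structural rather than about the cipher: a breach of the provider, or a takeover of the account that the vault is tied to, yields the stored blob but not the key, and both a wrong master password and a modified blob fail the tag check before any decryption happens. The “on-device encryption” option described above moves Google’s design toward this shape by keeping the key with the user.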
It was trivial to decrypt Chrome passwords previously, requiring little more than a Python script and knowledge of where the files are stored. But even there, Google has pushed the security bar up. App-bound encryption has invalidated those methods, and cracking passwords is far more involved than it used to be. Further, Google has integrated with Windows Hello. If you choose, you can have Windows Hello protect your passwords each time you log in by asking for your PIN or biometric authentication.
Other browsers aren’t as secure. Firefox, for instance, makes it clear that, although passwords saved in Firefox are encrypted, “someone with access to your computer user profile can still see or use them.” Brave works in a similar way, though I suspect most people using Brave are using a third-party password manager (and probably a VPN) already.
Regardless, storing your passwords in even a less secure browser like Firefox is leaps and bounds better than not using a password manager at all. And the browsers at the forefront of market share, Chrome and Safari, have vastly improved their security practices over the past few years. The problem isn’t encryption—it’s putting all your eggs in one basket.
Let’s Talk OpSec
OpSec, or operational security, is normally a term used when talking about sensitive data in government or private organizations, but you can look at your own security through an OpSec lens. If you were an attacker and wanted to swipe someone’s passwords, how would you go about it? I know where I’d look first.
Even with better security measures, the goal of a browser-based password manager is to get people using password managers. That has to be balanced against how easy the password manager is to use. In a blog post announcing changes to Google’s authentication methods from Google I/O this year, the company mentions reducing “friction” seven times, while “encryption” isn’t mentioned at all. That’s not a bad thing, but it’s a testament to how these tools are designed.
You don’t need to pick out words from a blog post to see this focus. Google gives you the option to turn on Windows Hello or biometric authentication with the Google Password Manager. Each time you want to fill in a password, you’ll need to authenticate. That’s undoubtedly more secure than not authenticating each time, but the setting is turned off by default. It creates friction.
Without this setting turned on, anyone with access to a logged-in PC could pop into your browser, head to the settings, and see (and even export) your passwords in plaintext. If I had access to someone’s PC and wanted to steal passwords, the first place I’d head is the browser password manager.
More concerning is the target on the back of your Google account. Just a couple of months back, Gmail suffered a data breach, and although no sensitive information was stolen, Google urged 2.5 billion users (around a third of the global population) to update their passwords. If an attacker can successfully take over your account, it’s not a great idea to give them your passwords in addition to unbridled access to your email and any services you’ve linked your Google account to.
Account takeovers happen, largely due to phishing, according to Google. Again, looking through an OpSec lens, it’s not the best idea to lock the passwords for all your accounts behind an account that’s a high-value target. That’s not a dig at Google. It’s just the reality of having a single account that’s so pervasive in online life.
There are ways to prevent an account takeover from happening, including multi-factor authentication (MFA) and device-bound authentication methods like passkeys. Both Google and Apple offer these options to increase your account security. If we’re looking at risk mitigation, however, storing your passwords in a third-party password manager gives you another layer of protection beyond locking down a single, high-value account.
Beyond Security
Security is first and foremost when looking at password managers, but let’s not miss the forest for the trees. A commercial password manager comes with a lot more features and functionality.
Proton Pass, for instance, gives you access to email aliases to reduce the likelihood of your email address leaking in a breach. 1Password gives you Travel Mode to clean up your vaults while traveling. Bitwarden lets you take your entire vault off the internet if you want, with a self-hosted option. That’s not to mention the variety of data you can store in a third-party password manager, including encrypted documents and notes, and custom entries for whatever other data you want to store.
A dedicated password manager like NordPass allows you to share your entries. You can share passwords stored in the Google Password Manager and iCloud Keychain, but only within their own ecosystems. With a third-party password manager, I can, for example, share my Wi-Fi password with someone even if they don’t have an account.
Using any password manager is better than using none, so if you’re avoiding your browser’s password manager because you’ve heard it’s unsafe, and as a result, use the same password across websites, stop. Your browser is more secure. But for folks who don’t mind a bit of friction for better security, a third-party password manager is the way to go.