The Risks of Using a Browser Password Manager

When it comes to passwords, having a long, randomized string of characters isn’t enough. Where to store passwords also plays a role in their security and privacy. Browser password managers are a popular option for many individuals and small-business employees looking to practice basic password safety, easily storing strong passwords for every account. However, browser password managers are rarely your best option.

Most web browsers include a password manager, whether it’s Google Chrome, Mozilla Firefox, Opera, Safari, or Microsoft Edge. Users tend to gravitate towards browser password managers because they require little to no setup. As soon as you sign up or sign in to an account, most browsers offer a pop-up asking whether you’d like the browser to save your logins for you.

Built-in browser password managers usually come with an autofill function. When you navigate to a familiar website’s login page, the browser automatically fills in your username and password. That way, you’re only one click away from signing in.

However, that same simplicity can also be a detriment. Browsers tend to offer the most bare-bones functionality of a password manager. Your credentials are also typically only protected by the same email and password combination of your browser account, and browsers also might not sync your credentials across multiple devices. Let’s take a closer look at some of these drawbacks.

Despite the surface-level convenience of browser password managers, there are many reasons why security-conscious individuals and businesses opt for alternative solutions.

There are several drawbacks and risks to using your everyday browser as a password manager:

A browser’s job is to allow you to surf the web, and many don’t offer a zero-knowledge architecture that would maintain the privacy of your data, including passwords. Thus, you never truly know what the organizations that own the browsers will do with your sensitive data. Also, many browsers’ business models rely on data collection and user tracking, which conflicts with ensuring user privacy.

Furthermore, many browsers are vulnerable to malware attacks through phishing schemes, and hackers usually target them due to the lack of an active security team and the thousands of people using them for their logins. Unverified browser extensions and add-ons can even add JavaScript to specific web pages and read their contents, allowing them to outright steal your passwords.

If you lend anyone your mobile device or desktop, or it gets stolen, that person can easily navigate to the password repository in your browser and gain access to all your credentials. Simply having a passcode on your device isn’t enough to deter all attempts, as it’s easy for a skilled individual to export your logins or install a keylogger spyware without you noticing.

While the functionality may exist for your browser password manager to sync across multiple devices, there’s no cross-platform compatibility—which means you’re confined to using the same browser. For example, you can’t access Safari passwords on an Android or Windows device.

Even within the same platform, the syncing itself isn’t always reliable, and new logins don’t always immediately show up on all your connected devices. This can be particularly frustrating if you’re constantly switching between devices for specific apps and websites, or if you have a spotty internet connection.

A browser password manager only has access to the sites and web apps loaded through it. You can’t as easily use it to store passwords from desktop apps and dedicated software. It’s the same on a mobile phone. You’d need to manually copy and paste your passwords to and from the browser every single time you log in.

Browsers make it very difficult to securely share passwords, whether it’s sharing logins with your friends and family or needing to grant a colleague access to an account. Without a dedicated password-sharing function, you’d have no choice but to send passwords over unsecured channels, like email or messaging apps, such as Slack and WhatsApp.

For admins in the business setting, managing browser-based passwords is incredibly difficult. They have no efficient way of implementing changes when an employee joins or leaves the team. Also, if everyone is saving logins to their personal browser, admins can’t monitor which apps and websites the employees have up-to-date access credentials to.

Web browsers are often in the news for data breaches that target their built-in password managers. Furthermore, you’d have no way of knowing whether your passwords were included in a breach or leak until the company reports on it, and by then, a malicious individual could have already used your data to access and take over some of your accounts, whether it’s your bank or your organization’s social media.

Native password managers aren’t your only option for password management. There are many purpose-built alternatives depending on your everyday needs and technical experience.

Unlike the browsers themselves, password manager browser extensions are specifically designed to keep your passwords safe. They operate similarly to built-in password managers, requiring little intervention after the initial setup, but they offer more security features.

Password manager extensions, like the Dashlane browser extension, include all the necessary functionality and security measures of an external password manager—encryption, cross-device syncing, secure sharing, and more—without sacrificing the convenience of a browser-based solution.

For employees who conduct the majority of daily work on a single company-provided smartphone or tablet, a mobile app password manager might be your best option. For those who use multiple devices, a web app is a more versatile alternative. In either case, the app runs in the background and takes care of saving and autofilling your passwords as needed across multiple apps and websites.

Local password manager software is one of the most secure ways to store passwords offline. It works like a dedicated password manager, but it stores your credentials locally on your device, instead of the cloud or an external piece of hardware.

By keeping your logins offline, password manager risks of a data breach or malware are minimized. However, you may need to manually sync your passwords across devices, and you lose access if your device is lost, stolen, or simply needs to be charged.

A stateless or token-based password manager is another one of the best ways to store passwords offline, particularly for employees. It uses an external device, such as a USB stick or NFC (Near-Field Communication) dongle, to access your accounts. Since your passwords are regenerated at every login, the risk of a web-based data breach or malware is lower. However, you must have the device with you to access your accounts, which is inconvenient if it’s misplaced or broken.

When asking yourself, “are password managers safe,” the answer depends on the password manager’s security protocols and functionality. For the most robust solution, look for the following features:

With Dashlane, you don’t have to choose between convenience and security. User-friendly features such as autofill, SSO, cross-device syncing, and passwordless login make it easy to incorporate into your online routine, while admin security features like intuitive provisioning, Dark Web Monitoring, and Password Health scores safeguard your credentials. You can also rest assured knowing your credentials are encrypted and protected by zero-knowledge architecture so that nobody, including Dashlane, can access your private information.

With surveys showing 63% of people reuse old passwords and 61% of data breaches involve compromised credentials, there’s significant room for improvement in secure credential management. Learn the most effective ways to make security your top priority around the clock.

Dashlane

Dashlane is a web and mobile app that simplifies password management for people and businesses. We empower organizations to protect company and employee data, while helping everyone easily log in to the accounts they need—anytime, anywhere.

Read more