I read an interesting article about password managers by Tavis Ormandy, a well-known researcher working on Google's Project Zero. The article considered whether it is better to use the intrinsic password manager already built into your web browser (most web browsers now offer to save your passwords) or to use an extrinsic third-party app like Bitwarden.
Let's review the arguments he presented in his article and determine whether it is safe to use a browser's built-in password manager.
Objections to third-party Password Managers
Tavis has clearly spent a lot of time understanding the attack surface of popular password managers. He raises a number of objections to third-party apps and concludes that it is better to use the one already built into your browser. In summary, his objections are:
- Integrating a third-party app with your web browser adds a layer of risk.
- Likewise, syncing data across devices through an untrusted intermediary adds another layer of risk.
- Third-party password managers populate login fields with user credentials, and deciding when, and into which page, a credential may be filled is very hard to do securely.
- Most web browsers use a sandbox security model to protect you while browsing. Browser extensions punch through that sandbox design.
- Using a third-party password manager requires you to trust the vendor to maintain their infrastructure and keep it secure.
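As an added illustration of why the autofill decision is hard (example code written for this page, not code from Tavis Ormandy's article or from any real password manager; the helper names and the sample page contexts are made up), the following compares a naive hostname check with a strict origin check against a few constructed page contexts:

```javascript
// Illustration only: two autofill policies deciding whether a stored credential may be
// filled into a page. Helper names (makeContext, shouldFillNaive, shouldFillStrict,
// evaluate) and the sample contexts below are hypothetical, not from a real product.

// A saved credential, as a password manager would store it, keyed by the origin it was saved on.
const stored = { origin: "https://accounts.example.com", username: "alice", password: "hunter2" };

// Build a constructed page context (not captured from a real browser).
function makeContext(pageUrl, isTopFrame, topUrl) {
  const u = new URL(pageUrl);
  return {
    origin: u.origin,                                   // scheme + host + port of the frame
    hostname: u.hostname,
    isTopFrame,                                         // false when the form sits in an iframe
    topOrigin: new URL(topUrl ?? pageUrl).origin,       // origin of the top-level document
  };
}

// Naive policy: substring match on the registrable-looking part of the hostname.
// This is the kind of check that hands credentials to pages they were never saved for.
function shouldFillNaive(cred, ctx) {
  const savedHost = new URL(cred.origin).hostname;
  const loose = savedHost.split(".").slice(-2).join(".");   // "example.com"
  return ctx.hostname.includes(loose);
}

// Strict policy: exact origin match (scheme, host and port), only in the top-level frame,
// only when the top-level document has that same origin, and never over plaintext HTTP.
function shouldFillStrict(cred, ctx) {
  if (!ctx.isTopFrame) return false;                   // no filling into embedded frames
  if (ctx.origin !== cred.origin) return false;        // exact origin, not "looks like"
  if (ctx.topOrigin !== cred.origin) return false;     // the visible page must match too
  return ctx.origin.startsWith("https://");            // refuse downgrade to HTTP
}

// Constructed page contexts that a password manager might encounter.
const cases = {
  legit:         makeContext("https://accounts.example.com/login", true),
  httpDowngrade: makeContext("http://accounts.example.com/login", true),
  lookalike:     makeContext("https://accounts.example.com.evil.test/login", true),
  subdomain:     makeContext("https://blog.example.com/login", true),
  iframe:        makeContext("https://accounts.example.com/login", false, "https://evil.test/"),
};

// Run a policy over every case and return the decisions by name.
function evaluate(policy) {
  const out = {};
  for (const [name, ctx] of Object.entries(cases)) out[name] = policy(stored, ctx);
  return out;
}

console.log("naive :", evaluate(shouldFillNaive));
console.log("strict:", evaluate(shouldFillStrict));
```

The naive policy fills in all five contexts, including the lookalike domain, the sibling subdomain, the plaintext HTTP downgrade and a login form embedded in a third-party iframe; the strict policy fills only the first. Real managers then have to handle the legitimate exceptions users complain about (sign-in pages on sibling subdomains, redirects to a separate SSO host), which is exactly why this check is hard to get right.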
Tavis argues that password managers built into your browser provide the same functionality and sidestep the fundamental problems with third-party apps highlighted above. Specifically, he suggests that built-in password managers can isolate their trusted UI from websites, do not break the sandbox security model, are maintained by world-class security teams, and are very easy to use.
Counter arguments for using third-party Password Managers
While I do not disagree with any of the arguments presented by Tavis, there are equally valid reasons why a third-party password manager can still be a good option for many people, as detailed below:
- It is true that using a third-party password manager adds an element of risk; however, the same can be said of any browser extension. Unless someone refuses to use any extensions at all, this cannot on its own be an argument against using a third-party password manager.
- Built-in password managers tie you to a single browser. However, the majority of people do not use a single browser; they use multiple browsers across multiple devices or platforms. In fact, compartmentalising activities across different browsers can be a good strategy for improving privacy, as discussed here.
- Using a third-party password manager does require trusting an intermediary; however, to date there has been no evidence to suggest that the most carefully and well-designed third-party password managers have introduced exploitable vulnerabilities.
- Password managers are often used to store more than website passwords. Many people use the secure notes field for additional information, or store passwords for offline applications.
Having reviewed the arguments presented by Tavis Ormandy and considered some arguments in favour of a third-party password manager, we can now try to answer our original question:
Is it safe to use a browser’s built-in password manager
If you use one of the mainstream web browsers (Chrome, Firefox, Safari) exclusively, then you can safely use its built-in password manager. As Tavis points out, they isolate the password manager's trusted UI from web content and have world-class security teams maintaining them. Equally, if you use multiple browsers and want to synchronise data across multiple devices, then the most carefully and well-designed third-party password managers are also a safe choice that introduces only a limited element of risk.
Finally, it would be remiss of me not to mention that we really should be using unique passwords for all our accounts. You don’t have to use a password manager to do that, whatever system works for you is fine. See my previous article for more information.