It's not a good idea to use Google Chrome to manage your passwords. Here's why.

 


Password management software has been available since the 1990s, and in the early 2000s the main browsers added password management as a built-in capability. Since then, PCMag has urged users to move their credentials from unsafe browser storage to a reliable password manager. Back then, we could point to password managers that could extract credentials from your browser, erase them from the browser, and disable future browser-based password collection. That doesn't seem secure at all!

Happily, browsers have improved and no longer leave your credentials as vulnerable to outside interference. For example, you'll likely need to manually export passwords from the browser and import them into your new product if you want to switch to a dedicated password manager.


But have browsers advanced sufficiently for us to advise keeping your passwords in them? Specifically, should you use Chrome's simple built-in Google Password Manager? Experts maintain that the answer is still a resounding no.

Even Dedicated Password Managers Can Leak

Trust is crucial for a business that relies on password management. Serious competitors encrypt your data using zero-knowledge techniques so that neither the password company, nor the government, nor anybody else will ever be able to decode it.

Yet implementation mistakes may jeopardise the security of passwords. In a series of exposures that began in August of last year, hackers infiltrated a key LastPass employee's computer and were able to acquire an undetermined number of encrypted data vaults. What's worse, several crucial data components, such as login domains, weren't secured. It's now hard to trust LastPass.

The techie's preferred password manager is KeePass, in large part because of its limitless customizability. Yet it has come to light that the ability to customise is also something of a weakness. All of your KeePass passwords are vulnerable to theft by anybody who obtains access to your computer, whether via a Remote Access Trojan or simply by sitting down at it while you're away. Making an action that exports the passwords to plain text, after which the data is sent to an online drop, is a straightforward process. It's true that getting the necessary access could be difficult, but it is still feasible to use the exploit. Or rather, it was feasible. The ability to export passwords without entering the master password was eliminated in the most recent KeePass release, 2.53.1.

How to Enable or Disable Google Password Manager


Let's cover how to turn off Google Password Manager (or turn it back on, if you like) before discussing whether you should use it. To begin with, confirm that Sync is turned on in each Chrome instance where you want to share passwords. Choose Settings from the three-dot menu in the top right corner of the Chrome window. If it isn't already selected, click the You and Google option at the top of the left-rail menu. You may toggle synchronisation on or off in the dialogue box that appears.


Just underneath You and Google, choose Autofill, then select Password manager. Turn on Offer to Save Passwords and Auto Sign-in if you wish to utilise Google Password Manager. Turn them off if not.

Read How to Master Google Password Manager for more information. From a security standpoint, we do not advise it, but we are aware that some individuals may forgo safety in favour of convenience.

What the Experts Say About Browser Password Managers


I consulted professionals from many well-known commercial password manager firms, including Craig Lurey, co-founder and CTO of Keeper, Tomas Smalakys, CTO of NordPass, and Michael Crandell, CEO at Bitwarden, to enhance my own expertise and experience.

Browser Password Managers Are Convenient But Dangerous


Smalakys began his essay with a caution against using a browser's built-in password manager, noting that "Internet users continue to fall into the 'But it's easy!' trap despite ongoing cybersecurity experts' warnings about browser password managers' weaknesses." Lurey concurred, noting that a recent Keeper blog post outlined a lengthy list of reasons why browser password managers aren't secure.

Dedicated password managers can protect your data without ever knowing your master password thanks to zero-knowledge encryption. According to Lurey, Google's password manager does not employ zero-knowledge encryption. "Google can basically see anything you store. On-device password encryption is an 'optional' feature that they have, however even when it is, the decryption key is retained on the device."
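The zero-knowledge model described above, and the LastPass lesson about login domains that weren't secured, can be shown in a short sketch. This is an added example, not code from the article or from any password manager: the record layout, function names and sample entry are constructed, the PBKDF2 iteration count is an example value, and the HMAC-based keystream is a standard-library stand-in for a real AEAD cipher such as AES-GCM.

```python
import hashlib, hmac, json, os

def derive_keys(master_password, salt):
    # Runs only on the user's device; the provider never receives the password or the keys.
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream (stand-in for AES-GCM, see lead-in).
    stream = b"".join(hmac.new(key, nonce + c.to_bytes(8, "big"), hashlib.sha256).digest()
                      for c in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(keys, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(keys[0], nonce, plaintext)
    tag = hmac.new(keys[1], nonce + ct, hashlib.sha256).hexdigest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}

def unseal(keys, blob):
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(keys[1], nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong master password or modified vault")
    return _xor_stream(keys[0], nonce, ct)

def build_record(master_password, entry, encrypt_url=True):
    # Returns exactly what the provider would store for this entry.
    salt = os.urandom(16)
    keys = derive_keys(master_password, salt)
    secret = {k: v for k, v in entry.items() if encrypt_url or k != "url"}
    record = {"salt": salt.hex(), "blob": seal(keys, json.dumps(secret).encode())}
    if not encrypt_url:
        record["url"] = entry["url"]  # metadata readable by anyone who holds the vault
    return record

def open_record(master_password, record):
    keys = derive_keys(master_password, bytes.fromhex(record["salt"]))
    entry = json.loads(unseal(keys, record["blob"]))
    entry.update({k: record[k] for k in ("url",) if k in record})
    return entry

def plaintext_leaks(record, entry):
    # Which entry values can be read from the stored record without the master password?
    stored = json.dumps(record)
    return sorted(k for k, v in entry.items() if v in stored)

# Constructed sample entry, not real credentials.
ENTRY = {"url": "bank.example.test", "user": "alice", "password": "constructed-Pa55"}
```

With `encrypt_url=True` the stored record reveals none of the entry's fields; with `encrypt_url=False` the login domain is readable to whoever obtains the vault, even though the password itself stays encrypted.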

Smalakys agreed that browser data isn't as secure as data kept in a password manager. Hackers use social engineering techniques to dupe internet users into downloading new extensions that may quickly extract data saved in a browser, he added. He said, "Although there is nothing improper about storing passwords in the cloud, a business must guarantee that user data is encrypted before it is saved in the cloud. Internet consumers should pick a service provider that ensures end-to-end encryption as a result."

Any password manager is preferable to none, said Crandell, but he added a warning: "The drawback of browser-based password managers is that they function only within a walled garden. You're out of luck if you ever need to work in a different browser or a setting that that browser can't access."

Password Managers Have More Features


The built-in password manager in Chrome doesn't live up to the requirements of specialised password management apps, according to a laundry list of minor flaws provided by Lurey. First off, it only works with Chrome; if you use another browser, you're out of luck. There is no option for creating a digital heir for your password collection or for securely exchanging passwords. Personal information like addresses, account numbers, and credit card numbers is not stored by the browser; only passwords are.


Moreover, Crandell emphasised the dearth of crucial functionality in browser-based password systems. Such systems, according to him, do not support "secure password sharing with colleagues and family, support for biometric login and security keys, reports on whether your passwords are weak, frequently used, or have been compromised, integration with systems at work like SSO, and many other features."

Many browsers do not require a master password or multi-factor authentication (MFA) approval, according to Smalakys. Google does not mandate MFA, but it does permit it. There isn't a master password, in fact. Anybody with access can log into your accounts if Chrome is open on your desk. If you allow someone else to use your phone, the same applies.

Browsers Lock You In


Crandell cautioned against entering the walled garden of any one large corporation. Working freely across all settings and platforms, including browsers, mobile devices, and desktop operating systems, is crucial.

Smalakys brought up the risk of linked accounts. According to him, the security of a Chrome browser setup depends on how secure the attached Gmail account is. "If this Gmail account is hijacked, a hacker might easily obtain all the passwords saved for other accounts on the browser." The user must have complete faith in Google to preserve their information, according to Lurey, who made a similar observation. All of your passwords are compromised if your Google account is compromised.

The primary purpose of a browser is surfing; password security is an afterthought. In order to assure security, "dedicated password managers are investing all of their work into designing a password manager that is safe and undergo independent audits," Smalakys said. Similar thoughts were expressed by Crandell, who said that leading password managers are more feature-rich because they "concentrate 100% on providing both optimal safety and the myriad use cases for passwords."

Bottom Line, Get a Real Password Manager


The zero-knowledge encryption methods that shield password information from everyone—including the password management company—are not used by Google Password Manager. Not even a master password is employed. Several functions available with dedicated password tools are not available with built-in browser features. Moreover, only Chrome supports Google's password mechanism (or, to an extent, Android). These are just some of the benefits of using a true password manager rather than Chrome.

The fact that Google Password Manager is a free feature of a free browser is quite useful. Yet that's not a good enough excuse to accept passwords with insufficient security. Use one of the several free password managers that we've reviewed instead; they all provide excellent password security for the same low cost.




