Is it safe to store passwords in your web browser?

Security and convenience are usually at opposite ends of a scale, so with added security comes added inconvenience.

Passwords are a great example. At the convenience end of the scale, you can use the same password for everything from your bank’s website to a gardening forum and everything in between. Better yet, use the same email address or username for all of these accounts and you’ll only have one login to remember.

At the other end – the maximum security side of the scale – is where each account is protected with a unique, complex password and possibly multi-factor authentication as well.

You probably already know that it’s not a good idea to use the same password for everything, and you try to use a different one for different websites and accounts. Since it’s not possible to remember them all, along with which password and username goes with each account, you use (or want to use) a password manager.

Web browsers often have built-in password managers, but we don’t consider them as secure as a dedicated password manager such as Bitwarden or LastPass.

However, using a web browser’s password manager is still better than using the same password for everything, and there are definitely convenience benefits. Here are some of the benefits to consider.

1. It is already installed

If you use, for example, Chrome or Firefox, their built-in password managers are waiting for you to use them.

There is no need to install any additional software or to pay anything, as they are free.

2. They work on all your devices

As long as you’re not using an obscure browser that doesn’t offer desktop and mobile versions, the credentials you save in the browser will be available on any other device you use with the same browser. You’ll need to sign in and turn on the “sync” option for this to work, but that’s another real plus.

3. They automatically generate strong passwords

Modern browsers suggest a complex password when creating a new account or changing an existing password. This avoids the temptation to reuse existing passwords.

4. They auto-fill credentials for you

When you visit a website, the browser automatically fills in your username and password so you don’t have to find and type it. It’s no different from standalone password managers, but it’s very handy.

But browser password managers aren’t necessarily the most secure option. Here’s why.

1. They’re not as secure as dedicated password managers

Take Google’s password manager, built into Chrome, because Chrome is by far the most popular web browser. It’s pretty good, but it doesn’t protect your passwords as well as it claims.

Unlike most dedicated password managers, Chrome doesn’t use a master password to encrypt all of your logins. (Note that some browsers do use one, and are therefore more secure, although you always have to trust your browser provider.)

This makes your stored passwords in Chrome relatively weak against “local” attacks. For example, if someone knows you well and gets — or guesses — your Windows password, then they can see all the logins stored in your browser’s password manager.

However, they don’t need to know your Windows password, because you might walk away from your laptop or PC and leave it unattended. They can walk up, open Chrome’s settings and see all stored logins.

Passwords are masked, yes, but usernames and associated websites are not. They can visit any of these sites and sign in using Chrome’s autofill feature. If they’re really clever, they can press F12 and use the browser’s dev console to remove the type="password" code on the login page. This gets rid of those pesky masking characters and displays the password in all its glory.

2. The security of all your accounts is linked to the security of your browser account

Another risk, along the same lines, arises if you use the sync option to make these logins available on all your devices. This means that they are stored in the cloud and, although they are encrypted, if someone manages to hack your browser account, they will have access to all your logins.

That’s why you should use two-factor authentication on your browser account if you are going to use its password manager and sync them with all devices.

Likewise, these stored credentials (along with those of everyone using the same browser password manager) could be stolen during a hack and, potentially, decrypted.

3. Switching to other password managers isn’t always easy

If you store hundreds of logins in your browser’s password manager, then decide to switch browsers or use a dedicated password manager (which you should have done in the first place, of course), you may find that it is not so simple.

There may be an export option, but it may not generate a file compatible with the browser or password manager you want to move to.

Password managers themselves have their own pros and cons, of course. You may have to pay for one, and it may not be as easy and convenient as a browser password manager.

However, one advantage they hold (besides being more secure through the use of the master password) is that they can usually autofill credentials outside of a browser. This is especially useful on mobile devices for logging into apps.

They can also store more than passwords. You may want to include notes with credentials or store other sensitive information such as your passport details. A browser password manager won’t.