Copyright SlashGear

There's no denying that saving your password on your web browser is as easy as it is convenient. When your browser politely asks if you'd like it to "save your password for next time," it feels like a favor you should accept. After all, it's free, can be synced across your devices, and saves you time spent figuring out or inputting whatever mix of uppercase letters, numbers, and symbols you came up with for your login. The problem with accepting that favor is that, by default, browser password managers lack certain security features, as they are not built to protect information as robustly as dedicated password managers.

Browsers like Chrome and Edge store passwords in the local browser profile folders and then sync them to Google and Microsoft servers. They do not employ the end-to-end encrypted vault or servers that a dedicated password manager would, offering only OS-level encryption at best. The reason this isn't good enough is that it leaves your passwords at risk to anyone who logs into your account or has access to it. So, if your account is compromised or suffers a malware attack, your passwords are as good as an open secret, and even your more complicated passwords can be vulnerable. Then there are phishing attacks and malicious extensions, where browsers can autofill passwords into websites that merely look legitimate.

What you'll want is a dedicated password manager since it uses a master password or key that you create and control. That way, you alone can have access to your credentials even in the instance of an account compromise or a cyber attack.

In general, there are several ways you can benefit from using a password manager. But using one that is dedicated to being just that and only that has even more upside than using the free Google Password Manager, for instance. The main advantage is that dedicated password managers use advanced encryption and zero-knowledge architecture.
They typically use AES-256 or similar encryption standards, keeping encrypted databases separate from browser access. With these password managers, you can decrypt passwords only when needed and only on your local device, reducing your exposure to compromise and malware.

Speaking of which, dedicated password managers are outstanding when it comes to resisting malware theft and cyber attacks, and to providing breach alerts. Malware such as RedLine Stealer and Raccoon, which is designed to harvest saved browser passwords, has been proven to struggle against the encrypted vaults of password managers. These dedicated password managers also reduce the risk that autofill subsystems pose to phishing scams by verifying domain names before filling data. Additionally, password managers actively monitor for data breaches using their integrated breach-checking tools, which adds a layer of defense that your browser won't.

You should know that although Google uses the same high-standard AES technology that dedicated password managers use, you'll still need to sync with your device's security, such as Windows Hello, to enjoy its benefits. Also, Apple's Keychain (or Passwords app) stands somewhat apart. It uses end-to-end encryption across Apple devices, meaning even Apple cannot access your passwords. Keychain is more secure than standard browser managers, but still not quite as specialized or transparent as dedicated ones.

If the convenience your web browser offers is too great to pass up, then you can take certain measures to ensure you're using it more securely. One way to do this is by enabling the on-device encryption available in Google Password Manager. Google's on-device encryption gives you and only you the encryption keys to manage your passwords by integrating your device's screen lock. It's like an extra bit of protection that will be exclusive to your device, but it also means you risk losing your passwords when you lose your Google login.

You can also restrict your browser from autofilling passwords. To do this on Chrome, click the three dots at the top right corner, go to "Settings," click "Autofill and passwords," and then select "Google password manager." From there, go to "Settings" and toggle off "Offer to save passwords." For Microsoft Edge, open "Settings" and select "Passwords and autofill." Then, go to "More Settings" and toggle off "Autofill Passwords and Passkeys." On Safari for macOS Catalina 10.15 and later, go to "File," then "Export," and click "Passwords." Once there, click "Export Passwords" and enter your Mac's password to save the file.

Another thing you can do is enable two-factor authentication (2FA) on every online account whose password you have saved in your browser. This is separate from integrating your device's security, such as PINs, biometrics, and passwords, into your password manager. Lastly, take time to go through and review your saved passwords and delete the ones you consider too sensitive to risk.
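
To make the domain check mentioned earlier concrete, here is a short sketch of how an autofill feature can compare the page's address with the address a login was saved for before filling anything. It is an added example, not code from any browser or password manager, and the function names, hosts and credentials in it are constructed for illustration.

```javascript
// Added example: decide whether a saved login may be autofilled on a page.
// Hosts, user name and password below are constructed sample data.
const savedLogins = [
  { origin: "https://accounts.example.com", username: "alice", password: "constructed-not-real" },
];

// Weak check: fills whenever the saved host name appears anywhere in the URL text.
function naiveShouldFill(entry, pageUrl) {
  return pageUrl.includes(new URL(entry.origin).hostname);
}

// Strict check: the page must be HTTPS and its origin (scheme, host, port)
// must equal the origin the login was saved for.
function strictShouldFill(entry, pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return false; // unparsable address: never fill
  }
  if (page.protocol !== "https:") return false; // no fill over plain HTTP
  if (page.username || page.password) return false; // text before "@" is not the host
  return page.origin === new URL(entry.origin).origin;
}

// Constructed page addresses: one genuine, four that only look right.
const samplePages = [
  "https://accounts.example.com/signin",
  "https://accounts.example.com.login.test/signin",
  "https://accounts.example.com@login.test/signin",
  "https://login.test/signin?site=accounts.example.com",
  "http://accounts.example.com/signin",
];

// Returns one row per page showing what each check would decide.
function compareChecks(pages, entry = savedLogins[0]) {
  return pages.map((url) => ({
    url,
    naive: naiveShouldFill(entry, url),
    strict: strictShouldFill(entry, url),
  }));
}

for (const row of compareChecks(samplePages)) {
  console.log(`${row.strict ? "fill" : "skip"}  (naive: ${row.naive ? "fill" : "skip"})  ${row.url}`);
}
```

The weak check would fill on all five sample pages, while the strict check fills only on the first, which is why matching the full address matters more than spotting a familiar name somewhere in it.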