June 25, 2018 | Updated June 23, 2022
To keep all your online information secure, you should have a unique password for every account, but who can remember that many phrases or random combinations of letters, numbers, and special characters? No one, which is why people either reuse the same two passwords (increasing the odds of getting hacked) or they use their browser or a stand-alone password manager. Of these two options, your browser may be the most convenient, but is it safe to store passwords in Chrome or other browsers like Firefox and Safari?
We dive into the pros and cons of browser password managers and how to choose the right password manager option for your needs.
Are browser password managers secure?
When you sign into an account or create a new username and password, your browser asks, “Would you like us to save your password?” While this is an enticing option for convenience's sake, it might not be your safest option. For an article in Wired about password manager security, Evan Johnson at CloudFlare cautions against using Chrome or any other browser to save your passwords:
“The cryptography details and implementation details should at least be documented somewhere, but they’re not,” says Johnson. “Chrome says ‘Your passwords are always encrypted,’ but this doesn't say a whole lot.”
Chrome doesn't use a master password to encrypt all your saved usernames and passwords. This means that if someone gets ahold of your device and is able to access your browser, they can take advantage of the autofill feature and access all your stored accounts. It's important to remember that acting as a password manager is secondary to a browser’s core function. And this should have you worried. For browsers, the primary goal is convenience, and this means the level of security takes a hit. That said, using your browser to store passwords is still more secure than using weak passwords or reusing passwords across accounts. Fortunately, there are other options.
Why you should use a stand-alone password manager
Stand-alone password managers that function separately from your browser, like LastPass, 1Password, or N-able Passportal, require you to first set up a master password that you will remember but that no one else can easily crack.
Pro tip: Use your master password only for your password manager, and nowhere else, to avoid getting hacked.
Once you’ve created a strong master password, you can also use the manager to generate passwords that offer maximum security (random combinations of letters, numbers, and characters) across all your accounts. Having a master password makes it much harder for someone to access your login credentials. Password management services also offer helpful ways to organize credentials, revoke access to ex-employees, and securely share passwords with team members.
Tips for increasing the security of your password manager
Using a stand-alone password manager is a good start, but there are certain convenience features that are best avoided for maximum security. The main feature to be wary of is the autofill function.
Forgo the autofill
Autofill means that the password manager automatically fills in your username and password for frequently used sites. While fast and convenient, this option also makes your information more readily accessible to third parties looking to harvest your data for advertising and more malicious purposes.
For example, there’s the possibility that an experienced hacker could impersonate a credible website, like MailChimp, where you store both payment information and individuals' email addresses, full names, where they live ... You get the picture. If you use the autofill feature, the fake MailChimp site could trick your password manager into providing it with your user credentials, allowing the attacker to access everyone’s information.
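The autofill decision described above comes down to how the manager compares the page in front of it with the site where the login was saved. The sketch below is an added example, not code from any password manager named in this article; the function names, the saved entry and the sample URLs are constructed for illustration. It puts a loose host-name comparison beside an exact-origin check.

```javascript
// Constructed vault entry: the credential is bound to the exact origin
// (scheme + host + port) where it was saved.
const savedLogins = [
  { origin: "https://mailchimp.com", username: "ops@example.com" },
];

// Weak rule, shown for contrast: fill whenever the saved host name
// appears anywhere inside the page's host name.
function looseMatch(savedOrigin, pageUrl) {
  const savedHost = new URL(savedOrigin).hostname;
  return new URL(pageUrl).hostname.includes(savedHost);
}

// Strict rule: fill only when the page is HTTPS and its origin is
// identical to the saved origin.
function strictMatch(savedOrigin, pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return false; // unparsable URL: never fill
  }
  return page.protocol === "https:" &&
         page.origin === new URL(savedOrigin).origin;
}

// Return the saved logins the manager would offer on this page.
function loginsToFill(pageUrl, matcher) {
  return savedLogins.filter((entry) => matcher(entry.origin, pageUrl));
}

// Constructed sample pages: the real site and a lookalike host that
// merely starts with the saved host name.
const realPage = "https://mailchimp.com/login";
const lookalikePage = "https://mailchimp.com.billing-update.example/login";

console.log("loose, lookalike:", loginsToFill(lookalikePage, looseMatch).length);
console.log("strict, lookalike:", loginsToFill(lookalikePage, strictMatch).length);
console.log("strict, real site:", loginsToFill(realPage, strictMatch).length);
```

Launching sites from inside the password manager, as recommended later in this article, has the same effect as the strict rule: the credential only ever goes to the address that was saved with it.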
To store or not to store your master password?
Password managers like Dashlane and 1Password have an extra security feature to protect your master password. These managers don’t store your master password, which means no one can steal it, but if you forget it, you’ve lost access to all your other usernames and passwords. LastPass, however, does store your master password, giving you the option of a password reminder or reset should you forget it. (This is why memorable passphrases are so important.)
Two-factor authentication
Last but not least, make sure to choose two-factor authentication when setting up your password manager. This requires two steps and two devices when you log in: your username and password and either a secure code that’s texted to your phone or a fingerprint. This second piece of information provides an extra layer of security for all your passwords inside the vault. Although it may take a little longer to log in this way, the small sacrifice in convenience is well worth the additional security.
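What "the manager doesn't store your master password" means in practice: the vault is encrypted with a key derived from the password, and only the salt, nonce, authentication tag and ciphertext are kept. This is an added example using Node.js's built-in crypto module, not code from Dashlane, 1Password or LastPass; the function names, record layout and scrypt settings are assumptions.

```javascript
const crypto = require("node:crypto");

// Derive a 256-bit vault key from the master password and a random salt.
// Node's default scrypt cost parameters are used here as an assumption,
// not as any vendor's actual settings.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32);
}

// Encrypt the vault entries. The returned record is everything that gets
// stored: the master password and the derived key are never part of it.
function sealVault(masterPassword, entries) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(entries), "utf8"),
    cipher.final(),
  ]);
  return { salt, iv, tag: cipher.getAuthTag(), ciphertext };
}

// Decrypt the vault. A wrong master password derives a different key, the
// GCM tag check fails, and nothing is recovered: there is no reset path.
function openVault(masterPassword, record) {
  const key = deriveKey(masterPassword, record.salt);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    const plain = Buffer.concat([
      decipher.update(record.ciphertext),
      decipher.final(),
    ]);
    return JSON.parse(plain.toString("utf8"));
  } catch {
    return null; // wrong password or tampered record
  }
}

// Constructed sample data.
const demoVault = sealVault("correct horse battery staple", [
  { site: "example.com", username: "ops@example.com", password: "s3cret-sample" },
]);
console.log("right password:", openVault("correct horse battery staple", demoVault));
console.log("wrong password:", openVault("guess123", demoVault));
```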
Which stand-alone password manager should I use?
There are many options out there for stand-alone password managers and they’re not all created equal. Choose your manager based on these three factors in order of highest priority:
Here at Pagoda, we have chosen N-able Passportal as our password manager of choice because it meets all three requirements. It also allows us, as an MSP (Managed Service Provider), to securely manage and access our clients' login credentials. For the individual user, LastPass is also secure and convenient and offers a free plan.
Security: Passportal uses an 'organization key' to encrypt your account so only you have access. Passportal cannot decrypt this key so they can never access your account. It also prevents cybercriminals from exploiting any yet-to-be-identified vulnerabilities in Passportal's software.
LastPass does store your master password but we like to know that should we ever forget it, we don’t have to start over entirely with all our accounts. They also provide an entire blog post on how to create a strong master password because they recognize that this is the most important step in creating your LastPass account. They use local encryption that keeps all your information secret from other users and from LastPass and offer two-factor authentication. We also like that LastPass auto-generates secure random passwords for every account we use, ensuring optimum security across our online activity.
Convenience: Passportal and LastPass can both integrate with almost any browser, although we don't recommend using the autofill feature. Instead, you can launch your websites from your password manager. You can also automatically generate a random password and add it to your Passportal or LastPass vault. You can then organize your passwords into folders so you can easily search for a specific account.
It’s important to note that you can also store other sensitive information, besides passwords, in any password manager. Think credit card numbers, contact information, passport numbers, prescriptions, receipts, and the login info for your wireless router.
Cost: The cost for Passportal is custom based on your number of employees and specific needs. Our clients pay, on average, just $3 per month.
All the features described above are offered in the free version of LastPass. The paid premium version is still only $24 per year and has additional features such as advanced security options, priority tech support, and additional storage.
Bottom line: Use a password manager separate from your browser
The bottom line is that it’s more secure to use a stand-alone password manager rather than allowing Chrome, Safari, or another browser to store your information. For more password manager options, check out Expert Insight's Top 10 Password Managers for Business or this article by PCMag that compares the best password managers of 2022.