Saturday, November 11, 2023

Why NOT to use password managers?



Hey, it's been years since I last posted anything, but there were reasons, OK? So hopefully I will be able to post more often. Now, the title might be a bit bold, but the point is to demonstrate why password managers are not as good as they claim and why some trivial solutions, like browsers, are actually not as bad as they are portrayed. So in this article, I propose to debunk and analyze common misconceptions regarding password managers, spread by marketing and sales to scare you and make some profit.

 

"browser password managers are limited to that specific browser"

 

OK, we can just say that it's not true and move on. Not only can password storage be converted from one browser to another, not only can browser data be synchronized across multiple devices, but different browsers can also access your single keyring/keychain. But what about sharing the passwords?


"you can't securely share your passwords with someone else"

 

Despite the fact that there is no integrated solution for this purpose in browsers, I wouldn't say that the stand-alone managers are actually better: you have to use the same password manager, have an account and probably pay for it. However, you can always use existing solutions, like free E2E messaging (which you are supposed to use for secure communication anyway), web-based crypto bins/pastes or even (self-made) anonymous token sharing. Provided your password is secure, that is...

"there is no security check for password strength"

 

Not a valid point: browsers are capable of generating "random" passwords, which can be further tuned with an extension. An entropy check is, however, always advised. Nonetheless, sites nowadays will often enforce their own password policy and some services even provide static passwords that can't be changed, although you're supposed to have different passwords for different cases and change them from time to time (especially if the platform got leaked). Anyway, about the passwords...
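To make the "random password plus entropy check" point concrete, here is an added example (not code from the original post or from any browser): a generator that draws characters from the OS CSPRNG via Python's `secrets` module and reports the entropy of the generating process as `length * log2(alphabet size)`, which is the number a strength check should look at rather than any score computed from the characters of a single password. The character classes, the 80-bit minimum and the `strength_report` helper are assumptions chosen for the illustration.

```python
import math
import secrets
import string

# Character classes a typical generator lets the user toggle (constructed for this example).
CHARSETS = {
    "lower": string.ascii_lowercase,        # 26
    "upper": string.ascii_uppercase,        # 26
    "digits": string.digits,                # 10
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?/",  # 26
}

DEFAULT_CLASSES = ("lower", "upper", "digits", "symbols")


def alphabet_size(classes=DEFAULT_CLASSES) -> int:
    """Size of the union of the selected character classes (classes are disjoint here)."""
    return sum(len(CHARSETS[c]) for c in classes)


def entropy_bits(length: int, alphabet: int) -> float:
    """Entropy of a string of `length` symbols drawn uniformly from an alphabet of `alphabet` symbols.

    This measures the generator, not the resulting string: a uniformly random 16-character
    password over 94 symbols carries 16 * log2(94) ~= 104.9 bits regardless of what it looks like.
    """
    if length <= 0 or alphabet <= 1:
        return 0.0
    return length * math.log2(alphabet)


def generate_password(length: int = 20, classes=DEFAULT_CLASSES) -> str:
    """Draw `length` characters uniformly from the selected classes using the OS CSPRNG.

    Rejecting candidates that miss a class (as many site policies demand) slightly reduces the
    entropy below `entropy_bits`; for lengths well above the class count the loss is negligible.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of required character classes")
    alphabet = "".join(CHARSETS[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CHARSETS[c] for ch in candidate) for c in classes):
            return candidate


def strength_report(length: int, classes=DEFAULT_CLASSES, min_bits: float = 80.0) -> dict:
    """Entropy check for a proposed generator configuration (assumed 80-bit floor for this example)."""
    bits = entropy_bits(length, alphabet_size(classes))
    return {"alphabet": alphabet_size(classes), "bits": round(bits, 2), "ok": bits >= min_bits}


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, strength_report(20))
    # A digits-only PIN of length 6 is ~19.9 bits: no amount of "complexity" rules fixes that.
    print(strength_report(6, ("digits",)))
```

The rejection loop in `generate_password` is there because many sites insist on "at least one of each class"; if you do not need that, drop it and the full `entropy_bits` figure applies exactly.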


"you can only store passwords"

 

It is true that the storage capabilities of browser password managers are somewhat limited, but this is very much true for stand-alone password managers as well, hence the existence of disk encryption and cryptographic containers, which brings us to...

 

"browser passwords aren't stored encrypted"


Well, not if you're using a primary/master password, and cloud solutions are also possible for browsers. Now, I would like to address the case where you're not storing your passwords encrypted, and the first thing I want to say is that as long as your hard disk is encrypted, it is actually not that crucial. With disk encryption it's pretty self-explanatory: if your disk/partition isn't encrypted, anyone with physical access to your PC can have your data, which is of course not good. If you use disk encryption (and use it properly), the only way to access your data is to compromise your software, and if someone is able to access your PC that way, little could stop the attacker from getting your password to decrypt whatever is locked: if you can't trust your system, you can't trust your data. Now, I would always recommend encrypting rather than not, and using multiple security layers. Also, speaking about security...

 

 "your browser isn't a security product and may be compromised"

 

This is, unfortunately, very true, but the browser is the most used product for accessing the internet regardless, and other password managers aren't perfect either. In fact, nothing is perfect: some browsers are better than others, some hardening is possible, some password managers have browser extensions (perhaps they aren't sure about their own security either), and even if our software were perfect, there would still be the kernel, the hardware and the user... At this point you could even say that it's more secure to write your password on a post-it, so it can't be hacked on your PC, and in fact hardware password managers, crypto wallets and authentication tokens do exist, not to mention biometric and multi-factor strong authentication. By the way, I wrote a research thesis on this subject some time ago. Furthermore, I also made a password generator (a deterministic password manager), which might be useful in some cases for someone.
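Since the post mentions a deterministic password manager without showing how one works, here is an added example of the general idea; it is not the author's generator and makes no claim about how that tool derives its passwords. The scheme, parameters and alphabet below are assumptions for the illustration: a memory-hard KDF (scrypt, from Python's standard `hashlib`) stretches the master secret with the site, username and a rotation counter as salt, and the derived key is expanded with HMAC and mapped onto a printable alphabet by rejection sampling so that no modulo bias creeps in. Nothing is stored; the same inputs always reproduce the same password, which is both the appeal (no vault to sync or lose) and the caveat (a leaked master secret exposes every site at once, and a per-site password can only be "changed" by bumping the counter).

```python
import hashlib
import hmac
import string

# Assumed output alphabet: 74 printable symbols (constructed for this example).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

# scrypt cost parameters assumed for the example: 16 MiB of memory, interactive latency.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _derive_key(master_secret: str, site: str, username: str, counter: int) -> bytes:
    """Stretch the master secret with a salt built from the per-site inputs.

    The NUL separator keeps the fields unambiguous ("ex.com" + "ample" can't collide
    with "ex" + "com.ample"), and the counter lets a user rotate a single site's password.
    """
    salt = "\x00".join([site, username, str(counter)]).encode("utf-8")
    return hashlib.scrypt(master_secret.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def _key_to_password(key: bytes, length: int) -> str:
    """Map key material onto ALPHABET without modulo bias.

    HMAC(key, block_index) yields as many pseudo-random bytes as needed; a byte is used only
    if it falls below the largest multiple of len(ALPHABET) that fits in 256, else rejected.
    """
    limit = 256 - (256 % len(ALPHABET))  # 222 for a 74-symbol alphabet
    out, block = [], 0
    while len(out) < length:
        stream = hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        block += 1
        for b in stream:
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
    return "".join(out)


def derive_password(master_secret: str, site: str, username: str,
                    counter: int = 1, length: int = 20) -> str:
    """Deterministically derive the password for (site, username, counter) from the master secret."""
    if length <= 0:
        raise ValueError("length must be positive")
    return _key_to_password(_derive_key(master_secret, site, username, counter), length)


if __name__ == "__main__":
    # Constructed sample inputs; in practice the master secret is never stored anywhere.
    print(derive_password("correct horse battery staple", "example.com", "alice"))
    print(derive_password("correct horse battery staple", "example.com", "alice", counter=2))
```

The memory-hard KDF is what stands between an attacker who learns one derived password and an offline search for the master secret; the rest of the construction only has to be deterministic and unbiased.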

 

Now what?

 

Now, all that we are left with are questions: why should we use password managers in the end? Why use passwords at all? What is authentication? What is identity? Can it all be secure enough? To my regret, I must say that I don't have definite answers, and in fact answering these is not the point of the article. What I wanted to show is that browser password storage is actually a pretty viable solution and that password managers have some limitations to consider. I'm not saying that nobody should use password managers, they are a security solution after all, but I'm saying that there are alternatives and every solution has to be considered case by case, depending on what you need. Thus, you shouldn't be easily persuaded by what your vendor, or any "security expert", says. This article isn't a holy Bible either; I only express my opinion and provide some information to back it up, nothing more, nothing less. It's always up to you to decide what you will use, and this is the only thing that I want my reader to keep in mind. That said, stay safe, stay secure.