

When you use a browser extension password manager, you give attackers an API to interact with your password manager via JavaScript or the DOM. That's how LostPass worked, and it's how many of the new attacks work, too. Desktop-based password managers have no such access, as they require compromising the local machine first, which is much harder than visiting a webpage.

Your password manager extension du jour might not be as bug ridden as LastPass, but it suffers from the same risk vector if it's a browser extension. If you're using it in a corporate environment to share passwords, now only one user of many needs to be attacked to steal all of your passwords via a previously undisclosed bug. If you think criminals aren't mining LastPass and others for bugs right now, you're naive.

What password managers should you use instead?

Does this mean you should give up and not use a password manager at all? No, but the choice is trickier than these companies' marketing would lead you to believe.

Desktop-based password managers

Any program that is not resident in your browser is safer than one that is. There are many choices to choose from in this category, and none of them suffers from the direct-access-via-JavaScript risk category. If you do use one, do not install the browser extensions. Copy and paste the passwords from the app into your browser. I use pass because it's simple to understand for technical folks, but I have many friends who use KeePass.

If you are buying a password manager from a company, you should ask to see the details of their latest source code security review. If they're reluctant, maybe you should be reluctant to put the crown jewels of your company in their hands.

Copying and pasting passwords into the wrong place is not a large enough risk to use a risky browser password manager extension. If you accidentally paste one password in the wrong place, it is easy to change. If you get all your passwords stolen by a new bug, you'll never even know, and you'll have little to no recourse.

Built-in browser password managers

Every major browser now has a well-designed, built-in password manager that is easy to use. These are a nice choice if you dislike copying and pasting passwords into websites. All of them also offer mobile sync so you can have your passwords on the go. Since two-factor authentication is not available for these, use a very strong and unique passphrase.

- Chrome's Password Manager along with a good sync password.
- Firefox's Password Manager along with a good master password.

I recommend non-technical users use the built-in password managers because they're easy to use and plenty secure.

Literally anything else

An encrypted text file on your computer is safer than a browser extension password manager.
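To see which extensions give web pages the JavaScript or DOM access to a password manager that this post warns about, the following added example (not part of the original post) reads a Chrome-style `manifest.json` and lists its page-reachable surfaces. The function name and both sample manifests are constructed for illustration.

```python
import json

# Match patterns that inject a content script into essentially every page.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def page_reachable_surface(manifest):
    """List the ways ordinary web-page JavaScript or DOM can reach this extension."""
    findings = []
    for script in manifest.get("content_scripts", []):
        broad = sorted(BROAD_MATCHES & set(script.get("matches", [])))
        if broad:
            where = "all frames" if script.get("all_frames") else "top frame"
            findings.append(f"content script on every page ({where}): {', '.join(broad)}")
    for pattern in manifest.get("externally_connectable", {}).get("matches", []):
        findings.append(f"pages matching {pattern} can send messages to the extension")
    for entry in manifest.get("web_accessible_resources", []):
        # Manifest V2 lists plain strings; Manifest V3 lists
        # {"resources": [...], "matches": [...]} objects.
        resources = [entry] if isinstance(entry, str) else entry.get("resources", [])
        for res in resources:
            findings.append(f"resource loadable by web pages: {res}")
    return findings

# Constructed sample manifests (hypothetical extensions, not real products).
SAMPLE_AUTOFILL = json.loads("""{
  "name": "Example Vault Autofill", "manifest_version": 2,
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["fill.js"], "all_frames": true}],
  "externally_connectable": {"matches": ["https://vault.example/*"]},
  "web_accessible_resources": ["popup.html"]
}""")
SAMPLE_TOOLBAR_ONLY = json.loads("""{
  "name": "Example Toolbar Button", "manifest_version": 3,
  "action": {"default_popup": "popup.html"},
  "permissions": ["storage"]
}""")

if __name__ == "__main__":
    for manifest in (SAMPLE_AUTOFILL, SAMPLE_TOOLBAR_ONLY):
        findings = page_reachable_surface(manifest)
        print(f"{manifest['name']}: {len(findings)} page-reachable surface(s)")
        for finding in findings:
            print("  -", finding)
```

An empty result means the manifest declares nothing a web page can touch directly; it says nothing about the quality of the extension's own code.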
