Is it safe to store passwords in your web browser?

Security and convenience usually sit at opposite ends of a scale, which is why extra security comes with extra inconvenience.

Passwords are an excellent example of this. At the convenience end of the scale, you can use the same password for everything from your bank’s website to a gardening forum and everything in between. Better still, use the same email address or username for all those accounts and you have just one login to remember.

At the other end – the maximum security side of the scale – is where each account is protected by a unique, complex password and maybe multi-factor authentication as well.

You probably already know that it isn’t a good idea to use the same password for everything, and you try to use a different one for each website and account. As it’s not possible to remember them all, and which password and username go with each account, you use (or want to use) a password manager.

Web browsers often have password managers built in, but we don’t consider them as safe as a dedicated password manager such as Bitwarden or LastPass.

However, using a web browser’s password manager is still better than using the same password for everything, and there are certainly advantages when it comes to convenience. Here are some of the pros to consider.

1. It’s already installed

If you use, say, Chrome or Firefox, then their built-in password managers are sitting there waiting for you to use them.

There’s no need to install any extra software, and no need to pay because they’re free.

2. They work across all your devices

As long as you’re not using some obscure browser that doesn’t offer desktop and mobile versions, the logins you save in the browser will be available on any other device you use with the same browser. You’ll need to sign in and enable the ‘sync’ option for that to work, but it’s another real benefit.

3. They auto-generate strong passwords

Modern browsers will suggest a complex password when you sign up for a new account or change an existing password. This helps avoid the temptation to reuse existing passwords.

4. They auto-fill logins for you

When you visit a website, the browser will auto-fill your username and password so you don’t have to look it up and type it in. That’s no different from standalone password managers, but it’s mighty convenient.

But browser password managers aren’t necessarily the safest option. Here’s why.

1. They’re not as secure as dedicated password managers

Let’s take Google’s password manager, built into Chrome, because Chrome is by far the most popular web browser. It’s pretty good, but it doesn’t keep your passwords quite as safe as it claims to.

Unlike most dedicated password managers, Chrome doesn’t use a master password to encrypt all your logins. (Note that some browsers do use one, and are therefore more secure, though you’ll still need to trust your browser provider.)

This makes your Chrome-stored passwords relatively vulnerable to ‘local’ attacks. For example, if someone knows you well and gets hold of – or guesses – your Windows password, they can then see all the logins stored in your browser’s password manager.

However, they don’t need to know your Windows password, because you might walk away from your laptop or PC and leave it unattended. They can walk up, go into Chrome’s settings and see all the stored logins.

The passwords are blanked out, yes, but the usernames and associated websites aren’t. They can visit any of those sites and log in using Chrome’s auto-fill function. If they’re really crafty, they can hit F12 and use the browser’s developer console to remove the type="password" code on the login page. That gets rid of those pesky blanked characters and displays the password in all its glory.

2. The security of all your accounts is tied to your browser account’s security

Another risk, along the same lines, arises if you use the sync option to make those logins available on all your devices. This means they’re stored in the cloud and, though they are encrypted, anyone who manages to hack into your browser account will have access to all your logins.

This is why you should use two-factor authentication on your browser account if you’re going to use its password manager and sync your logins to all devices.

Similarly, those stored credentials (along with those of everyone else who uses the same browser password manager) could be stolen in a hack and, potentially, decrypted.

3. Moving to other password managers isn’t always easy

If you store hundreds of logins in your browser’s password manager then decide to change browser or use a dedicated password manager (which is what you should have done in the first place of course), you might find it’s not that simple.

There may be an export option, but it might not generate a file that’s compatible with the browser or password manager you want to move to.

Password managers themselves have their own pros and cons, of course. You might have to pay for one, and it might not be quite as slick and convenient as a browser password manager.

However, one advantage they hold (besides the fact they’re more secure thanks to the use of the master password) is that they can usually auto-fill logins outside of a browser. That’s especially useful on mobile devices for logging into apps.

They can also store more than passwords. You might want to include notes with logins, or store other sensitive information such as your passport details. A browser password manager won’t do that.
