
One of the questions my students ask me most often when I explain how password managers work and why they should use one is why they can’t trust the ones that come built into browsers.
The answer, like almost everything in technology, is not black and white. A few days ago, I came across an article in Wired titled “Your browser’s password manager is better than ever. You still shouldn’t use it”. This seemed the perfect opportunity to revisit a topic that may seem trivial but remains one of the biggest security gaps for most users.
Most people do the same thing when a site asks them to create a password: they combine words, numbers, and symbols until the system lets them through… and then they try to remember it. But over time, that mental system ends up breaking down: too many passwords, too many variations, too many leaks. What many people do next, reusing the same password with minor changes, is the digital equivalent of leaving the door ajar.
That’s precisely why password managers exist: they are tools designed to securely store and encrypt credentials. Even so, a large number of users still prefer the browser’s automatic saving system. And although the managers built into Chrome, Safari, and Edge have significantly improved their encryption and synchronization, they still create a false sense of security.
The problem in this case is not the encryption, which in Google’s case uses the AES standard and even allows local encryption, but the architecture: all your passwords become dependent on a single account, a single point of failure. If an attacker manages to access your browser session, they gain not only your email, but full access to your digital identity. Granted, the browser’s password manager has no leaks… but it’s still wiser to use a separate one.
Dedicated managers, such as 1Password, Bitwarden or Proton Pass, launched some two years ago, offer an additional layer of separation. Your passwords are encrypted under a “zero-knowledge” model, which means that not even the company that hosts the service can access them. In addition, they include advanced security features such as email aliases, biometric authentication, or travel mode, which reduce the risk of exposure.
In contrast, browser-integrated managers are designed with a very different goal in mind: convenience, not security. Most users fear an interruption more than an attack, which is why many more secure features, such as requiring biometric authentication every time a password is autocompleted, are disabled by default.
And then there is human memory, undoubtedly the most precarious alternative. TechCrunch explained it years ago, and it remains valid today: relying on remembering complex passwords is not an act of mental discipline, but of irresponsibility. In an environment where phishing attacks, massive leaks, and credential trafficking are constant, human memory is always the weakest link.
Even the most reputable managers can fail, as happened with LastPass in 2023, when a data breach forced millions of users to change their passwords. But even that episode does not invalidate the model: it was the password manager I used, but the data was encrypted, access was limited, and it caused virtually no problems. The alternative, storing passwords in the browser, or worse, in your head, is much riskier.
In any case, using any manager is better than not using one at all. And if, out of habit, convenience, or thrift, you prefer the one that comes with your browser, use it, but know that it is a compromise. Integrated managers are convenient and free, but vulnerable to synchronization, session attacks, or dependence on a single account.
When it comes to security, convenience always comes at a price. Browser password managers are useful for those who don’t use anything else, but they are no substitute for a good dedicated solution. The key is not to memorize impossible passwords, but to use a manager that generates and remembers them for you, and then stop saving them in your browser. Because security is not in the tool, but in developing the habit.
Your digital life should not depend on a system designed simply for your convenience, just to save clicks. Browser-integrated managers are like a cheap umbrella in the middle of a storm: they may get you through and keep you a little drier, but if you can plan and be organized, don’t entrust your future or your security to something like that, because in today’s world, the question is not if you’re going to get hacked, but when, and whether you’ll lose more than convenience when you do. And that’s basically what I tell my students when we talk about these things in class.
—
This post was previously published on Enrique Dans’ blog.
Photo credit: iStock





