This is why I’m careful about saving passwords in my web browser


The eternal paradox with passwords is that while we’re constantly being pushed to create original and complex passwords for every app we use and every website we visit, those passwords become useless when we can’t remember them. Yes, a login like “311t10@gobxylo” might be difficult to crack and impossible to guess, but I’d never be able to memorize that well enough to avoid triggering a password reset eventually. Some sort of password locker is mandatory for me, and probably for you as well.

Because of this, it’s now standard for major web browsers like Chrome and Firefox to offer to save your passwords in a free locker synced to your account. It’s extremely convenient, and you’re probably taking advantage of it right now. There are some security issues you should be aware of, however, which may prompt a few of you to switch to a paid locker instead. Everyone else should be fine as long as they take certain basic precautions, which I’ll cover in short order.

What’s so risky about saving passwords in your web browser?

Mostly secure… but not always

Typically, browser-based lockers like Google Password Manager (for Chrome) aren’t at risk of being raided at any second. Their data is encrypted on remote servers, and normally accessible only by logging into them with the same account you use to sync your browser’s tabs and bookmarks. Given that Apple, Google, and Microsoft are trillion-dollar megacorporations with a lot to lose, they’ve invested a great deal into cybersecurity. Browser makers like Opera and Mozilla are much smaller — Mozilla is a non-profit — but they’re well-established players nevertheless.

There are two main issues here: how data is stored and accessed on your own device, and the chances of your account info being stolen. On the first point, after you’ve logged into your device and signed into your browser account, there isn’t necessarily anything else stopping someone from accessing your passwords. Smartphones will often require an additional check of your passcode or biometric ID (i.e., your face or fingerprint) — but if you’re running Chrome for Windows, for instance, your passwords are simply accessible to anyone physically present, until you sign out of the browser or log out of Windows. Indeed, on many desktops, there may also be a locally saved copy of your passwords that’s decrypted whenever you unlock your OS.

Account theft should be your largest concern. Although it might be next to impossible to steal Apple, Google, or Microsoft account logins directly, they’re so valuable to criminals that attempts are constantly being made to uncover them elsewhere. It’s not hard to predict, for example, that if your real name is John J Smith, your user ID might be something like “jjsmith” or jjsmith@email.com. And since people reuse passwords on a regular basis, one that’s exposed during a third-party security breach might work for one of your primary accounts. Depending on which hardware and platforms you use, a successful takeover could grant access not just to your passwords, but to your devices, too. That’s going to ruin your life unless you can quickly regain control.

What can you do to make saving passwords in your browser safer?

Simple but meaningful steps

A Hello login screen for Windows 11. Credit: Microsoft

At a minimum, it’s important to use unique and complex passwords for Windows, macOS, iOS, Android, or any other operating system you use, and apply the same tactic to any separate browser accounts you might have. By unique, I mean you can’t reuse them anywhere. By complex, I mean passwords that are reasonably long — eight to 12 characters or more — and impossible to guess.

To make them easier to memorize, you might try using the concept of a “pass-sentence,” as Edward Snowden suggests. A password like “icecream” is going to be easy to break using a dictionary attack, but “2005icecre@misdelicious!” is another ballgame.

Where appropriate, you should also use unique passcodes, and turn on biometric logins, which rely on local encrypted chipsets. Don’t forget to set your devices to auto-lock quickly too. It might be more convenient to leave your phone or laptop unlocked until you put it to sleep, but all an intrusion might take is forgetfulness, a grab-and-run robbery, or a co-worker poking around your cubicle while you’re out on a bathroom break. Biometric logins will make auto-locking less of a hassle, incidentally.

Take advantage of two-factor authentication (2FA) whenever possible. This can be annoying in its own right, sometimes, but by requiring a secondary authenticator app or device, a compromised password will become useless to a potential attacker. All you’ll have to do when you get a notification of a suspicious login attempt is change that one password so it can’t be tried again — not fight to recover your digital identity and reset every exposed account.

Should you use a third-party password manager instead?

Maybe, if you can afford it

1Password on an iPhone.

Dedicated password managers like Bitwarden, 1Password, and LastPass can offer improved security. Their master passwords are separate from your OS or browser logins, and their lockers (AKA vaults) are typically encrypted end-to-end. Without that master login, in other words, a locker may be impossible to access not just on your devices, but even by the company hosting it. This is sometimes described as a “zero-knowledge” arrangement.

The biggest catch tends to be price. While a service like 1Password might cost only a few dollars per month, many of us are already suffering death by a thousand cuts when it comes to subscriptions. The idea that you might lose access to your password collection because you can’t or don’t want to pay anymore is bound to be terrifying for some people — especially if some of those passwords are auto-generated ones that no human can possibly remember. The best you can do in that scenario is export your passwords and/or write them down before you unsubscribe.

If you own an Apple mobile device, you might think the Passwords app (for iOS, iPadOS, and visionOS) would be a great alternative, since it’s both free and separate from your browser. It’s still linked to your Apple Account, however, so ultimately, it’s just a more convenient way of gathering and accessing your logins. The Google Password Manager app for Android is even worse — it’s just a shortcut to settings already on your device.

My suggestion, then, is that if you’re deeply worried about security, you should probably invest in a dedicated password manager, as long as you can safely afford the monthly fee. If you need to be careful with your cash, simply adopting some better practices for browser-based storage may be sufficient. You’ll have to weigh how serious any threats might be in your personal circumstances.
