✨ Check out this awesome post from WIRED 📖
✅ Main takeaway:
By default, Google holds the encryption key for passwords synced to your Google Account, but you can turn on on-device encryption, which works much like a zero-knowledge design: passwords are encrypted on your device before they are synced, and only you hold the key, so losing it means losing the passwords. Either way the cipher is AES, which remains the standard among password managers.
Pulling saved passwords out of Chrome used to be trivial: a short Python script and knowledge of where the profile files live was enough, because the key protecting them could be unwrapped by any process running as the logged-in user. Google has raised the bar here too. App-Bound Encryption has made those scripts obsolete, and extracting saved passwords is now considerably harder than it was. Google has also integrated with Windows Hello: if you opt in, Chrome requires a PIN or biometric check each time it fills a saved password.
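To make concrete why the old scripts worked and why App-Bound Encryption breaks them, here is an added example in Go; it is not part of the WIRED piece and not Chrome's code. It reproduces the layout Chrome uses for a saved password on Windows (a three-byte version prefix, a 12-byte nonce, then AES-256-GCM ciphertext and 16-byte tag; "v10" for the legacy format, "v20" for App-Bound) and runs the same steps a legacy one-file script ran once it had the master key. The master key is constructed here; in a real profile a legacy script recovered it from the Local State file with a user-level DPAPI call, which is exactly the step App-Bound Encryption takes away. The Go identifiers (`decryptLegacyBlob`, `ErrAppBound`, and so on) are this example's own names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Layout of one encrypted password_value in Chrome's Login Data database on
// Windows: prefix || 12-byte nonce || AES-256-GCM ciphertext || 16-byte tag.
//   "v10": legacy. The master key sits in Local State wrapped only by the
//          user's DPAPI key, so any process running as that user can unwrap it.
//   "v20": App-Bound. The key is additionally wrapped by a Chrome service that
//          runs as SYSTEM, so a user-level DPAPI call is no longer enough.
const (
	legacyPrefix   = "v10"
	appBoundPrefix = "v20"
	nonceLen       = 12
	tagLen         = 16
)

var (
	ErrAppBound      = errors.New("v20 blob: key is app-bound, user-level unwrap is not enough")
	ErrUnknownPrefix = errors.New("unrecognised blob prefix")
	ErrTooShort      = errors.New("blob shorter than prefix+nonce+tag")
)

// decryptLegacyBlob does what the old one-file scripts did after recovering the
// master key: check the prefix, split off the nonce, open with AES-GCM.
// A v20 blob is reported rather than attempted, because the caller's key is
// wrong for it: that key is only reachable through Chrome's elevated service.
func decryptLegacyBlob(masterKey, blob []byte) ([]byte, error) {
	if len(blob) < len(legacyPrefix) {
		return nil, ErrUnknownPrefix
	}
	switch string(blob[:len(legacyPrefix)]) {
	case legacyPrefix:
		// legacy layout, continue below
	case appBoundPrefix:
		return nil, ErrAppBound
	default:
		return nil, ErrUnknownPrefix
	}
	body := blob[len(legacyPrefix):]
	if len(body) < nonceLen+tagLen {
		return nil, ErrTooShort
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM verifies the tag before releasing plaintext, so a wrong key or a
	// tampered blob yields an error, never partial output.
	return gcm.Open(nil, body[:nonceLen], body[nonceLen:], nil)
}

// encryptBlob writes the same layout so the example runs without a Chrome
// profile. It stands in for Chrome's own writer; it is not a stealer step.
func encryptBlob(prefix string, masterKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte(prefix), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// demo uses a constructed 32-byte master key (in a real profile this is the
// value a legacy script pulled out of Local State via DPAPI). It shows the
// legacy path succeeding on a v10 blob and stopping on a v20 blob. A real v20
// blob is under a different, app-bound key; the prefix alone is what the
// legacy path trips on, so the same key is reused here for brevity.
func demo() (legacy string, appBoundErr error, err error) {
	masterKey := make([]byte, 32)
	if _, err = rand.Read(masterKey); err != nil {
		return "", nil, err
	}
	v10, err := encryptBlob(legacyPrefix, masterKey, []byte("hunter2"))
	if err != nil {
		return "", nil, err
	}
	pt, err := decryptLegacyBlob(masterKey, v10)
	if err != nil {
		return "", nil, err
	}
	v20, err := encryptBlob(appBoundPrefix, masterKey, []byte("hunter2"))
	if err != nil {
		return "", nil, err
	}
	_, appBoundErr = decryptLegacyBlob(masterKey, v20)
	return string(pt), appBoundErr, nil
}

func main() {
	pt, abErr, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("v10 blob decrypted to %q\n", pt)
	fmt.Printf("v20 blob with the same key: %v\n", abErr)
}
```

The point for a defender is the key-handling step that this code deliberately leaves out: with the legacy format, the whole protection rested on a DPAPI call that succeeds for anything running as the user, including malware. App-Bound Encryption changes the prefix and moves the unwrap behind a SYSTEM-level service, so a user-level tool that reaches `ErrAppBound` has nowhere to go without escalating.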
Other browsers offer less. Firefox, for example, explains that even though passwords saved in Firefox are encrypted, “a person with access to your computer user profile can still see or use them.” Brave works in a similar way, although I suspect most people who use Brave are already using a third-party password manager (and perhaps a VPN).
Even so, storing your passwords in a less protective browser like Firefox is far better than not using a password manager at all. The market leaders, Chrome and Safari, have greatly improved their security practices over the past few years. The problem is not the encryption; it is putting all your eggs in one basket.
Let’s talk about OpSec
Operational security, or OpSec, is a term usually applied to sensitive data in government or in companies, but you can look at your own security through the same lens. If you were an attacker who wanted someone's passwords, how would you go about it? I know where I would look first.
Better security measures aside, the goal of a browser-based password manager is to get people to use a password manager at all, so every protection is weighed against how much it slows the user down. In the blog post announcing changes to Google's authentication methods at Google I/O this year, the company mentioned reducing “friction” seven times and “encryption” not once. That is not a bad thing in itself, but it shows what these tools are designed around.
You don't need to count words in a blog post to see this. Google lets you require Windows Hello or biometric authentication before Google Password Manager fills a password, so every use of a saved password needs a fresh check. That is clearly more secure than filling without authenticating, but the setting is off by default, because it adds friction.
🕒 Posted on 2025-10-26 (Unix timestamp 1761503532)
