{"id":30746,"date":"2025-10-26T22:16:46","date_gmt":"2025-10-26T22:16:46","guid":{"rendered":"https:\/\/naijaglobalnews.org\/?p=30746"},"modified":"2025-10-26T22:16:46","modified_gmt":"2025-10-26T22:16:46","slug":"you-still-shouldnt-use-a-browser-password-manager","status":"publish","type":"post","link":"https:\/\/naijaglobalnews.org\/?p=30746","title":{"rendered":"You Still Shouldn\u2019t Use a Browser Password Manager"},"content":{"rendered":"<p>\n<\/p>\n<p class=\"paywall\">By default, Google manages your encryption key, but it allows you to set up on-device encryption, which functions similarly to a zero-knowledge architecture. Your passwords are encrypted before being saved on your device, and you manage the key. Regardless of how the encryption works, Google uses AES, which is still the gold standard for security among password managers.<\/p>\n<p class=\"paywall\">It was trivial to decrypt Chrome passwords previously, requiring little more than a Python script and knowledge of where the files are stored. But even there, Google has pushed the security bar up. App-bound encryption has invalidated those methods, and cracking passwords is far more involved than it used to be. Further, Google has integrated with Windows Hello. If you choose, you can have Windows Hello protect your passwords each time you log in by asking for your PIN or biometric authentication.<\/p>\n<p class=\"paywall\">Other browsers aren\u2019t as secure. Firefox, for instance, makes it clear that, although passwords saved in Firefox are encrypted, \u201csomeone with access to your computer user profile can still see or use them.\u201d Brave works in a similar way, though I suspect most people using Brave are using a third-party password manager (and probably a VPN) already.<\/p>\n<p class=\"paywall\">Regardless, storing your passwords in even a less secure browser like Firefox is leaps and bounds better than not using a password manager at all. And the browsers at the forefront of market share, Chrome and Safari, have vastly improved their security practices over the past few years. The problem isn\u2019t encryption\u2014it&#8217;s putting all your eggs in one basket.<\/p>\n<h2 class=\"paywall\">Let\u2019s Talk OpSec<\/h2>\n<p class=\"paywall\">OpSec, or operational security, is normally a term used when talking about sensitive data in government or private organizations, but you can look at your own security through an OpSec lens. If you were an attacker and wanted to swipe someone\u2019s passwords, how would you go about it? I know where I\u2019d look first.<\/p>\n<p class=\"paywall\">Even with better security measures, the goal of a browser-based password manager is to get people using password managers. That has to be balanced against how easy the password manager is to use. In a blog post announcing changes to Google\u2019s authentication methods from Google I\/O this year, the company mentions reducing \u201cfriction\u201d seven times, while \u201cencryption\u201d isn\u2019t mentioned at all. That\u2019s not a bad thing, but it\u2019s a testament to how these tools are designed.<\/p>\n<p class=\"paywall\">You don\u2019t need to pick out words from a blog post to see this focus. Google gives you the option to turn on Windows Hello or biometric authentication with the Google Password Manager. Each time you want to fill in a password, you\u2019ll need to authenticate. That\u2019s undoubtedly more secure than not authenticating each time, but the setting is turned off by default. It creates friction.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By default, Google manages your encryption key, but it allows you to set up on-device encryption, which functions similarly to a zero-knowledge architecture. Your passwords are encrypted before being saved on your device, and you manage the key. Regardless of how the encryption works, Google uses AES, which is still the gold standard for security<\/p>\n","protected":false},"author":1,"featured_media":30747,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[52],"tags":[8104,8701,11811,2428],"class_list":{"0":"post-30746","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-browser","9":"tag-manager","10":"tag-password","11":"tag-shouldnt"},"_links":{"self":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts\/30746","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=30746"}],"version-history":[{"count":0,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts\/30746\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/media\/30747"}],"wp:attachment":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=30746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=30746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=30746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}