this post was submitted on 25 Aug 2023
As said previously, strongly, strongly recommend not using browsers to store passwords and payment cards. Bitwarden and KeePass are well-known good options, but if you trust Proton you should try their new password manager Proton Pass, which has a free tier (not affiliated with them). For the moment I still have an active license on 1Password so haven't switched over yet.
People keep repeating this. But I've never really heard a good reason for why a separate password manager is any more secure.
Firefox's saved passwords are not encrypted and just copying your user profile to another computer will allow someone else to use your credentials.
If you use Chrome, do you really want Google knowing your logins?
But they are encrypted.
I think you mean if you don't use a primary password. They're still encrypted then, but since they can be used freely from inside the browser they are indeed not protected from someone copying the profile.
Firefox supports a master password to encrypt them with.
But by default it's not encrypted and nobody ever changes the default settings.
TL;DR: Chromium-based browsers are more vulnerable to password-stealing malware because they encrypt with the OS user creds. Firefox would probably avoid this with a master password, as that's the primary protection of this that password managers offer.
https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/
On top of what has been said on lower security, this is also much worse in terms of privacy. You are giving up your credentials to Google/Mozilla.
Also, they do not encrypt (when they do at all) website URLs, only the secret parts (passwords), so this is a downside as well. Anyone getting access (or Google/Mozilla) to the encrypted vault knows what apps/sites you have accounts on. Some password managers do encrypt everything.
But yes, primarily it is way easier to steal passwords from a browser, especially when it's synced across many devices, including some with lower security (a phone with just a PIN, a phone lent to other people, a computer or tablet or phone left open to anyone to change music on Spotify, ...).
Source: https://support.mozilla.org/en-US/kb/how-firefox-securely-saves-passwords