this post was submitted on 10 Feb 2024
91 points (96.0% liked)
Firefox
17301 readers
107 users here now
A place to discuss the news and latest developments on the open-source browser Firefox
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Well yeah, if you breach a password manager, you get tons of credentials. If you breach a person's computer, you get one set of credentials. And most of those breaches are low impact, such as Okta:
Here's an example of a browser attack (not necessarily password management, but related):
Basically, any script that can run on your machine can compromise stored passwords and credit cards if there's no master password set (typically the default behavior). If there is a master password, it could be brute forced (I'm guessing most attackers don't bother). It's just a lot harder to detect this kind of breach since it happens on end-user machines instead of an audited web service. I'm guessing a lot of people get hacked this way, but it doesn't make the news because individuals don't dig into the breach to find the cause.
My understanding is that password managers are still way more secure than using your browser's built-in PW management, and you can take it a step further and self-host (e.g. Bitwarden offers this) to require attackers to actually target you.
The thing with built in browser password manager like in chrome or firefox is even if it's password peotected, you can still get those very easily.
Sure, but it requires a more sophisticated attack, so risks are a bit lower. There are tons of easier targets, so an attacker will probably just go after them instead.
But when it comes to a proper password manager, there are a ton of similarly protected accounts, so an attacker will either go for all the data or not bother. You're more likely to get corporate accounts and whatnot than by hacking a built-in browser PW manager, which is a lot more lucrative than someone's credit card info.
But the core point I'm trying to make is that we won't know how many people get hacked with built-in browser password managers because nobody is monitoring them. We do know about proper password manager breaches because someone is watching for them. In other words, absence of evidence is not evidence of absence, so the number of publicly reported breaches won't tell you which is safer, it just tells you which are high profile.
I guess I feel somewhat safer as relatively anonymous target of spearphishing as I have been for 20 years without incident, instead of as part of a much more valuable collective target, even though that data is probably better protected.
I'm guessing you practice relatively secure computing, meaning you don't download suspicious stuff, keep your system updated, etc. But that's not true security, you could always run into a browser vulnerability on a random website.
Also, there's no guarantee that you haven't been hacked, all we know is that you haven't noticed your private information being used. Usually what happens is attackers get a bunch of data then sell it on the black market. Buyers of that data will probably only use a subset of that data, so your data could be sold, just not used. You can check if your passwords have been leaked by examining data sets of leaked latest ([e.g. Have I Been Owned; I recommend not actually sending important info here).
There are two routes to go here:
The second is probably sufficient for most people though.
One important thing to note is that the main reason to go with a password manager is to have really secure passwords that are unique for each site. That way if one service gets breached, attackers can't just use the same credentials on other sites. Browser password managers don't do that, so you're opening yourself up to that if you're not careful in constructing good, unique passwords. I have >100 accounts, each with their own password, and that just wouldn't be feasible without a password manager.
I was with you right up until the unique passwords. I do use a different randomly generated password for each site.
And honestly, that's the 80% of the 80/20 trade-off for security vs practicality. If you use a different password for each site, you're protected from the most common attacks (password dumps). The rest of the measures you could take are just optimizations on the last 20%.
If you have a solid backup plan for if you get hacked (e.g. only use credit online), you're probably fine. Most likely, you're not going to get your browser password manager scraped, because that means you need to both get malware, and get the type of malware that knows how to scrape browser password manager data. If it's protected by a master password, it's incredibly unlikely you'll get hacked unless it's a targeted attack.
But if you want to go the extra mile, you can close a lot of that 20% with a few extra measures. It's up to you how far you choose to go.
That all sounds good to me. Good clarification.