I’m just scared that they’re saved with reversible encryption on the disk, then malware could steal them

  • sugar_in_your_tea@sh.itjust.works
    link
    fedilink
    arrow-up
    1
    ·
    9 months ago

    Sure, but it requires a more sophisticated attack, so risks are a bit lower. There are tons of easier targets, so an attacker will probably just go after them instead.

    But when it comes to a proper password manager, there are a ton of similarly protected accounts, so an attacker will either go for all the data or not bother. You’re more likely to get corporate accounts and whatnot than by hacking a built-in browser PW manager, which is a lot more lucrative than someone’s credit card info.

    But the core point I’m trying to make is that we won’t know how many people get hacked with built-in browser password managers because nobody is monitoring them. We do know about proper password manager breaches because someone is watching for them. In other words, absence of evidence is not evidence of absence, so the number of publicly reported breaches won’t tell you which is safer, it just tells you which are high profile.

    • brianary@startrek.website
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      I guess I feel somewhat safer as relatively anonymous target of spearphishing as I have been for 20 years without incident, instead of as part of a much more valuable collective target, even though that data is probably better protected.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        arrow-up
        2
        ·
        9 months ago

        I’m guessing you practice relatively secure computing, meaning you don’t download suspicious stuff, keep your system updated, etc. But that’s not true security, you could always run into a browser vulnerability on a random website.

        Also, there’s no guarantee that you haven’t been hacked, all we know is that you haven’t noticed your private information being used. Usually what happens is attackers get a bunch of data then sell it on the black market. Buyers of that data will probably only use a subset of that data, so your data could be sold, just not used. You can check if your passwords have been leaked by examining data sets of leaked latest ([e.g. Have I Been Owned; I recommend not actually sending important info here).

        There are two routes to go here:

        1. Use proper security - high quality password manager, self-host your data (Bitwarden allows this)
        2. Reduce the impact of a breach (don’t use debit cards online, monitor credit card statements, etc)

        The second is probably sufficient for most people though.

        One important thing to note is that the main reason to go with a password manager is to have really secure passwords that are unique for each site. That way if one service gets breached, attackers can’t just use the same credentials on other sites. Browser password managers don’t do that, so you’re opening yourself up to that if you’re not careful in constructing good, unique passwords. I have >100 accounts, each with their own password, and that just wouldn’t be feasible without a password manager.

        • brianary@startrek.website
          link
          fedilink
          arrow-up
          1
          ·
          9 months ago

          I was with you right up until the unique passwords. I do use a different randomly generated password for each site.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            arrow-up
            2
            ·
            9 months ago

            And honestly, that’s the 80% of the 80/20 trade-off for security vs practicality. If you use a different password for each site, you’re protected from the most common attacks (password dumps). The rest of the measures you could take are just optimizations on the last 20%.

            If you have a solid backup plan for if you get hacked (e.g. only use credit online), you’re probably fine. Most likely, you’re not going to get your browser password manager scraped, because that means you need to both get malware, and get the type of malware that knows how to scrape browser password manager data. If it’s protected by a master password, it’s incredibly unlikely you’ll get hacked unless it’s a targeted attack.

            But if you want to go the extra mile, you can close a lot of that 20% with a few extra measures. It’s up to you how far you choose to go.