You Still Shouldn’t Use a Browser Password Manager
All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links. Learn more.
Your browser wants to manage your passwords. Maybe it's to make your browsing experience more seamless in the hotly competitive browser wars, or maybe it's a response to the popularity of password managers. Regardless of the reason, you've undoubtedly seen hundreds of pop-ups offering to save your credentials as you browse online.
A few years back, that wasn't the best idea, but times have changed. The world's most popular browser, Google Chrome, now has a fairly robust password management tool, as does Apple's Safari, including security options that shut down the most common criticisms of browser-based password managers. If you aren't using a password manager, and you're reusing the same few passwords with an extra capital letter or exclamation point, storing unique passwords in your browser is more secure than what you're doing. Still, browser-based password managers pose an inherent problem, one that isn't solved with better authentication methods or superior encryption.
Improvements in Browser Password Managers
Your browser’s password manager isn’t as secure as a commercial, third-party password manager, or so the story goes. There’s some truth to that sentiment, but it requires nuance. In reality, your browser’s password manager is very secure, and using it is far superior to jotting down passwords in your notes app or using the same password across websites.
I’ll get to the security issues next, but we need to start with where browser password managers are today. I’ll be looking at Chrome and the Google Password Manager, not to pick on Google, but because it’s overwhelmingly the most popular browser in the world. Google has also continually updated Chrome’s password manager, and it’s in a much better place than it used to be.
First, encryption. The main difference between Google’s Password Manager and a commercial password manager isn’t what encryption is used, but rather how it’s used. A password manager like Proton Pass uses zero-knowledge encryption. That means that, although the service holds your encrypted passwords, it doesn’t hold the key to decrypt those passwords.

By default, Google manages your encryption key, but it allows you to set up on-device encryption, which functions similarly to a zero-knowledge architecture. Your passwords are encrypted before being saved on your device, and you manage the key. Regardless of how the encryption works, Google uses AES, which is still the gold standard for security among password managers.
It was trivial to decrypt Chrome passwords previously, requiring little more than a Python script and knowledge of where the files are stored. But even there, Google has pushed the security bar up. App-bound encryption has invalidated those methods, and cracking passwords is far more involved than it used to be. Further, Google has integrated with Windows Hello. If you choose, you can have Windows Hello protect your passwords each time you log in by asking for your PIN or biometric authentication.
Other browsers aren’t as secure. Firefox, for instance, makes it clear that, although passwords saved in Firefox are encrypted, “someone with access to your computer user profile can still see or use them.” Brave works in a similar way, though I suspect most people using Brave are using a third-party password manager (and probably a VPN) already.
Regardless, storing your passwords in even a less secure browser like Firefox is leaps and bounds better than not using a password manager at all. And the browsers at the forefront of market share, Chrome and Safari, have vastly improved their security practices over the past few years. The problem isn’t encryption—it's putting all your eggs in one basket.
Let’s Talk OpSec
OpSec, or operational security, is normally a term used when talking about sensitive data in government or private organizations, but you can look at your own security through an OpSec lens. If you were an attacker and wanted to swipe someone’s passwords, how would you go about it? I know where I’d look first.
Even with better security measures, the goal of a browser-based password manager is to get people using password managers. That has to be balanced against how easy the password manager is to use. In a blog post announcing changes to Google’s authentication methods from Google I/O this year, the company mentions reducing “friction” seven times, while “encryption” isn’t mentioned at all. That’s not a bad thing, but it’s a testament to how these tools are designed.
You don’t need to pick out words from a blog post to see this focus. Google gives you the option to turn on Windows Hello or biometric authentication with the Google Password Manager. Each time you want to fill in a password, you’ll need to authenticate. That’s undoubtedly more secure than not authenticating each time, but the setting is turned off by default. It creates friction.

Without this setting turned on, anyone with access to a logged-in PC could pop into your browser, head to the settings, and see (and even export) your passwords in plaintext. If I had access to someone's PC and wanted to steal passwords, the first place I'd head is the browser password manager.
More concerning is the target on the back of your Google account. Just a couple of months back, Gmail suffered a data breach, and although no sensitive information was stolen, Google urged 2.5 billion users (around a third of the global population) to update their passwords. If an attacker can successfully take over your account, it’s not a great idea to give them your passwords in addition to unbridled access to your email and any services you’ve linked your Google account to.
Account takeovers happen, largely due to phishing, according to Google. Again, looking through an OpSec lens, it’s not the best idea to lock the passwords for all your accounts behind an account that’s a high-value target. That’s not a dig at Google. It’s just the reality of having a single account that’s so pervasive in online life.
There are ways to prevent an account takeover from happening, including multi-factor authentication (MFA) and device-bound authentication methods like passkeys. Both Google and Apple offer these options to increase your account security. If we're looking at risk mitigation, however, storing your passwords in a third-party password manager gives you another layer of protection beyond locking down a single, high-value account.
Beyond Security
Security is first and foremost when looking at password managers, but let’s not miss the forest for the trees. A commercial password manager comes with a lot more features and functionality.
Proton Pass, for instance, gives you access to email aliases to reduce the likelihood of your email address leaking in a breach. 1Password gives you Travel Mode to clean up your vaults while traveling. Bitwarden lets you take your entire vault off the internet if you want, with a self-hosted option. That’s not to mention the variety of data you can store in a third-party password manager, including encrypted documents and notes, and custom entries for whatever other data you want to store.
A dedicated password manager like NordPass allows you to share your entries. You can share passwords stored in the Google Password Manager and iCloud Keychain, but only within their own ecosystems. With a third-party password manager, I can, for example, share my Wi-Fi password with someone even if they don’t have an account.
Using any password manager is better than using none, so if you’re avoiding your browser’s password manager because you’ve heard it’s unsafe, and as a result, use the same password across websites, stop. Your browser is more secure. But for folks who don’t mind a bit of friction for better security, a third-party password manager is the way to go.
Rating: 8/10
WIRED: Robust security design. Seamless autofill and capture. Passkey support. Travel mode included. 1 GB of encrypted storage. Only $3 per month with an annual plan.
TIRED: No self-hosted option. Masked email and credit cards cost extra. Hot keys and auto-login are finicky on desktop.
1Password has been around for almost two decades, and it’s changed a lot in that time. What started as a perpetual license with self-hosted vaults has morphed into a subscription service hosted entirely on the servers of AgileBits, 1Password’s parent company.
It’s remained resilient in the face of high-profile password manager breaches, due in no small part to its zero-knowledge security architecture, and it has continued to evolve with new features, including Travel mode, which is quickly becoming one of the marquee offerings. Even with such drastic changes, 1Password remains one of the best password managers on the market.
More Than Just Passwords
Most password managers let you store more than just passwords, and 1Password is no exception. There are presets available for medical records, server information, your bank account, your passport, and so much more. Ultimately, these are all just text fields with a special icon, and you’re free to add or remove fields as you see fit. Outside of text, entries in 1Password break down into a few main categories:
- Logins: These are different from passwords in that they’re tied to a URL or app, and they’re used for autofill. Passkeys, which 1Password supports, fall under this category.
- Identities: 1Password supports automatic form filling, and it pulls from the identities you have set up in your vault.
- Credit cards: You can store card information in 1Password, as well as autofill those details on desktop and mobile.
- Documents: You can attach documents to any entry in your vault (including the dedicated Documents preset). You get 1 GB of encrypted storage for these attachments on an individual account, and 1 GB per person on a family plan.
That gives you a wide view of the kind of data you can store in your vaults, as well as how you’ll need to categorize it for autofill purposes. But 1Password affords you a ton of flexibility. You can add, remove, swap around, and rename fields as you see fit. For example, you can include a note to differentiate multiple logins for the same website, or attach documents to your passport entry.
Two things stand out. First, 1Password can store one-time passwords. If you have accounts set up with Google Authenticator or some other two-factor authentication utility, 1Password can handle that for you. You just scan the QR code or copy the one-time password over to your login, and it’ll handle all the 2FA work.
The second is passkey support. 1Password can generate, store, and sync passkeys for websites that support them. 1Password also highlights logins where passkeys are available, but you aren’t using them. However, this list is based on 1Password’s own (somewhat dated) database of passkey support.
You have a lot of tools to organize your entries in 1Password, which becomes increasingly important as you continue to use it. I have over 600 entries in my vault, and I should’ve started using the organization tools earlier; that’s on me.
Everything starts with a vault. You can create as many vaults as you want. There may be a limit at some unreasonable point, but 1Password doesn’t technically impose limitations on the number of vaults you can have. I haven’t found much of a purpose to make a ton of vaults for personal use, but they’re convenient to have if you’re sharing entries a lot.

When you create a new entry, it’s automatically segmented into a category based on what entry type you used, but I get far more use out of tags. You can add as many tags as you want to entries, and you can even nest them; for example, nesting a “shipping” tag within your “business” tag. Once the tag is set, you don’t need to individually edit entries. Just drag them to the tag, and they’ll be organized.
My biggest issue with tags is that they’re all the same color in 1Password. You can mark favorites for quick access, but a color selector for tags would make it a bit easier to find what you need at a glance, especially if you create a complex, nested tag structure.
Desktop and Mobile
You have a lot of options to use 1Password on a desktop or laptop. Native apps are available for macOS and Windows, as well as just about every flavor of Linux you could want (including my beloved Arch-based distribution). The easiest way to use 1Password—and the way I’ve used it for years—is through the browser. 1Password has extensions available for Chrome, Safari, Firefox, Edge, and Brave, and you can manage everything you can with the desktop app from a browser window.
Capture and autofill with the extension are basically flawless, at least across Chromium-based browsers and Firefox. I can’t recall a single time since I started using 1Password five years ago that it got tripped up on a password field, nor a time that 1Password failed to capture a password I generated when signing up for a new account. At this point, I don’t even see my passwords; they’re generated, captured, and stored by 1Password, and I don’t give them a second thought.
One quibble I have on desktop is 1Password’s automatic login. It’s a recent addition that attempts to sign you in right when you autofill. 1Password fills in your details and selects whatever button it needs to log you in without intervention. 1Password always makes the attempt, but more often than not, the login page throws up an error from the automated process. You can turn automatic login off, though the setting is buried in the browser extension.
Hot keys aren’t perfect in the browser, either. By default, Ctrl+Shift+X (Shift+Command+X on macOS) will open the 1Password extension, except on Firefox, which has a different hot key. On some systems, it works like a charm; on others, it doesn’t work at all. It’s not a deal breaker, but it’s annoying when a hot key doesn’t work the way I expect it to.
Outside of managing your passwords (and turning on Travel mode, which I’ll cover shortly), you can also access your Emergency Kit in the browser, which isn’t available in either the desktop or mobile apps. It’s a PDF with your account information, with a QR code and space to type (or write) your account password. Some password managers, such as Keeper and NordPass, have so-called digital legacy features that can pass on your passwords after you, well, pass. The Emergency Kit isn’t as convenient, but it largely serves the same purpose.
Password managers are spotty on Android and iOS in general, and 1Password isn’t above that issue. I’d estimate somewhere around 10 to 15 percent of the fields I encounter on mobile just don’t register with 1Password, sending me out to the app to copy my password over manually. This is more of an issue with how apps categorize different fields and expose them to other apps running, and less of a 1Password-specific problem.
1Password at least attempts to get around this with linked apps. As you start signing into apps using entries in your vault, 1Password will connect your login to whatever app you’re logging into. That doesn’t eliminate autofill problems on mobile, but it helps in the cases where 1Password is looking for a specific URL to autofill, and the mobile app isn’t operating with that URL.
Outside of autofill, using 1Password on Android and iOS is a breeze. You can enter your account password each time you unlock your account if you want, but 1Password supports biometric authentication on Android and iOS, including Face ID support. After a certain amount of time has passed (you can change the amount of time in the settings), 1Password will ask you to reenter your account password. Thankfully, if you don’t want to use biometrics, you can set up a PIN or passcode as well.
Quick access is important because 1Password is extremely limited on mobile, and that’s a good thing. Switching to another app or locking your phone also locks your account, and if you swipe through your list of open apps, you’ll only see the 1Password login screen.
You’re free to change these settings, from the amount of time you need to reenter your account password to when 1Password should clear your keyboard history. The defaults work well, but if you can’t be bothered, you can turn these extra security measures off.
Unique Security
1Password may function similarly to other password managers, but its security design is unique. The company has a white paper you can read through for all the gory details, and it maintains a list of certifications and recent penetration testing. The core of 1Password’s security, however, is a zero-knowledge approach. It’s designed in such a way that, even if 1Password wanted to, it has no means to decrypt the contents of your vault.
This works due to what 1Password calls two-secret key derivation, or 2SKD. It takes your account password and a secret key that’s generated on your device when you first sign up for 1Password, and uses them to derive a key encryption key (KEK). Also on your device, 1Password generates a public-private key pair. Your private key is encrypted with the KEK, while your public key is shared.
There are several layers of nested encryption beyond this, but what’s important is that 1Password doesn’t have a copy of your private key, nor a copy of the account password needed to derive the KEK. And when you authenticate, everything happens locally on your device, including encryption and decryption. Your KEK, account password, and private key never leave your device.
It’s a huge boon for security, but this design introduces some usability hurdles. When you set up a new device, you’ll need to enter both your password and secret key the first time. Once that device has derived a KEK, you’ll only need to enter your password going forward.
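To make the 2SKD shape concrete, here is an added illustration (not 1Password’s code; the specific primitives, PBKDF2 plus HKDF combined by XOR, are this example’s own choices rather than a reproduction of 1Password’s white paper): the KEK is derived from both the account password and the device-generated secret key, the private key is wrapped under it, and a device that has only the password, as in the new-device setup above, cannot unwrap it. Sample values are constructed, and the HKDF keystream wrap stands in for a real AEAD such as AES-GCM, which the standard library lacks.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # 256-bit keys throughout


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF (extract then expand) on SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_kek(account_password: str, secret_key: str, salt: bytes,
               iterations: int = 100_000) -> bytes:
    """Two-secret derivation: the KEK depends on BOTH the user-chosen password
    and the device-generated secret key (primitive choices are this example's)."""
    # The password is low entropy, so it is stretched: each guess costs `iterations` hashes.
    pw_part = hashlib.pbkdf2_hmac("sha256", account_password.encode(), salt, iterations, KEY_LEN)
    # The secret key is long and random, so a single HKDF pass is enough.
    sk_part = hkdf_sha256(secret_key.encode(), salt, b"kek/secret-key")
    # XOR the halves: whoever holds only one of them learns nothing about the KEK.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def wrap(kek: bytes, private_key: bytes) -> bytes:
    """Encrypt-then-MAC the private key under the KEK (keystream stands in for AES)."""
    nonce = os.urandom(16)
    stream = hkdf_sha256(kek, nonce, b"wrap/stream", len(private_key))
    mac_key = hkdf_sha256(kek, nonce, b"wrap/mac")
    ct = bytes(p ^ s for p, s in zip(private_key, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes):
    """Return the private key, or None if the KEK is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hkdf_sha256(kek, nonce, b"wrap/mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # constant-time tag check failed: wrong secrets or tampering
    stream = hkdf_sha256(kek, nonce, b"wrap/stream", len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    salt = b"example-account-salt-16b"
    secret_key = "A3-EXAMPLE-SECRET-KEY-MADE-ON-DEVICE"
    kek = derive_kek("correct horse battery staple", secret_key, salt, iterations=10_000)
    blob = wrap(kek, b"-----FAKE PRIVATE KEY-----")
    # A new device that knows the password but not the secret key derives a different KEK.
    password_only = derive_kek("correct horse battery staple", "", salt, iterations=10_000)
    print("both secrets:", unwrap(kek, blob))
    print("password only:", unwrap(password_only, blob))
```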
One disappointing aspect of 1Password’s security is that its apps aren’t open source, unlike those of Bitwarden or Proton Pass. However, 1Password still publicly publishes security audits, and it even offers free 1Password accounts to open source developers.
Over the years, one of the features I’ve grown to appreciate most in 1Password is Watchtower. Proton Pass and several other competitors have similar features, but Watchtower is one of the most comprehensive in what it covers. You get an overall security score for items in your vault, as well as suggestions for different logins.
1Password will show where passkeys are available, where 2FA is available but not enabled, compromised passwords, weak and reused passwords, and even entries expiring soon, like credit cards. It even segments all your entries into different strength categories, allowing you to quickly see, for example, how many passwords you have that are “good” but not “excellent.”
Then there's Travel mode. To my knowledge, no other password manager offers a feature like this (if there are others, drop a comment below). Basically, it lets you mark vaults as safe for travel or not. When you toggle on Travel mode, the vaults that aren’t safe are removed from all your devices, as if they never existed.
Those vaults are actually removed from your device, too, which is an important note to highlight in an era of rising device searches at the US border. There’s no way to turn off Travel mode from your phone. You can only toggle it through a browser that’s been authenticated with your account password and secret key.
Finally, 1Password offers masked emails and virtual credit cards, but it doesn’t offer them directly. Instead, it supports integrations with FastMail and Privacy.com, both of which offer additional subscriptions. I’m happy that 1Password is using well-known and popular tools for these services, but it doesn’t get around the fact that access to these two features will significantly bloat your monthly cost.
That’s one of 1Password's weaknesses. It’s just a password manager. Proton and Nord offer extensive security suites that go beyond password management, and bundling them together will save you some money.
Cloud Only
It’s been close to a decade now, but 1Password used to allow you to host your own vaults. That changed in 2017, and since then, you haven’t been able to. The vast majority of commercial password managers work in this way, but there are still reasons you may want to host at least some logins locally.
But it's not possible with 1Password. All of your vaults are stored in the cloud. Our top password manager recommendation, Bitwarden, offers a self-hosting option, and a lot of open source password managers like KeePassXC force you to figure out your own hosting solution. 1Password doesn’t need to be fully self-hosted, but it would be nice to have the option of storing some vaults locally, especially considering how much data you can store in your vault beyond passwords.
Barring these issues, 1Password still sets the gold standard for password managers when it comes to security. It has been consistently transparent about its security architecture, and it goes above and beyond most other password managers to keep your logins secure. It’s also cheap and dead-simple to use.