We can't believe people use browsers to manage their passwords, says maker of password management tools

It seems some of us are, in the year of our lord 2021, still reusing the same password for multiple sites, plugging personal gear into work networks, and perhaps overly relying on browser-managed passwords, judging from this poll. ThycoticCentrify, formed from a merger between two computer access management firms, said it …

  1. DrXym

    Mixed model

    I use the browser for sites for forums and things of that nature. I use Password Safe for everything else. Aside from that I enable 2FA whenever it's available so even if someone does somehow get my password it's not necessarily going to help them.

    1. Piro Silver badge
      Windows

      Re: Mixed model

      Same here, but KeepAss instead of Password Safe

      1. Dan 55 Silver badge
        Coat

        Re: Mixed model

        ExpertSexChange error.

      2. Nifty Silver badge

        Re: Mixed model

        "Same here, but KeepAss instead of Password Safe"

        isn't that a bit anally retentive?

        1. David 132 Silver badge
          Coat

          Re: Mixed model

          I feel like digging passwords out of that part of your anatomy is really scraping the barrel of your bottom.

        2. Ken Moorhouse Silver badge

          Re: KeepAss

          It's a variation on bolting the stable door after its equine content has vanished.

        3. EricB123 Bronze badge

          Re: Mixed model

          You made me DuckDuckGo "KeepAss" just to verify you made that name up.

          You didn't.

        4. gandalfcn Silver badge

          Re: Mixed model

          Only for Septics.

    2. Ozan

      Re: Mixed model

      Yes, fixed method. I don't save passwords to the browser (I don't even trust Firefox for that). I use Bitwarden for it. I went self-hosted for it. I don't know if I should have or not at this point. KeePass might be better for self-hosting using the dime-a-dozen cloud storage systems out there.

    3. Headley_Grange Silver badge

      Re: Mixed model

      Same here, and my password manager synchs over my local WiFi only. It's a bit mandraulic, but I don't want my important passwords in the cloud. Finance passwords are in my head only.

      1. Doctor Syntax Silver badge

        Re: Mixed model

        From my PoV finance passwords can't be kept in my head - they look more like line noise.

    4. Sgt_Oddball
      Flame

      Re: Mixed model

      Ditto, if it's something that can cost me money then I don't save it to the browser. If it's something with personal info that isn't important then I use slightly off data (think changing a year, being one street over or a non-existent number, wrong phone number) and then save the password to the browser.

      That said, I do have a cypher book, written in fountain pen with my left hand whilst drunk, for certain passwords on infrequently visited sites. I wonder if I should consider burning it... Especially since even I can't make out what I attempted to write.

    5. Anonymous Coward

      Re: Mixed model

      2FA wherever possible here too, but I go one step further and use pass together with a Nitrokey on all my devices. That makes it very unlikely that the encryption key ever leaks.

    6. big_D Silver badge

      Re: Mixed model

      I just use a password manager these days, it is easier than faffing around and continually telling the browser never to ask to store a password for a specific site. I just disable it completely.

      I use 2FA everywhere, never SMS, and preferably a Yubikey.

    7. Snake Silver badge

      Re: password managers

      How do we know that these "password managers" are safe in themselves? That, if synced to their cloud infrastructure, that said infrastructure is secure from both cracking and hacking? That this password manager isn't sharing your info with unwanted third pasties, such as unfriendly governments??

      Etc etc etc.

      Don't trust anyone.

      1. Anonymous Coward

        Re: password managers

        I agree. Also if someone somehow breaches the password manager master password, they have access to everything, no?

        I personally prefer the security by obscurity approach.

      2. Smartypantz

        Re: password managers

        Hear hear

        You can't trust any of that shit:

        1. Make strong passwords!

        2. Remember them!

        KISS

        1. Doctor Syntax Silver badge

          Re: password managers

          You can memorise something like ^>~\)z%c+L3",4S' ?

          1. Disgusted Of Tunbridge Wells Silver badge

            Re: password managers

            Who told you the code to my luggage?

      3. Doctor Syntax Silver badge

        Re: password managers

        It depends on where the password manager is. In my case it's not on somebody else's computer.

      4. DrXym

        Re: password managers

        Password Safe saves your passwords to a file on the disk. This file is encrypted with a master password. It doesn't save to the cloud. Of course you could make it save to the cloud if the password file was on Google Drive or similar.

      5. EricB123 Bronze badge

        Re: password managers

        As readers of The Register already know, the cloud is the safest place to store data!!!!!

        POLL: Is this sarcasm?

      6. gandalfcn Silver badge

        Re: password managers

        Given that Google, the Chocolate Factory et al seem to be everything these days we don't. But Password Safe seems to be well clear of them.

      7. mdubash

        Re: password managers

        My KeePass database is stored in numerous places. It's 256-bit encrypted. And it requires the presence of a particular piece of data in a specific location to be unencrypted. And it doesn't store finance-related PINs, as they're only in my head. That's safe enough.

      8. Captain Obvious

        Re: password managers

        You beat me to the punch - MOST of these if you Google have been hacked at some time. Many probably don't even know they have been hacked. Then ALL your passwords are pwned.

      9. SuperGeek

        Re: password managers

        "sharing your info with unwanted third pasties, such as"

        Hollands? Greggs? Yummy, make my "pasties" a meat potato, and cheese & onion!

    8. Anonymous Coward

      Re: Mixed model

      notepad.exe and password.txt on the desktop for me!

      1. NonSSL-Login

        Re: Mixed model

        Joking aside, password.txt is generally a lot safer than keeping them stored in your browser!

    9. Blackjack Silver badge

      Re: Mixed model

      Unless they pickpocket your smartphone then they get everything.

  2. bolac

    The whole industry only exists because Microsoft has no sane solution for Windows. On the other side, Mac users save their passwords in the Keychain, and Linux users have done the same with gnome-keyring and KDE kwallet for literally decades now.

    1. Halfmad

      Why on earth would I want to entrust my info to MS or save in a MS keychain?

      Eggs in one basket much?

      There's little difference between the use of something like kwallet and say bitwarden.

      1. Disgusted Of Tunbridge Wells Silver badge
        Paris Hilton

        > Eggs in one basket much?

        Downvote for that horrific American use of "much" that I thought had died a death (much).

        1. Anonymous Coward
          Mushroom

          PTSD much?

          > Downvote for that horrific American use of "much" [ ... ]

          Horrific? Really? Is it giving you nightmares?

          Are you now traumatized beyond repair because you read the word much? Suffering from PTSD? In need of counseling and a safe space?

          1. Col_Panek

            Re: PTSD much?

            It's RACIST, somehow.

          2. Disgusted Of Tunbridge Wells Silver badge
            Gimp

            Re: PTSD much?

            Yes horrific

            Like a Barnard Castle eyesight joke, or somebody saying "dot com" at the end of a phrase.

            Or somebody saying "doozy", as though anybody on the correct side of the pond knows or is interested in finding out what it means.

            1. Anonymous Coward

              Re: PTSD much?

              'or somebody saying "dot com" at the end of a phrase.'

              However do you manage to tell someone a domain-name without getting triggered?

    2. AndrueC Silver badge
      Joke

      So people moan at MS when it pushes other companies out of the market and moan when it leaves a gap in the market.

      1. A Non e-mouse Silver badge

        That's the joy of being in the audience: You're free to criticize as much as you want safe in the knowledge that you won't actually have to come up with an answer yourself.

    3. A Non e-mouse Silver badge

      The problem is for those of us who don't work in an OS monoculture. We need cross platform tools.

      1. bolac

        This is bullshit. Cross-platform software always sucks. Always. No exception. A tool should be integrated into the system conventions as well as possible. A Windows application should follow Windows conventions, a Mac application should follow Mac conventions, and so on.

        This is particularly true for a password manager, so you don't need insecure dirty clipboard tricks to enter passwords into forms. The only cross-platform thing we need in this area is a portable format for export/import and backups of password databases.

        1. nintendoeats

          So there shouldn't ever be webapps then?

        2. Doctor Syntax Silver badge

          "A tool should be integrated into the system conventions as well as possible... so you don't need insecure dirty clipboard tricks to enter passwords into forms."

          Clipboards aren't integrated into the OS?

      2. Graham 32

        Or just cross-machine. How to sync the gnome keychain? (I wouldn't be surprised if Apple can sync theirs)

      3. Anonymous Coward

        There are easy and obvious solutions to the monoculture problem if you are so inclined; they just require a little pain when using Windows-based devices.

        I take a somewhat cynical approach that I suspect is not uncommon. My own digital life lives on my own devices, which are not Windows based and share no accounts or passwords with my work presence, which is on Windows devices which do not belong to me. My employer assures me their domain is secure and has not blocked password saving in browsers or provided an alternative. Therefore my work passwords are stored in my default Windows browser. I never access my personal life from my work devices.

        I suspect my own data may remain secure longer than my employers’, but there it is.

    4. Dan 55 Silver badge

      Control Panel > User Accounts > Credential Manager?

      1. Oh Matron!

        You missed the "No sane solution"

        A bit like giving the local fox your chickens and saying, "I'm off to Benidorm for a week. Be a love and look after the clucks for me."

      2. katrinab Silver badge
        Unhappy

        Doesn't store website passwords. Chromium Edge I think stores them in OneDrive.

        1. Dan 55 Silver badge

          There is a Web Credentials 'tab', at least in my version of Windows. Can't say I remember it always being there, it might just be the most recent versions of W10.

          It does work with IE at least. In my case it's full of intranet passwords for stuff which won't work with anything else.

    5. teomor

      Exactly. Windows needs a built-in password manager if we want this to stop.

      This is one of the main reasons I am using a Mac (both at home and at work). Also, integration with Keychain across all Apple devices is a godsend.

      1. Nifty Silver badge

        My last company wouldn't allow me to install open source programs like KeePass. The next best thing I came up with was an XLSM file with password protection on it. The column containing the passwords was made narrow and a macro was used to hide the formula bar, so that passwords couldn't be casually viewed by accident during a screen share.

        I use a similar file to keep a list of moderately confidential info.

    6. big_D Silver badge

      I use a mix of macOS, Linux, iOS, Android and Windows. Therefore Apple Keychain is useless, as is gnome-keyring. For those not using just one platform, it has to be a platform-independent solution.

      1. John Brown (no body) Silver badge

        "For those not using just one platform, it has to be a platform independent solution."

        Or at least a similar app on each platform using a common storage system that is either on a USB drive accessible from any of those platforms, or at least able to sync/copy between platforms.

    7. Anonymous Coward

      Windows WILL save credentials for you. But one password reset and "poof! All gone"

  3. Disgusted Of Tunbridge Wells Silver badge
    Holmes

    I use the browser because I have more important things to do with my life, like watching TV.

    I trust Google to be secure more than I trust TrustworthyPasswordManager.

    Also any sites that are of any importance ( eg: banking, email, even social media ) have 2FA.

  4. Anonymous Coward

    Training

    "Meanwhile, about half of those working for large (5,000+ headcount) companies said they hadn't received cybersecurity training in the past 12 months"

    But I bet they've all received 'Unconscious Bias training", "Diversity training", "Personal Pronoun training", "Cultural Competency training", "Preventing Discrimination and Harassment training", and of course "Creating an Inclusive Workspace training."

    All far, far more important than any old IT security nonsense. That's IT's job, innit.

    1. Anonymous Coward

      Re: Training

      We have a special sort of nagware where I am. Online security training forces a 10 question/answer session once a fortnight; anyone who refuses to do at least one a month is reported to the sec officer and made to do it! Ha ha! Once a month it gives out two 15 min lectures on basic desktop and mobile security practices.

      It's mostly for the non-techies, just to drum the usual stuff home, "look for the padlock", "don't open mails with attachments", "don't trust it? then don't touch it!", "hover links to see where they really go", all that.

      It's annoying and takes up time in your day, but better safe than sorry I suppose.

    2. Anonymous Coward

      Re: Training

      I work for a 50,000+ headcount company.

      We have had numerous "courses"

      ALL of them have been worthless "cover-my-ass", obvious crap, green-washing "cover-my-ass" crap or WOKE-crowd pleasing "cover-my-ass" crap.

      All of them expensive, polished and information-thin garbage and no use to anybody. How should another "cyber-security" course help?

      ;-)

      1. swm

        Re: Training

        Most password breaches occur by someone installing a key logger or other system compromise. Complicated passwords don't defend against this kind of attack. Requiring at least one lower case letter, one upper case letter, one special character, one digit etc. just means that the password will be written down or stored in a text file.

        1. John Brown (no body) Silver badge

          Re: Training

          "Requiring at least one lower case letter, one upper case letter, one special character, one digit etc. just means that the password will be written down or stored in a text file."

          Yes, a password along the lines of SomewhereOvertheRainbowWhereBlackbirdsShagAllDayLong is probably a bit more secure than MyP455word! and probably more memorable for a human. But few systems allow passwords that long, and they pretty much all require numbers and "special" characters.

          But as you point out, passwords alone can't protect against keyloggers.

          1. Disgusted Of Tunbridge Wells Silver badge

            Re: Training

            You could use the first ( or second? ) letter of each word, eg:

            Sotrwbsadl

            or

            Ovhahlhlao

            That's how I make memorable passwords

          2. Rustbucket

            Re: Training

            >> Yes, a password along the lines of SomewhereOvertheRainbowWhereBlackbirdsShagAllDayLong is probably a bit more secure than MyP455word! and probably more memorable for a human.

            But not when you may have several hundred passwords to remember.

        2. The Oncoming Scorn Silver badge
          Holmes

          Re: Training

          or a little book.....

    3. NonSSL-Login

      Re: Training

      I wonder how many large companies had cybersecurity training in mind during the last 12 covid months, other than wanting to secure their VPNs and gateways.

      When you hear any reports with 'the last 12 months' in them you have to factor in our dear friend covid.

  5. Potemkine! Silver badge

    as connecting personal devices to corporate networks

    We use 802.1X to avoid this. We also get alerts when some jerk user connects his/her smartphone to a professional computer to charge it. I would love to practice kneecapping on them; alas, company policies don't allow it.

    1. elaar

      What does that have to do with internet passwords??

  6. Pascal Monett Silver badge

    "using things like multi-factor authentication"

    Yeah, which means I have to give up my phone number to any number of websites run by any kind of sysadmin with a budget I am not aware of and qualifications I know even less about.

    Sorry, I'll keep my password management in-house, thank you very much.

    1. Spiz

      Re: "using things like multi-factor authentication"

      You don't have to give up your phone number if you use an authenticator app

      1. mark l 2 Silver badge

        Re: "using things like multi-factor authentication"

        Try not giving your phone number to PayPal; I have 2FA set up with an authenticator app and yet they still insist on trying to verify my account with an SMS message or voice call periodically.

      2. Sven Coenye

        Re: "using things like multi-factor authentication"

        No, the authenticator app does that for you. (At least, MS Authenticator does. It does not work on a WiFi-only device as MS uses the number as "proof" that it is still you who is trying to log in.)

  7. Smirnov

    We can't believe people use browsers to manage their passwords

    I'm not sure why ThycoticCentrify puts out so much hate for browser-integrated password managers. Because it really doesn't matter whether you store your passwords in the browser or in a separate password safe app: if the system they run on is compromised then so, very likely, are your passwords.

    But then, the idea behind password managers (no matter if the ones built into browsers, the OS or as standalone apps) wasn't to secure your password against invaders, it's a tool to help you to manage passwords across accounts so users don't re-use passwords because they can only memorize a limited number of them. And password managers built into browsers are as good as any standalone app to do that.

    And if your PC is hacked then it's 2FA which keeps your accounts safe, but at that point it still means your passwords are compromised (and so are all your accounts without 2FA!) and should be changed.

    1. NonSSL-Login

      Re: We can't believe people use browsers to manage their passwords

      There is exploitation in the context and memory of the memory, and there's sandbox-breaking RCE.

      In theory it's easier to grab stuff the browser has access to, like cookies and passwords, from a drive-by exploit than to get full access, which gives you access to memory and files outside of that context.

      If you are fully compromised then the passwords can be grabbed from anywhere. Password managers' weak spots are the unencrypted passwords in memory and, despite a few tricks some employ, it's trivial to read them once unlocked. If the password manager isn't active though, there is a small chance of anyone cracking the dormant database of some of these that use decent passwords. You have to wait until it's used.

      I have not used the browser to save most passwords since I first used a tool to extract passwords from most browsers some 20 years ago. Then there were other browser exploits to do the same, and bEEf/beefproject, and some of that stuff is enough to frighten you away from saving passwords and cookies past each session.

      The advice I never see given is to use different emails as well as different passwords. Use a different email address for your bank and finance stuff than you do other things. Even if you use the same password, credential stuffing is not such an issue. Not that I recommend using the same password except on all the genuinely unimportant sites that can't be used to gain more info or social engineer info out of others.

      As for 2FA....depends on the 2FA (sms is not secure) and where did you save your seed for your code generation? Use it on important things but handle the backups of codes carefully.....

      Stating the obvious and leaving out a lot of the obvious.

      1. John Brown (no body) Silver badge

        Re: We can't believe people use browsers to manage their passwords

        "The advice I never see given is to use different emails as well as different passwords."

        I was about to say the same thing.

        For a lot of online stuff such as forums etc, I use variations of a common themed password, but each has a unique username/email address made up from something related to the site and usually some number. If a site gets hacked/raided/whatever, the miscreants won't get enough data to be able to use elsewhere.

  8. revilo
    Thumb Up

    easy peasy

    I just twitter my passwords and never looked back. never lost one.

  9. redwine

    In the year of our lord?

    Please, there are no such things as gods and magic isn't real. Update your use of language!

    1. A.P. Veening Silver badge

      Re: In the year of our lord?

      Especially as he isn't aware his lord isn't my lord. As far as I am concerned, that year 2021 is 543 years ago (I use the Buddhistic Era).

    2. Snake Silver badge

      Re: In the year of our lord?

      I am an atheist. But, since "2021 A.D." means anno domini, which translates from Latin to "in the year of the Lord", the author is precise and technically correct even if you do not wish to agree with the belief of the existence of the entity mentioned.

      1. swm

        Re: In the year of our lord?

        "in the year of the Lord"

        My college diploma (in Latin) reads, "in the year of the salvation of mankind".

      2. Anonymous Coward

        Re: In the year of our lord?

        We use CE now in case you hadn't noticed.

    3. Doctor Syntax Silver badge

      Re: In the year of our lord?

      So what's your reference year?

      1. John Brown (no body) Silver badge

        Re: In the year of our lord?

        It's not unusual to use CE instead of AD these days. Same reference date, just absent the sky fairy reference.

        1. Doctor Syntax Silver badge

          Re: In the year of our lord?

          That's one that's always struck me as trying to duck the issue, pretending to ignore what it doesn't want to say but not really doing so.

          In fact Dionysius seems to have been somewhat arbitrary in his designation. It's also a pity he was using Roman numerals, one reason why he couldn't incorporate a year zero, which is apt to introduce either off-by-one errors or make the results look odd when expressing C14 dates in both years BP [before Present] and BC. C14 dating, BTW, takes 1950 as its reference year.

  10. random119327

    I can

    I can't believe keepassxc is the default password manager of numerous Linux systems, like Tails, or recommended by the EFF and other "famous" organizations: a fork from a perfectly working password manager to an unmanageable development software that facilitates transmission of passwords via network, internet browser, ssh... and other fancy options at the cost of weakened security (and let's not forget new bugs reported on their git on a daily basis). They fail to provide the main goal of a password manager: keep the passwords in a secure place.

    https://www.passwordstore.org is a much better advice

    1. Doctor Syntax Silver badge

      Re: I can

      What is this keepaswc of which you ramble? It doesn't sound anything like the one running here.

  11. Anonymous Coward

    Please explain

    What makes an external password manager better than the one built-in with Firefox? The one in Firefox is not just another password manager?

    1. Doctor Syntax Silver badge

      Re: Please explain

      For a start the one in Firefox wouldn't be much use when I'm using Palemoon (which is, BTW, set up to forget all its history when closed) and the one in Palemoon wouldn't be much use when I'm using Seamonkey and none of them on this laptop would be much use when I'm using one of the others. The separate keepassxc database can be synced as and when needed between systems.

  12. Anonymous Coward

    My password is secret

    Yes, secret

    1. David 132 Silver badge

      Re: My password is secret

      In a similar spirit of full disclosure, mine is **********

      1. marcellothearcane

        Re: My password is secret

        Hunter2000?

  13. Disk0
    Coat

    Best practice suggestion for keeping credentials secure: Chonk56£#*%$!

    Register all your accounts with overly complex, randomly typed paragraph-length passwords. Do not store or note the passwords in any format whatsoever.

    Instead, in order to log in to whatever online service you want to access, simply press the [Forgot Password] button.

    Scream once you realize you can not access the email account the password reset email was sent to because that is the very email account that you are trying to reset the password to.

    Revert to using the cat's name, age in human years and your favorite swear word in the age-appropriate pound-hash-asterisk-percent-dollarsign-exclamation point format as your password for any and all services.

  14. Anonymous Coward

    Well, of course we are..

    You can't even post a comment on this site without logging in...with a password.

    If you had to create a password every time you opened a new loaf of bread then you'd start reusing passwords too.

    Let's find some solutions shall we?

    A) stop making me create an account every time I want to open a bloody website. Authenticate only when needed.

    B) unify authentication across a single or couple of services and integrate your shitty website with those.

    C) in combo with B, get rid of passwords.

    Microsoft, bless'em, are working on B and C. Probably Google are too(?).

    Stop blaming users. Stop selling me solutions to problems the industry creates for itself.

  15. Doctor Syntax Silver badge

    I certainly agree with A. B is a bit of a problem because it ensures that if the authentication is breached then it opens up too much. It might also mean, as a previous post suggested, that you can't get through to get access restored if authentication fails.

  16. eaadams

    Limit login attempts will solve most problems

    We only need long, complex passwords, requiring password managers for some, to try and thwart brute force attacks. Limiting the number of login attempts solves this. Okay, if your company doesn't have an effective "Forgot password?" process this means employing an extra 50 people for the IT Support Desk on Monday mornings, but that is the price of security.
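The attempt limiting the post above describes, as an added example that is not from the post or any product named on this page: a sliding-window lockout keyed by both account and source address, run against constructed sample credentials, addresses and guess lists. It also shows the flip side the post prices in as support-desk headcount: once an attacker trips the lockout on an account, the real owner is locked out too until it expires.

```python
"""Sliding-window login attempt limiter (added example; all data constructed)."""
from collections import deque


class LoginLimiter:
    """Counts failed password checks per account and per source address.

    A key is locked once it accumulates its limit of failures inside the
    window; the lock lasts `lockout_seconds`. Times are plain seconds so
    the example runs deterministically without a clock.
    """

    def __init__(self, max_account_failures=5, max_source_failures=20,
                 window_seconds=900, lockout_seconds=900):
        self.limits = {"account": max_account_failures,
                       "source": max_source_failures}
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # (kind, id) -> deque of failure timestamps
        self._locked_until = {}  # (kind, id) -> time at which the lock expires

    def _recent(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()          # forget failures that fell out of the window
        return q

    def allowed(self, account, source, now):
        """True if a password check may proceed for this account from this source."""
        return all(self._locked_until.get(key, 0) <= now
                   for key in (("account", account), ("source", source)))

    def record_failure(self, account, source, now):
        """Log a wrong password; returns True if this failure triggered a lockout."""
        triggered = False
        for key in (("account", account), ("source", source)):
            q = self._recent(key, now)
            q.append(now)
            if len(q) >= self.limits[key[0]] and self._locked_until.get(key, 0) <= now:
                self._locked_until[key] = now + self.lockout_seconds
                triggered = True
        return triggered

    def record_success(self, account):
        """A correct password clears the account's failure history; the source's stays."""
        self._failures.pop(("account", account), None)


def simulate_brute_force(limiter, account, source, guesses, correct, start=0):
    """One account, many guesses, one second apart. Returns (checks_done, cracked)."""
    checks = 0
    for i, guess in enumerate(guesses):
        now = start + i
        if not limiter.allowed(account, source, now):
            continue             # rejected before the password is even verified
        checks += 1
        if guess == correct:
            limiter.record_success(account)
            return checks, True
        limiter.record_failure(account, source, now)
    return checks, False


def simulate_spray(limiter, credentials, source, guess, start=0):
    """One guess against many accounts from one source (password spraying).
    Per-account counters never trip here, which is why the source counter exists.
    Returns (checks_done, accounts_cracked)."""
    checks, cracked = 0, []
    for i, (account, real) in enumerate(sorted(credentials.items())):
        now = start + i
        if not limiter.allowed(account, source, now):
            continue
        checks += 1
        if guess == real:
            cracked.append(account)
            limiter.record_success(account)
        else:
            limiter.record_failure(account, source, now)
    return checks, cracked


if __name__ == "__main__":
    # Constructed sample data: one victim account and a 50-user base with one weak password.
    lim = LoginLimiter()
    guesses = [f"guess{i}" for i in range(100)] + ["correct horse battery"]
    print(simulate_brute_force(lim, "alice", "203.0.113.5", guesses, "correct horse battery"))
    # The account lock also stops alice from her own address: the support-desk cost.
    print("alice allowed from home at t=10:", lim.allowed("alice", "198.51.100.7", 10))
    creds = {f"user{i:02d}": f"unique-{i}" for i in range(50)}
    creds["user42"] = "Winter2021!"
    print(simulate_spray(LoginLimiter(), creds, "203.0.113.5", "Winter2021!"))
```

The window should be at least as long as the lockout, otherwise failures still inside the window re-trigger the lock the moment it expires.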

  17. Bob.

    Bloody LastPass Free now is effectively for a single device. I can only change between my laptop and mobile phone app 6 times.

    After some research and messing about, I decided on Avira Password Manager Free and installed it and imported my passwords.

    I have kept Last Pass as backup / emergency.

    I am now in the excellent situation where both now fill in the other's Master password.

    Hmmm...need some more hours thinking. But I have been fed up with playing what ifs and security strategies for years.

    My latest bugbear was choosing $ as one of my special characters

    Where the hell is $ on an Android phone keyboard?!!???

    I was reduced to copying and pasting it from a random website until I learned how to do it properly (even my daughter - a phone wizard - didn't know this trick)

    Solution: Press and hold any currency key for a choice of others.

    I also keep Axcrypt (! - still) encryptions of my password file export on my laptop

    And make regular system images of the HDD to an external HDD.

    Regular education and updating does take significant time

    And all the What Ifs swirling around my head

    What If...

    My phone or laptop is lost or stolen?

    While I am in the middle of a current password manager session?

    Have I been sneakily phished or hacked recently?

    Are all my apps secure?

    What about this new Pegasus Zero Click vulnerability?

    I know that most of my passwords that I keep on odd scraps of paper or the paper notebook next to my laptop are secure.

    I can't even decipher them. And if I do, it's a long defunct email account to regain access to a company long out of business

    What if I have a car crash or a Stroke?

    I might forget how technology works completely

  18. -martin-

    We need something better

    The thing is, a password or whatever is like needing to memorise the pattern of your house key and type / draw it each time you want to get into your house. Passwords are an archaic mechanism, we need something better... With the house key, we don't care what it is, we just want to stick it in and turn it to unlock the door. We need something comparable in the online world that is as easy and secure.

  19. arachnoid2

    Passwords are an archaic mechanism,

    Better than using a finger print

    A: you only have ten (unless you take your socks off)

    B: you leave your "password " all over everything you touch

  20. 54bombay

    Old fashioned way I prefer.

    I used two password managers and I forgot the master password for both of them. So I lost all my passwords.

    I ended up with a random password generator and a notebook. You can set the length and whether to use special characters.
