Which Password Manager Is Better? Standalone or Built-In?

Should you use a separate, standalone Password Manager, or the Password Manager built into your browser?

Tavis Ormandy is an Information Security Engineer from England currently employed by Google as a member of their Project Zero team.

After discussing various technical problems with Password Managers, and after downplaying the need for “nuance,” Tavis says:

“If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.

I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI (user interface) from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use.”

Tavis also recommends writing down and securely storing passwords.

Standalone Password Manager applications offer consumers more features and greater functionality.

But 65% of internet users access the internet using the Chrome browser. Its built-in Password Manager is highly-regarded and may be featured enough for many users.

Is there a reason we shouldn’t tell consumers to use the built-in Password Managers of the top 3 browsers? Do we have solid, convincing evidence to claim that built-in Password Managers are unsafe if used as designed?

Various researchers including Britton White have provided evidence of browser attacks in the wild which completely circumvent protections designed into the built-in password managers in Windows and Apple computers.

Should we think of this as nudging consumer behavior along a spectrum, from bad >> better >> best? Some think using the built-in Password Manager is better than reusing the same/similar password across multiple online sites.

I’m very interested in exploring this question, and completely open to thoughts and suggestions.

Link to Tavis Ormandy’s blogpost: https://lock.cmpxchg8b.com/passmgrs.html

— Anthony Collette

Scroll to Top