I am curious to know what is safer to use with the browser included with Fedora (Firefox). Is it a risk to use the password manager built into the browser? I have read this is not safe for banking and other important credentials.
What steps could be taken to mitigate this risk, such as a Bitwarden plugin? Is this better or not necessary?
I don't think there will be a simple yes or no answer to this question.
Security is a balance of cost / risk.
I find Password Managers are not saving Financial Website passwords by default (Bitwarden, LastPass, Chrome, Firefox). I don't know how they classify which website is a Financial one.
Also store the username in the password file? pass has no restrictions on what you can save in the file. For example, my pass files are:
<password>
Username: <username>
E-mail: <e-mail>
<Any other additional info>
I save these files as: <hostname> or if I have multiple accounts for the same hostname, <username@hostname>.
I use qutebrowser, which has a userscript to use pass, which reads the password from the first line and username from a line with username:, and this can be changed depending on how you format your pass files.
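The entry layout described in the post above, parsed in Python. This is an added example, not part of the original post and not the qutebrowser userscript's code; `parse_pass_entry`, the sample entry and the entry names are assumptions made for illustration, and the input is the already-decrypted text of a pass entry.

```python
import re

# "Key: value" lines; the colon must be followed by whitespace so that
# URLs such as https://... are kept as notes, not mistaken for fields.
FIELD_RE = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*:\s+(.*\S)\s*$")

# Constructed sample entry following the layout from the post.
SAMPLE = (
    "correct-horse-battery\n"
    "Username: alice\n"
    "E-mail: alice@example.org\n"
    "PIN reset by phone only\n"
    "https://example.org/login\n"
)


def parse_pass_entry(text, entry_name=""):
    """Parse decrypted pass entry text (hypothetical helper).

    Line 1 is the password; later "Key: value" lines become fields and
    every other non-empty line is kept as a free-form note.
    """
    lines = text.splitlines()
    if not lines or not lines[0]:
        raise ValueError("entry has no password on its first line")
    entry = {"password": lines[0], "fields": {}, "notes": []}
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:
            # Keys are case-insensitive; the first occurrence wins so a
            # later line cannot silently override an earlier field.
            entry["fields"].setdefault(m.group(1).lower(), m.group(2))
        elif line.strip():
            entry["notes"].append(line.strip())
    # Entries saved as <username@hostname> carry the username in the
    # file name; use it only when there is no "Username:" line.
    leaf = entry_name.rsplit("/", 1)[-1]
    user, at, host = leaf.rpartition("@")
    entry["hostname"] = host if at else leaf
    entry["username"] = entry["fields"].get("username") or (user if at else None)
    return entry


if __name__ == "__main__":
    parsed = parse_pass_entry(SAMPLE, "web/example.org")
    # Print only non-secret parts; never echo the password itself.
    print(parsed["hostname"], parsed["username"], sorted(parsed["fields"]))
```
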
+1 for KeePassXC, look at how easy (in most cases) browsers import each other's password databases.
It seems reasonable to create a separate database with only a subset of passwords that might be of use on mobile - security there is by far inferior.
A compromise between security and convenience might be using a second factor to secure the database, e.g. a generated key file, and synchronising only the database through some cloud. That way the DB is harder to crack while having a backup and synchronisation. It's also a better way for syncing passwords with a mobile.
Both your arguments ("+1 for KeePassXC" and "…security there is by far inferior") are somewhat contrary.
cause the DBs of KeepassXYZ are secure and namely everywhere or they are not (independently of how many passwords they contain)
I meant that security on mobile devices is worse than on linux PC/laptop. At rest passwords are secure, but anything can happen when you open it on a device with known vulnerabilities.
If having a command line interface like pass appeals to you but you also like KeePassXC, note that KeePassXC includes keepass-cli (which also has an interactive mode). If you're on macOS and using KeePassXC.app rather than installing via homebrew, or similar, you can find it at /Applications/KeePassXC.app//Contents/MacOS/keepassxc-cli .
FWIW, and going back to OP's question, I think some prefer a password manager like Bitwarden, as I do, because there have been third-party audits of it and it is open source; AFAIK, the built-in Firefox manager has neither been audited nor is it open source.
All the previous posters make very good points about where the password db is housed and comment clearly on the benefits of not having it in the cloud; however, for my purposes, I prefer saving hashed and salted in the cloud with a developer I trust.
So would you trust Bitwarden? I have trusted them as they are open source. I guess I trust that other users audit their code from time to time, say every quarter or semi-annually.
So trusting the Firefox password manager is not advised, would you say? I'm a bit worried about all the trust I put in my browser, I have a lot of passwords and if there is a breach I could be compromised… The convenience of the browser remembering all my logins is so very helpful as I run CalyxOS on my smartphone and each time I log in I need to unlock Bitwarden and paste in the password, and it happens many times a day and slows me down a lot as I log in and out of many user interfaces.
No password-only authentication is safe, independent of what password manager you use. What you need is Two Factor Authentication, including for your online banking site.
Great, thanks, I'll contact the banks and get that set up, thanks a lot. So for other non-2 factor authentication for important access, would you not save passwords to the browser?
Where possible, use some second factor of authentication: one time password (e.g. andOTP) or some hardware key (Solo key, Nitrokey, Yubikey).
There are add-ons that integrate KeePassXC with browsers, making it almost as easy to use as built-in password managers: KeePassXC: Getting Started Guide
If you want to use the browser's password manager, at least enable the master password (Firefox), which has to be entered to unlock saved passwords.