Password managers: Is it OK to use your browser’s built-in password management tools?

Every major browser on every platform includes built-in password management features. Is it safe to use these tools? More importantly, is it smart?

Should you use your browser’s built-in password manager?

These days, the ability to keep track of the passwords you use with secure online services is a basic feature for web browsers. The feature is typically turned on by default, which means you probably have a random collection of passwords saved in the cloud along with your bookmarks and settings for your default browser.

If you regularly switch between browsers (Chrome on the desktop, Safari on your iPhone), you might even have multiple sets of saved passwords scattered across multiple clouds.

It's time to clean up that mess.

You have two choices. You could decide to get serious about adopting that feature and using it deliberately across every device you own. Or you could switch to a third-party password manager and shut down that feature in the browser.

In either case, it's prudent to track down outdated saved passwords and delete them from the cloud.

Years ago, security experts cautioned against saving passwords in a browser. Today, the case for using one of those built-in password management tools is stronger. Consider the advantages of allowing your favorite browser to take over this task:

  • No extra download is required, as is the case with third-party password management utilities.
  • Your passwords sync automatically along with all your other data. When you sign in to your browser on a new device, your passwords are already available for you.
  • There's no subscription fee for these built-in password managers.
  • Your saved/synced data is secured by the same encryption and two-factor authentication features you use with your email, cloud storage, and device security features.

The list of disadvantages is shorter, but these factors are worth considering. The most obvious drawback is that browser-based password managers don't work with alternative browsers. If you routinely switch between browsers on different devices, you'll find yourself frustrated when you change a password on one device only to discover days or weeks later that your secondary browser is now offering an outdated set of credentials.

The bigger problem is that free, browser-based password managers generally have a basic feature set that can't compete with paid alternatives. They've all stepped up with password checkup features that alert you if your password was part of a data breach, and they can typically also track things like addresses and credit card numbers for quick form-filling. But they fall short on other, more interesting features.

For example, every browser I looked at is capable of generating a strong, random password that you can use when you create or change your credentials for a new site. But none of them offer the ability to customize that password by choosing a specific length, allowing or disallowing symbols, and so forth, as you can with the third-party 1Password utility shown here.

Browser-based password managers don't offer advanced features like these options in the paid 1Password utility.

Likewise, free browser-based password managers lack a feature that's crucial for families: the ability to share passwords so that any family member can access a subscription service or place an online order using the same account.

With a full-featured password manager, you can also add notes to each saved entry, manage bookmarks, enter alternate top-level URLs that use the same credentials, and so on.

The bottom line? For anyone whose online demands are modest, who uses the same browser on every device, and who can live with the limitations of these basic features, a browser-based password manager is probably good enough. If you've read this far, that description's probably not you. In that case, the challenge is to transfer your currently saved passwords to a new utility and then disable the feature in favor of your preferred third-party password manager.

I've studied each of the four leading browsers: Google Chrome, the new (Chromium-based) Microsoft Edge, Mozilla Firefox, and Apple's Safari. Here's how to find the password management settings for each one, export any saved passwords to a safe place, and then turn off the feature. As a final step, I explain how to purge saved passwords and stop syncing.

Google Chrome

Chrome's built-in password manager is, not surprisingly, tied to whichever Google account you used to sign in to the browser. When you're signed in, passwords sync to your Google account and are available in Chrome on your PC or Mac, on Android devices, and on iPhones and iPads. If you're not signed in, passwords are saved locally.

You can manage password settings from the Chrome browser on a PC or Mac. Make sure you've signed in using your Google account, and then go to the Autofill > Passwords page at chrome://settings/passwords.

1) Use this shortcut to go straight to Password options; 2) Turn both these switches off; 3) Use these menus to export all passwords or remove individual saved items. 

(You can also manage this setting from your online Google account. Go to https://passwords.google.com/options, where you'll find the same limited set of options. Or use the Password Settings option on an Android device.)

Back up your saved passwords: If you have any saved passwords, I recommend that you export a copy before you adjust any settings. There's a big Export button on the Google Account page; on the Autofill > Passwords page, click the More Actions button (three vertical dots) to the right of the Saved Passwords heading to reveal the Export command. The resulting file is in CSV format, which you can save or open in Excel or Google Sheets for printing.

Turn off password saving: Turn off both options on the Autofill > Passwords page: Offer To Save Passwords and Auto Sign-In. That will stop Chrome from saving any additional passwords, but it won't stop the browser from trying to fill in passwords that are already saved.

Purge saved passwords: From the Autofill > Passwords page, you can delete individual saved credentials. Click the More Actions button to the right of any entry and then click Remove. That action deletes the saved item from your Google account and from every other device where you're signed in using that account and have sync turned on.

If you just have a few saved passwords, deleting them individually is not such a big deal. If you have dozens of passwords (or more), it's a tedious process, but there's no other way to delete all saved passwords from your Google account short of deleting the account. You can delay the process by turning off password syncing and then clearing all locally saved passwords: After turning off password sync, go to chrome://settings/clearBrowserData, click Advanced, choose All Time from the Time Range menu, select the Passwords And Other Sign-in Data check box, and click Clear Data.

Turn off password syncing: To avoid having a password you accidentally save on another device sync back to the current one, go to chrome://settings/syncSetup/advanced, choose Customize Sync, and turn the Passwords switch to the Off position.

The New Microsoft Edge

Because the new Edge is based on the same open source Chromium engine that Google Chrome uses, the procedures for configuring the password manager feature are very similar to those in Chrome.

You can manage password settings from the Edge browser on a PC or Mac. Make sure you've signed in using your Google account, and then go to the Profiles > Passwords page at edge://settings/passwords. Unlike Google, Microsoft does not provide online access to your saved passwords from your Microsoft Account page.

Back up your saved passwords: On the Profiles > Passwords page, click the More Actions button (three horizontal dots) to the right of the Saved Passwords heading to reveal the Export command. The resulting file is in CSV format, which you can save or open in Excel for printing.

Turn off password saving: Turn off both options on the Profiles > Passwords page: Offer To Save Passwords and Auto Sign-In. That will stop Edge from saving any additional passwords, but it won't stop the browser from trying to fill in passwords that are already saved.

Purge saved passwords: From the Profiles > Passwords page, you can delete individual saved credentials. Click the More Actions button to the right of any entry and then click Remove. That action deletes the saved item from your Microsoft account and from every other device where you're signed in using that account and have sync turned on.

As with Google Chrome, you must delete saved passwords individually to clear them from Edge on other synced devices. If you just want to clear all locally saved passwords, first turn off password sync, then go to edge://settings/clearBrowserData, choose All Time from the Time Range menu, select the Passwords check box, and click Clear Now. If you want to remove all data that was transferred from the legacy version of Edge, including saved passwords, scroll to the bottom of the list and select the All Data From The Previous Version Of Microsoft Edge option.

Turn off password syncing: To avoid having a password you accidentally save on another device sync back to the current one, go to edge://settings/profiles/sync and turn the Passwords switch to the Off position.

Be sure to turn off password syncing before clearing this data, or Edge will quickly restore all your saved passwords from the cloud.
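
Chrome and Edge both export to CSV, so the two files can be compared to find the outdated credentials that pile up when you switch between browsers. The following is an added example, not code from this article: a Python script that flags logins whose saved passwords differ between the two exports, and passwords reused within one export, without ever printing a password. It assumes each export has a name,url,username,password header row; the sample rows are constructed.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample exports (not real credentials).
# Assumed header row: name,url,username,password
CHROME_CSV = """name,url,username,password
example.com,https://example.com/login,alice,Tr0ub4dor&3
shop.test,https://shop.test/account,alice@example.com,Tr0ub4dor&3
mail.test,https://mail.test/,alice,correct-horse
"""
EDGE_CSV = """name,url,username,password
example.com,https://example.com/signin,alice,old-Passw0rd
mail.test,https://mail.test/,alice,correct-horse
"""

def load(export_text):
    """Map (host, username) -> password digest for one export."""
    entries = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        host = urlsplit(row["url"]).hostname or row["url"]
        # Keep an in-memory digest, not the password, so reports never echo secrets.
        digest = hashlib.sha256(row["password"].encode()).hexdigest()
        entries[(host, row["username"])] = digest
    return entries

def conflicts(a, b):
    """Logins saved in both exports with different passwords (one is stale)."""
    return sorted(k for k in a.keys() & b.keys() if a[k] != b[k])

def only_in(a, b):
    """Logins saved in export a but missing from export b."""
    return sorted(a.keys() - b.keys())

def reused(entries):
    """Groups of logins within one export that share the same password."""
    groups = defaultdict(list)
    for key, digest in entries.items():
        groups[digest].append(key)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    chrome, edge = load(CHROME_CSV), load(EDGE_CSV)
    for host, user in conflicts(chrome, edge):
        print(f"CONFLICT     {host} ({user}): browsers hold different passwords")
    for host, user in only_in(chrome, edge):
        print(f"CHROME ONLY  {host} ({user})")
    for group in reused(chrome):
        print("REUSED       " + ", ".join(f"{h} ({u})" for h, u in group))
```

The exported CSV stores every password in plaintext, so delete the files once the comparison is done and the entries have been moved to their new home.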

Firefox

I confess, it has been a while since I used Firefox as my primary browser. Specifically, it must have been before October 22, 2019, which is when Mozilla released Firefox 70, with the browser's internal password management tools rebranded as Firefox Lockwise.

Mozilla has rebranded the password management features in Firefox as Lockwise, with separate mobile apps available for iOS and Android.

What makes Lockwise different from its browser brethren is that it saves passwords in Firefox but allows you to access those saved passwords via apps for the two dominant mobile platforms. In theory, that architecture makes this a more versatile solution, but the reviews I've read aren't encouraging.

One important note about Lockwise: It works only if you're signed in to your Firefox account. If you're not signed in, your passwords aren't saved.

Back up your saved passwords: Sorry, Firefox doesn't include an export option with Lockwise. There are workarounds (including a two-step process that uses the Brave browser) but no built-in functionality for this important option.

Turn off password saving: After signing in to your Firefox account, go to about:preferences#privacy and clear the Ask To Save Logins And Passwords For Websites option.

Purge saved passwords: In Firefox, go to about:logins, where you'll find a list of all your saved credentials, with a navigation bar in the left pane that shows the current selection in the right pane. Click Remove to delete a saved password from your Firefox account in the cloud. There's no way to remove more than one password at a time, so if you've got a very large collection of saved passwords, you'll need to do a lot of clicking and confirming.

Turn off password syncing: To stop syncing passwords to your Firefox cloud account, go to about:preferences#sync, click Change, and clear the Logins And Passwords box. Note that this doesn't remove your previously saved passwords.

Safari on Mac

Apple's Safari browser is based on WebKit, which makes it a first cousin to the Chromium-based alternatives. But unlike Chrome or Edge, Apple doesn't allow its flagship browser to manage passwords independently of the operating system. Your passwords are saved in Apple's iCloud Keychain, which works on Macs, iPhones, and iPads.

There's no Safari browser for Windows PCs or Android devices, so Safari's password manager is appropriate only for those who are fully committed to the Apple ecosystem. If you've got an Apple Card because that 3% rebate represents big bucks for you, read on.

Back up your saved passwords: Apple does not make it easy to export data from its Keychain. The Keychain Access utility includes an export function, but the resulting files aren't readable by mere mortals, and it's really only appropriate for backing up from one Apple device to another. As with everything Apple, there are workarounds, but none I can confidently recommend.

Turn off password saving: To turn off password saving in Safari, go to Safari > Preferences > AutoFill, and clear the User Names And Passwords check box.

Purge saved passwords: Everything else about Apple's Keychain is difficult, but this is a major exception. To delete the saved passwords from a Mac, go to Safari > Preferences > Passwords. Sign in using your user account password, press Command+A to select every entry in the list, and then click Remove. Shazam!

Safari is the only major browser that allows you to quickly delete all saved passwords from the cloud.

Are you using your browser's password manager? Tell your story in the comments section below.