Which is more secure, browser cached passwords or password manager?

I just had a thought: which would be more secure to use, ignoring the strength of the password?

  1. Using a web browser's built-in password saving feature, so passwords are not typed in all the time and are synced between devices.
  2. Using a password manager and disabling the saving of passwords, and copy/pasting them into the box each time you visit a website.

Are the differences negligible? Or is one better to use than the other? Also, note that the password manager is not built into the browser, it's standalone (KeePass).

1 Like

This - most secure is an "offline" password manager, KeePass2, KeePassX2, those I use and I trust them.

Browser storage is often and widely attacked, and LastPass(?) currently has/had a big gaping hole.

2 Likes

So the most secure way of using passwords would be to disable the caching of passwords and use a password manager with randomly generated passwords at maximum lengths?

Also, keepass ftw lol

1 Like

Yes, and with a master password that is used nowhere else and is also quite complex. I mean it's only one PWD to remember =)

Disable caching completely, it's a low-hanging fruit ...

2 Likes

I'm going to start doing that. I already carry my password manager with me; it felt silly never really using it. The only thing I don't have cached is my bank stuff. But I will definitely start using it more. I also need to finish randomizing all my passwords, I got about half of them done already. lol

I can't believe password managers aren't more widely used. It's so convenient, while also being far more secure. As long as you don't use browser integration. I've run across a number of people who feel that's a good middle ground between browser caching and external password management. It's not. It's a terrible thing that shouldn't be done.

And also, KeePass ftw. I use KeePassX because I pretty much live in Linux these days. I can get KeePass for Linux, but I like KeePassX better in general.

I use different versions across all my devices, it's super handy. I like how the database can just be copied from device to device. Although it can be a bit annoying when you have 6 devices and need to update it on all of them. Don't know if anybody has a decent solution for this other than just copy/pasta.

Copy pasta. However I have adopted a distribution system. I only create passwords on my main computer. The database then goes up to Google Drive and is dispersed to the other devices. If I'm on another device, and I sign up for a new service, there's a password that I'll use to create it. I'll go back later when I'm at my computer, update the password, send the new database up, and that's that.

Ah yeah. I need to rid myself of Google services, but fuck man it's hard. lol

1 Like

I personally use Enpass - sometimes it's kinda buggy, but it saves passwords on your computer - or on OneDrive (and many others), if you need to sync it between computers, and it even has a WP app - yeah, laugh at me, I'm OK with WP, don't need to play stupid Pokemon :P

Stopped trusting Chrome and password managers that save passwords on their own servers, since you don't know what's on the backend.

So I would say: store locally on encrypted drives.

1 Like

Syncthing should work to keep it synced across all devices. Make a backup before trying this though.

Having a master password is a first step, and using encryption in the browser; I have not looked into BeEF http://beefproject.com/ in a while - cannot say for sure if there is already an attack vector.

But escaping the sandbox, then attacking another process, is harder, certainly.

1 Like