There are plenty of password managers on the market, all capable of effectively and securely storing your login credentials and other sensitive data. Password managers appear in many different forms and have their own respective list of special features, yet there is one thing that they all have in common: they import login data to their safe vault via browser extensions.
These add-ons are very convenient when it comes to importing and auto-filling credentials, but over the last few years they have been involved in some nasty security breaches. So the main question is: are they really a threat to our online privacy, or is it still safer to have them in our browsers than to continue the bad habits of sticky notes and reused passwords?
What Seems to Be the Problem?
Before jumping to conclusions, let’s clarify one thing right at the beginning: thanks to military-grade encryption, password managers themselves are so secure it is virtually impossible to access them without the master password, especially when two-factor authentication is turned on, too. Another important aspect is that password management tools are capable of encrypting data before it enters the password manager company’s cloud storage.
This is not the case with browser extensions, however. Their code can be easily accessed by experts and less tech-savvy users alike, and it can display vulnerabilities such as the decryption key used by the software, the option to bypass the security question and, worst of all, a way to make your passwords visible.
The internet is already full of cases of security ‘horror stories’ involving browser extensions but one of the most recent breaches occurred at LastPass. In March 2017 Tavis Ormandy reported that by sending unauthenticated messages to the company’s extension, authorized LastPass commands like copying and filling passwords could have been accessed. Thankfully the company proved why password managers are considered to be on top when it comes to eliminating security breaches, since the vulnerability and an eerily similar counterpart were patched within 24 hours.
The moral of this case can be summarized like this: password manager browser extensions are indeed vulnerable, but thanks to the constant monitoring by their developers, a hacker has to work at the speed of light in order to actually exploit the vulnerability before it is patched and becomes publicly known.
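The class of flaw described above, where a message from an unauthenticated sender reaches a privileged command, comes down to a dispatcher that does not check who is calling. The following is an added illustration, not LastPass code or code from the original article; the command names, origins and vault contents are constructed.

```javascript
// Added illustration of an extension message dispatcher; not any vendor's code.
// Every name and value here is hypothetical or constructed for the example.
const EXTENSION_ORIGIN = "chrome-extension://exampleextensionid"; // placeholder
const vault = new Map([
  ["https://bank.example", { user: "alice", password: "constructed-secret" }],
]);

const commands = new Map([
  // Privileged: returns the stored secret for whichever site the caller names.
  ["copyPassword", (args) => vault.get(args.site)?.password ?? null],
  // Unprivileged: reveals only whether the sender's own origin has an entry.
  ["hasLogin", (_args, sender) => vault.has(sender.origin)],
]);

// Vulnerable pattern: every sender can reach every command.
function dispatchUnauthenticated(msg, sender) {
  const fn = commands.get(msg.cmd);
  if (!fn) return { ok: false, error: "unknown command" };
  return { ok: true, result: fn(msg.args || {}, sender) };
}

// Hardened pattern: the sender's origin decides which commands are reachable.
// `sender` stands for metadata attached by the browser's messaging layer; it
// must never be read from the message body, which the sender controls.
const PAGE_ALLOWED = new Set(["hasLogin"]);

function dispatchAuthenticated(msg, sender) {
  const fn = msg && typeof msg.cmd === "string" ? commands.get(msg.cmd) : undefined;
  if (!fn) return { ok: false, error: "unknown command" };
  const fromExtensionUi = sender.origin === EXTENSION_ORIGIN;
  if (!fromExtensionUi && !PAGE_ALLOWED.has(msg.cmd)) {
    return { ok: false, error: "sender not authorized" };
  }
  return { ok: true, result: fn(msg.args || {}, sender) };
}

// Constructed message from an unrelated web page asking for another site's secret.
const request = { cmd: "copyPassword", args: { site: "https://bank.example" } };
const otherPage = { origin: "https://other.example" };
console.log(dispatchUnauthenticated(request, otherPage)); // secret handed over
console.log(dispatchAuthenticated(request, otherPage));   // request refused
```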
Better to Have an Extension than Nothing at All
Some experts say that it’s best to ditch password manager browser plugins altogether, since they are only tools of convenience and will always be the target of hackers trying to find the Achilles’ heel of password managers. But if there is one thing internet users won’t give up, even if they were facing the end of a gun, it’s convenience – the main reason they are using password managers to begin with.
Password managers are well aware of the constant attacks, therefore they pay extra attention to their browser add-ons: 1Password, for instance, claims that its extension never contains any data whatsoever, since it only acts as a ‘bridge’ between the actual desktop app and your browser. In fact, most of these desktop-only password managers have very limited browser plugins, only capable of displaying what has been saved to your vault; every action related to passwords and other credentials can only be performed in the software itself, which means there is absolutely nothing to be compromised in the extensions. This way the add-on serves its true purpose – saving and filling passwords – while still revealing nothing about you and your credentials should it be attacked by hackers.
An Extra Layer Towards Perfect Online Protection
Having a strong password, activating two-factor authentication and installing an add-on that cannot be compromised is already enough to effectively protect your online identity. But if you want to go one step further and make sure you achieve perfect protection, consider using a VPN as well. Unlike password managers that only encrypt login credentials and sensitive information, VPNs hide literally everything by encrypting all of your data and tunneling your internet traffic through a secure VPN server located anywhere in the world.
With a VPN turned on, your internet activity becomes invisible to ISPs and, as a nice addition, it allows access to sites that are geo-blocked.