Welcome to “Ask a security trainer,” the column where the digital security training team at Freedom of the Press Foundation (FPF) answers your burning questions at the intersection of journalism and security. Submit yours here! Let’s jump right into this week’s question.
Dear DST,
At your training, we learned about password managers like 1Password, and I realized I might have been using one this whole time by saving my passwords in my web browser. Is there anything wrong with just using my browser to store passwords?
Signed,
Open Sesame
Hi Open,
I previously worked with Google Chrome doing security and privacy research, learning from users how they use the software. So I’ve spent more time thinking about this than I’d like to admit. And while I can understand the choice to use a browser-based password manager, I personally recommend a dedicated password manager like 1Password or Bitwarden that will work on all major operating systems and browsers. That way, you’re not locked into any one ecosystem.
Let’s unpack this. Most people tend to reuse a small handful of easily memorized passwords, sometimes even including publicly accessible personal information (e.g., a family member’s birthday). Password reuse is risky, because a password breach on one website allows an attacker to try your password on lots of others.
Enter the password manager. This is just a piece of software designed to help you create long, randomized passwords and store them securely. Most people don’t use a password manager, or if they do, they might not be aware they’re using one.
There are multiple kinds of password managers, with somewhat different features. Some are built into your browser. Some are built into your operating system, like Apple’s iCloud Keychain. Some are dedicated password managers with just one job: helping you create and store more secure passwords.
When you use a password manager properly, you isolate the damage from a password breach to just one service because now you’re using unique passwords on every website. Whether it’s built into your browser or is stand-alone, if you are using the password manager to generate long, random passwords, that’s great. However, if you’re just saving your passwords and continuing to reuse them across websites, you’re not taking advantage of the password manager’s security benefits.
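To make the two points above concrete (a password manager generates long, random passwords, and unique passwords confine a breach to one service), here is a small added example in Python. It is illustrative code written for this column, not part of any password manager’s source. The 94-character alphabet, the sample account names (`*.example`) and the reused password `Fluffy2011!` are constructed assumptions; the generator uses Python’s `secrets` module, which draws from the operating system’s cryptographic random source.

```python
import math
import secrets
import string

# Character set a typical password manager draws from (constructed assumption):
# 52 letters + 10 digits + 32 punctuation marks = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly at random from `alphabet`.

    `secrets.choice` uses the OS CSPRNG, which is what makes the result
    unguessable; `random.choice` would not be suitable for passwords.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    This only holds for generated passwords; a human-chosen password such as
    a pet name plus a year has far less entropy than its length suggests.
    """
    return length * math.log2(alphabet_size)


def breach_impact(vault: dict, breached_site: str) -> set:
    """Model what an attacker learns from one site's breach.

    `vault` maps site -> password. Return every site that the password
    leaked from `breached_site` also opens, i.e. every account that shares it.
    """
    leaked = vault[breached_site]
    return {site for site, password in vault.items() if password == leaked}


def unique_vault(sites, length: int = 20) -> dict:
    """Build a vault where every site gets its own generated password."""
    return {site: generate_password(length) for site in sites}


# Constructed sample: three accounts protected by one memorable, reused password.
REUSED_VAULT = {
    "news-site.example": "Fluffy2011!",
    "webmail.example": "Fluffy2011!",
    "bank.example": "Fluffy2011!",
}

if __name__ == "__main__":
    breached = "news-site.example"
    print("Reused password, breach at", breached, "exposes:",
          sorted(breach_impact(REUSED_VAULT, breached)))

    managed = unique_vault(REUSED_VAULT.keys())
    print("Unique passwords, same breach exposes:",
          sorted(breach_impact(managed, breached)))

    print("Example generated password:", managed["bank.example"])
    print("Entropy of a 20-char generated password: %.1f bits"
          % entropy_bits(20, len(ALPHABET)))
```

Running it shows the reused vault losing all three accounts to a single breach, while the generated vault loses only the breached site. The entropy figure is the point of letting the manager do the generating: a 20-character password drawn from 94 symbols carries about 131 bits, which no memorable password comes close to.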
Dedicated password managers like 1Password, Bitwarden, and others protect your credentials behind a password-protected, encrypted “vault.” This vault can be synced across all of your browsers and devices through their apps, so you can access your passwords no matter what device you have on hand. A browser-based password manager is better than nothing, but it may or may not offer these features.
You should also know that, historically, Google’s Chrome browser could read your passwords by default when you synced them across devices. This may be changing, though, with the introduction of new technologies integrated into Google Password Manager.
For Chrome users curious to tinker with these settings, dig into your Chrome settings on a desktop device and find “Sync and Google Services.” From here you should be able to see “Encryption options” that will allow you to use an optional sync passphrase to encrypt your passwords before they are sent to Google.
Firefox, by comparison, uses end-to-end encryption to ensure your passwords are synced in a way that not even Mozilla can read. Similarly, when you sync passwords on Safari with iCloud Keychain, those are also end-to-end encrypted.
But for me, the biggest advantage of a dedicated password manager like 1Password is that it will work with all major browsers and operating systems. You can use it everywhere, including in external apps, and outside of your favorite browser. That way, you never have to worry about which operating system you’re using, and you’re not locked into any particular browser.
I would not want to be too partisan about which password manager to use. The most important thing is to avoid password reuse. I do think a dedicated password manager is the most effective way to accomplish this.
There are other subtler considerations as well. So to learn more, check out our guide to choosing a password manager. And if you’re a journalist looking for help getting started, reach out to our team.
Happy browsing,
Martin Shelton