by jawns 1271 days ago
If you're looking at this problem not as a technical person, but just as someone looking for the most practical solution to the problem ... Chrome's built-in password management is the obvious mass-market solution.

It suggests (relatively) strong passwords, it discourages password re-use, it surfaces when you use passwords that have been found in a data breach, and it allows you to access these passwords across devices.

I have no idea about the cryptographic strength of Chrome's offerings, but the fact that it is the leading browser worldwide means that it's going to be dead-simple for most people to adopt, even those who are decidedly non-technical.

(Personally, I use Bitwarden and 1Password, but I'm a software engineer. I would not expect my elderly family members to do the same, especially because both involve installing and maintaining browser extensions that can be finicky when Chrome updates.)

4 comments
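The two checks the top post credits Chrome's manager with (flagging reused passwords and flagging passwords seen in a breach) can be shown concretely. The Python below is an added example, not Chrome's code or anything posted in this thread. It uses the SHA-1 k-anonymity range-query scheme popularised by Have I Been Pwned (the client hashes locally, sends only a five-character prefix, and matches the suffix itself) against a constructed in-memory breach corpus and a constructed vault; whether Chrome uses this exact protocol is not something the thread establishes, so treat the scheme as an assumption. The same block flags a password shared across sites, which is the reuse threat the thread discusses further down.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault: (site, username, password). Not real credentials.
VAULT = [
    ("mail.example.com", "alice", "correct horse battery staple"),
    ("shop.example.net", "alice", "Summer2019!"),
    ("bank.example.org", "alice", "Summer2019!"),
    ("forum.example.io", "alice", "xk9#Qm2$vL7p"),
]

# Constructed stand-in for the server side of a k-anonymity range query.
# Only SHA-1 digests are kept, as a real breach-lookup service would store them.
_BREACHED_PLAINTEXTS = ["Summer2019!", "password", "123456", "letmein"]
BREACH_CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _BREACHED_PLAINTEXTS}


def find_reused_passwords(vault):
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def range_query(prefix):
    """Server side: given a 5-hex-char SHA-1 prefix, return every matching suffix.

    The server never learns the full hash, only which 1/16^5 bucket was asked for.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return sorted(h[5:] for h in BREACH_CORPUS if h.startswith(prefix))


def is_breached(password):
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)


def checkup(vault):
    """What a password-checkup feature reports: reused passwords and breached sites."""
    reused = find_reused_passwords(vault)
    breached = sorted(site for site, _u, pw in vault if is_breached(pw))
    return {"reused": reused, "breached": breached}


if __name__ == "__main__":
    print(checkup(VAULT))
```

The reuse check needs no network at all, and the breach check only ever sends a hash prefix, which is why a manager can run both against a cloud service without uploading the vault contents.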

> Personally, I use Bitwarden and 1Password, but I'm a software engineer. I would not expect my elderly family members to do the same, especially because both involve installing and maintaining browser extensions that can be finicky when Chrome updates.

I've used 1Password for several years now. A couple years after I started using it, I upgraded to the family plan and got my wife into it. Granted, she's not elderly, but she's not exactly confident about technology. I was able to get her pretty comfortable with it in about two weeks. Now, we can easily share credentials with each other for things like Netflix or certain accounts we've set up for our kids by just putting them in our shared vault.

I'm sure if I was trying to get my grandma to use it, she wouldn't get it, but in my experience 1Password at least is accessible to the non-techies among us.

I'd agree with this and in a bit more bitter sentiment, I don't understand why absolutely everything has to have an extremely low learning curve. If you can drive a car or bake some bread, you can take the literal 30 minutes it takes to learn how to use a (brilliantly designed, in my opinion) UI/UX tool like 1Password.

Just to add, my daughter has been using 1pw since she was 9. This is just how passwords are managed in my family now. This is the way.

I love Chrome's password manager but the flow is not good at all for iOS (because other dedicated password manager apps integrate with the OS).

Chrome on iOS integrated with the OS password system several years ago, it's just disabled by default and not easy to find the setting.

Chrome uses the host OS's cryptographic APIs (i.e. DPAPI on Windows). Which in turn relies usually on the user's PIN/password.

This is the main reason to avoid browser based password managers, just plug in a USB with portable Firefox and 'import' the passwords into Firefox, nothing will try to stop this.

If the user is logged into the PC, everything is available to extract, nothing is really preventing any extraction besides the Windows user account.

Chrome is also one of the most secure options. Google has a well deserved reputation for incredibly strong security.
This is false in some scenarios. Dumping browser credential vaults as well as extracting from active memory have both become de facto standard post-exploitation behaviors.

References are many:

https://kylemistele.medium.com/stealing-saved-browser-passwo...

https://isc.sans.edu/diary/Use+Your+Browser+Internal+Passwor...

https://www.cyberark.com/resources/threat-research-blog/extr...

https://www.bleepingcomputer.com/news/security/redline-malwa...

It's all a question of your threat model. The biggest threats I see for most users are:

1. Password reuse, where a relatively unimportant account (shopping site) getting cracked gives the attacker the same password you used for a critical account (email).

2. Phishing, where you enter your password on a fake login page.

3. Lost device, where someone finding it can easily impersonate you on any site you're logged into.

A password manager handles (1), and if it auto-fills reliably on websites (as Chrome's does) that handles (2) as well. For (3) you want disk encryption, which is now standard on phones and is an easy option on laptops as well.

After these, my next concern would be compromise of the cloud-based password backups. Here is where your parent's comment on Google's security is relevant: Google (disclosure: I used to work there) has an excellent security team and there are few companies I would trust more to keep cloud vaults secure.

The attacks your links are talking about start by assuming someone has full access to your computer. While putting some bumps in their way at this point is nice, I guess, there's nothing stopping them from keylogging their way past any password manager you choose.

Just want to note, Chrome's password manager solves (3) as well. The passwords are stored encrypted on disk.
The threat model where someone is able to run malware on your machine, but not run a keylogger to grab your master key for your password manager seems sorta absurd.

Yes, if someone installs malware on your machine (in your user account), they can grab the Chrome password vault. But in that case, 99% of the time they will be grabbing the password vault of other providers as well.

Also, note that the Chrome password vault is encrypted on disk.

What worries me about this is Google's history of happily nuking your Google account when you do something as simple and legal as a chargeback.

You won't just lose your email and bookmarks but all your passwords... Also it's a much bigger surface area target, and the auto syncing to new machines you sign into is a concern. I don't want passwords to be "accidentally synced" to any machine my family signs into. I want them to knowingly sync their passwords to them. Be MINDFUL of what they're doing. No thank you.

As the default administrator/CTO of the family I'd rather suggest Bitwarden and safer practices.

Are Chrome accounts separate from Google accounts generally, i.e. will the passwords go poof if your Gmail account gets banned for mysterious reasons?
Unsure, but it's incredibly stupid about certain passwords. 2 examples I've seen.

I use a portal for work, and enabled MFA. Every time I put my MFA PIN in, it tries to replace the stored password. If I let it, accidentally, there is no history of the old password.

2nd example. When I was looking for a job, lots of companies seem to use a similar job/HR portal (Workday) that has some variant of portal.company.com. Chrome thinks these are all the same, so to store the passwords I have to replace the old one, which loses it and again there is no history...
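The Workday complaint above and the phishing point earlier in the thread (autofill should only fire on the page where the password was saved) both come down to which key a manager stores a credential under. The Python below is an added example, not Chrome's or any manager's code; the tenant names, URLs and the `registrable_domain` helper (a crude last-two-labels stand-in for the Public Suffix List) are assumptions made for illustration. Keying on the full origin keeps two tenants on one hosted portal apart and offers nothing to a lookalike host or a plain-http downgrade; keying on the registrable domain makes the second save silently overwrite the first with no history, which is the behaviour the comment describes.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """(scheme, host, port) for a URL, with default ports filled in."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("unsupported URL: %r" % url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname.lower(), port)


def registrable_domain(host):
    """Crude eTLD+1: the last two labels of the host.

    Real managers consult the Public Suffix List; this simplification is
    enough to show the effect of keying credentials on the coarser value.
    """
    return ".".join(host.split(".")[-2:])


def store_key(url, policy):
    """Key under which a credential is saved: full origin or registrable domain."""
    origin = origin_of(url)
    return origin if policy == "origin" else registrable_domain(origin[1])


def save(store, url, username, password, policy):
    """Store a credential. With policy="domain" a second tenant on the same
    registrable domain overwrites the first and the old entry is gone."""
    store[store_key(url, policy)] = (username, password)


def lookup(store, url, policy):
    """Return the credential to offer on this page, or None."""
    return store.get(store_key(url, policy))


def simulate(policy):
    """Run both the save path and the autofill path under one keying policy."""
    store = {}
    # Constructed URLs: two tenants of one hosted HR portal, same registrable domain.
    save(store, "https://acme.portal.example.com/login", "alice", "pw-acme", policy)
    save(store, "https://globex.portal.example.com/login", "alice", "pw-globex", policy)
    return {
        "entries": len(store),
        "acme": lookup(store, "https://acme.portal.example.com/login", policy),
        "globex": lookup(store, "https://globex.portal.example.com/login", policy),
        # Lookalike host and plain-http downgrade: an origin-keyed manager offers nothing.
        "lookalike": lookup(store, "https://acme.portal.example.com.evil.test/login", policy),
        "downgrade": lookup(store, "http://acme.portal.example.com/login", policy),
    }


if __name__ == "__main__":
    print("origin :", simulate("origin"))
    print("domain :", simulate("domain"))
```

The origin policy is the one that gives you both properties at once: no credential leaks to a host that merely shares a parent domain, and no tenant's entry is lost when another tenant on the same service is saved.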

Then again, Google has an overwhelming window into everyone's private lives. Perhaps giving them passwords is adding fuel to the fire.