Should I allow browsers to remember my passwords and synchronize them?

To expand on what @d1str0 said: if the creator of your browser wanted to steal your passwords, it would be trivial to send them to a manufacturer-controlled server whenever you entered them - they wouldn't need to bother with the hassle of telling you about sync procedures, or offering to remember passwords. All browsers by default send a certain level of usage data back, usually crash reports and update checks, which could easily conceal password and username data.

However, if any browser was found to be doing this, there would be outcry against that manufacturer - look at the rage directed at Microsoft following the release of Windows 10 with the reporting back enabled there.

KeePass and Password Safe are both open source (so, given sufficient programming knowledge and a trusted compiler, you can be sure they're doing what they say they are, and nothing else - sufficient programming knowledge may well be a very high level though). In both cases, the encrypted password files should be safe to sync, even to third-party sources, as long as the safe password is not provided. Breaking AES (KeePass) or Twofish (Password Safe) without the appropriate key (the safe password) comes down, as far as we know, to brute force.

LastPass and 1Password both require you to trust the developers, and sync by default to a remote location. Theoretically, they are safe, but there wouldn't be any obvious way to detect a vulnerability in them relating to storage. If you're concerned about Chrome or Firefox stealing passwords, logically, the same arguments apply to these apps.

Personally, I use one of the cloud-based password services mentioned - I've considered the risks and benefits, balanced the amount of security I'm willing to accept against the ease of use of the service, and decided that for my use cases, it's acceptable. Your acceptable risk might well be different - if you consider AES vulnerable, for example, keeping a KeePass safe on an encrypted USB key which uses a different encryption algorithm might be a viable option, but uploading the file to a third-party service might be "too risky" for you.

It comes down to what you consider safe, having evaluated the options. Many security professionals have considered this problem though, and generally advise using password-safe-type software over allowing browsers to remember passwords, simply because browsers used to be terrible at it - they allowed access without a master password, and used poor encryption methods. Some of these issues have been addressed now, but old habits die hard!


If you were worried about Chrome or Firefox stealing your passwords, you wouldn't be using them as a web browser in the first place.

An application like KeePass or LastPass can keep your passwords encrypted with a master password.

If you don't use a master password, your web browser can decrypt your passwords at any time.

It's up to you what level of security you want.


In addition to the answers regarding password managers, there is a moment where you must allow for uncertainty.

To take the example of KeePass: in addition to trusting the people who review the code (or trusting yourself to have the knowledge to review it yourself), you also need to trust the provider of the binary (that it matches the advertised code). Or recompile it yourself and trust that the compiler is correct. And that the OS is trusted as well.

This is a lot of "trust", and there always comes a moment where your risk analysis declares that it is "good enough". This "good enough" is what you should look for, relative to other risks.

I am with @Matthew regarding the use of online password managers: you protect yourself against the most probable risk (a site is hacked, but you have unique and long passwords thanks to the password manager) versus the possibility that Google/the NSA/[put your favorite organisation here] is after you. If they are after you, they will have more efficient ways to get to your data.