- New Group Policy settings in Windows 11 23H2 - Mon, Nov 20 2023
- Windows Server 2025 will support SMB over QUIC in all editions - Fri, Nov 17 2023
- Switch between Windows Terminal and the legacy console - Thu, Nov 16 2023
Integrated password managers make a significant contribution to the usability of browsers. Today, they fulfill similar security requirements as standalone tools. They store passwords encrypted and allow the login data to be displayed only after the users enter their Windows password or pass biometric authentication.
All three browsers contribute to password security by monitoring password strength and warning against compromised or weak passwords.
Synchronization as an issue
In many companies, the argument against using this browser feature is that stored passwords can be synchronized to other potentially private devices.
If this is the primary concern with password managers, all three browsers reviewed here allow the deactivation of synchronization. The option to save passwords can still be retained.
Edge with the best password manager
Chrome offers relatively few settings for configuring the password manager, aside from deactivation. Microsoft Edge, on the other hand, provides numerous options.
These reflect the much broader range of functions offered by the Microsoft browser, which are on par with tools like KeePass or Bitwarden.
Like Firefox, Edge can automatically generate strong passwords and require users to authenticate before automatically filling out a login form. This is intended to prevent misuse of credentials if strangers gain physical access to the PC.
These upgraded features have prompted Microsoft to change the security baseline for Edge 114 and no longer recommend disabling the password manager. Following Microsoft's logic, one should disable the password manager in Chrome, as it offers only a few of these capabilities.
Another unique feature of Edge is that the password manager does not synchronize the stored credentials with the Microsoft browser on mobile devices, but instead with the Authenticator app.
This allows users to not only automatically access their credentials in Edge on mobile phones, but also in other browsers, such as Safari on the iPhone.
Google not only stores login credentials and autofills them in login forms, but also warns against the use of hacked and weak passwords. However, these are the only advanced features that Chrome's password manager has to offer.
The group policies for managing the password manager can be found under both the computer and user configurations. The path is Policies > Administrative Templates > Google > Google Chrome > Password Manager.
- Enable saving passwords to the password manager: By disabling this policy, the password manager is turned off.
While the Google browser also maintains a list of websites for which passwords should not be saved, this list can only be updated interactively, not through group policies.
Sensitive information can also fall into the wrong hands through the automatic autofill of addresses and credit card numbers. These features can be turned off in Google Chrome by disabling the following settings:
- Enable AutoFill for addresses
- Enable AutoFill for credit cards
There is also an option to disable synchronization:
- Disable synchronization of data with Google
Firefox offers some features that go beyond Chrome's capabilities. For example, users can generate strong passwords or protect stored login credentials with a master password.
The Mozilla browser provides several group policies related to password management. These exist in both the computer and user branches and can be found under Policies > Administrative Templates > Mozilla > Firefox.
There are two policies for disabling the password manager:
- Offer to save logins
- Offer to save logins (default)
Only the first of the two policies is binding, while the second allows users to reenable the password manager in the settings.
Firefox can block users from saving passwords for specific (critical) websites. For example, all internal applications could be added to this blacklist while allowing the password manager for other sites. The corresponding policy for this is:
- Password Manager Exceptions
The Password Manager policy only hides it from the GUI settings when disabled.
Syncing can be blocked by disabling Firefox accounts:
- Disable Firefox accounts
Currently, no setting is available to prevent the automatic autofill of credit card information.
The Microsoft browser provides group policies for all the password manager features described above, allowing you to disable or customize them.
These policies can be found under Policies > Administrative Templates > Microsoft Edge > Password manager and protection.
To deactivate the whole feature, you need to disable this setting:
- Enable saving passwords to the password manager
There is also an option to prevent saving passwords for certain websites, so you don't have to disable the entire password manager just because of security concerns with a few critical applications:
- Configure the list of domains for which the password manager UI (Save and Fill) will be disabled
In addition, you can specify URLs for internal websites where passwords should be further protected using salted hashes:
- Configure the list of enterprise login URLs where the password protection service should capture the salted hashes of a password
You can also block synchronization with other devices via the cloud:
- Disable synchronization of data using Microsoft sync services
This setting can be found directly in the Edge folder.
Lastly, you can also prevent the automatic filling of credit card information:
- Enable AutoFill for payment instruments
The password managers that are integrated into the market-leading web browsers enhance user convenience but can be perceived as security risks in certain environments. Therefore, Chrome, Edge, and Firefox provide group policies to disable this feature.
Instead of taking this drastic measure, there is the option to disable only the password managers' problematic features. These include synchronization and storing credentials of sensitive web applications. The latter, however, can only be prevented in Edge and Firefox.
Subscribe to 4sysops newsletter!
A properly configured password manager can enhance security because all three products warn against using weak or compromised passwords. They also prevent users from jotting down credentials on paper or storing them in an insecure manner, such as in a text file.