-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature Request] Master password for Brave desktop versions #13350
Comments
also with a fingerprint login would be great |
I currently use Bitwarden as my password management solution and it has everything we need here. Not to distract from Brave getting the same features, I feel like Bitwarden is a great model to look at. |
yes please |
I'm in the middle of moving my password management to Brave and this feature would be important for me to go all-in. Basically, if I'm going to have Brave fill in a bank or other financial password, I'd like to be asked for a master password first (similar to LastPass). |
I want a master Password too. This is an important feature to add as you want your customer to see how you value their most sensitive information! |
Agreed.. I am using BB for my desktops at home and at servers on my projects for syncing some data. |
I want a master Password too. This is an important feature to add as you want your customer to see how you value their most sensitive information! |
Would be a great feature. |
plz include master password for brave browser |
As Francois mentioned in the community discussion (#73627), Chromium might expect to have access to the password database all the time, but simply adding a master password when Brave starts shouldn't have too many side-effects like that? Then as long as I close the browser, I know my passwords are secure. That is how I use it on Chrome, and it works pretty well, I think. I do wonder about malicious extensions being able to get to it after the master password is typed in, but I'll try to not install any... :) |
As others have stated, this is the "killer feature" for me that prevents me from using the browser as my primary. It would be good to take this a step further than firefox and have an "aggressive" setting for this that forced me to enter the password on each instance of login to a site (rather than just at browser startup). |
Edge (chromium) has just added master password on their beta channel. They already had an indirect master password feature, where the user is asked to input his Windows password as master password (opt-in). Microsoft integrated Edge with Windows security and both of them used the same password. But, now they added a dedicated master password for their in-built password manager. https://invidious.kavin.rocks/watch?v=G6zGupsRwNQ&nojs=1 The video from Microsoft lists their previous features (which are pretty good). Firefox also has a really great password manager along with their Firefox Monitor (which gets its data from Have I Been Pwned). Brave is way behind in this important department; as regular users normally use the in-built browser's password manager rather than a dedicated password manager like Bitwarden, 1password, LastPass etc (usually they do not know that such products exist). |
Though Bitwarden, 1password is a very alternate solution as of now, but now-a-days we create multiple profiles everyday in different websites majority of them could be junk or one time use. So having a built-in safety in the browser helps a lot. Also with Brave Sync option the browser data is shared in my Andorid phones, Windows PC and Ubuntu Laptop. We can secure the android app with fingerprint. But the saved password remains vulnerable in PC/Linux systems. Hence Master Password / Primary Password is very much needed with the Brave. |
I recently switched fully from Firefox to Brave. Now I found out that this essential and necessary feature is missing. Guess it was a mistake to change. It should have been possible to implement this feature within the last year as this issue is already old. @fmarier you closed issue #20794 but still haven't replied here. What is your opinion on this topic as Security engineer at Brave? |
Until such a facility is available in Brave, we recommend that users wanting this functionality install a third-party password manager since most of them come with such a thing. |
Hello @fmarier, I'm worried there is a misunderstanding about the functionality of the master password in Firefox. Furthermore I want to be able to only enable the Brave access via an password as additional security layer to the regular OS account login. Your suggested third-party-password manager doesn't have anything to do with the stated use cases. Please clarify |
Password managers also encrypt your passwords the same way firefox master password does.
Meaning you want something like applock. A password (PIN) needs to be inputed for the browser to open and function? Considering that brave deals with cryptocurrency via widgets directly (uphold, gemini, binance, ftx widget) it will be appropriate for the browser to have an app-lock functionality. I would suggest for others to use a paasword manager instead of brave browser password management currently due specific password manager benefits over brave one's, like encryption, random password generation, api check via haveibeenpwned, random username generation etc. I ask (request) brave team to focus resources on this important feature compared to something other things like sidebar or UI change. Proper password management is an important feature from privacy/security side and brave should focus a lot more compared to above other things since it is a 'privacy browser'. |
I never intended just passwords. Browser collect plenty of information (cookies, storage, history, bookmarks, etc) which should be protected at rest. I want all of the information the browser collects safe from access. A password manager has nothing to do with that. I don't store my passwords in a browser at all. |
That does depend on what you mean by "rest". It's a little bit like data is encrypted at rest on a hard drive. It's encrypted when the computer is off, but it's not encrypted when the computer is on and you're logged in and it's also typically not encrypted when the computer is suspended. In the case of Brave, it's encrypted at rest when "rest" is defined as "you're not logged in". We use the OS keychain / keyring to automatically encrypt/decrypt passwords, cookies, etc. based on a key that is unlocked when you login. If you want another layer of encryption, i.e. you want the browser to "rest" more often than that, then you need something else:
If you want #1 now, then you can use a password manager. If you want #2 now, then you'd need to put your browser profile directory on an encrypted drive. On Linux for example, you can use the Both #1 and #2 increase the amount of time that the browser is "resting" for the purpose of not having the data be decrypted. They are definitely both valuable and it would be great to have them integrated in Brave, but I can't give you a timeline for this since these are not quick fixes. |
I got confused for a bit. There are two cases here, I wrote about the Edge browser password management thinking the issue was for the First case, my fault, I should have read the issue properly. So, two separate issues should be created, as these feature requests are quite different from one another. |
Yeah |
@Egon099 I believe that right now it's not completely possibile, at last on windows, because there are some parts of the profile tied to the windows installation. |
@424344 |
I feel brave on desktop manager need to have a master password for accessing to pass list (view/edit/delete) would be a great feature |
Based on some of the comments above, it seems as though the built-in pw manager in chrome/brave may never be a very workable solution. I like 3rd party solutions such as bitwarden, but dislike them integrated as a plugin. Maybe a better solution would be for brave to build a better pw manager as a native solution and outright ditch the current pw manager. Maybe something similar to the built-in crypto wallet. For me, this would mean 1 less browser plugin and 1 less app on my phone. |
Since the passwords are encrypted at rest, instead of using a random seed to derive the password why not combine the random seed with a user provided password in an opt-in feature and lock the password vault every X time? |
This needs to be standard in chrome and every browser. However, I see it as a way for Brave to lead the way. As a Cyber Sec. Engineer in training I keep my eyes on threats and we have a new type of Malware that steals passwords from browsers and gather passwords, credit cards, other autofill data, computer configuration and software info, 2FA data and backup codes, and a lot more and send it back as a compressed file. One example of this is called Erbium and showed up July 2022. There is a response of someone here who was hacked by a version of this so it is relevant to the community. Please search these terms " Erbium Stealer Malware Report Executive Summary " by Cyfirma only if you can’t find it then use the url below. Remember not to click links online; instead find the organization independently through trusted channels when possible. Though I think this is important enough that people need to know URL: https://www.cyfirma.com/outofband/erbium-stealer-malware-report/ |
+1 for master password |
+1 for master password! |
+1 for master password! Just like the IOS version of the app! :) Also implement it where on MacBook we can use touchID to enter it! |
Absolute must-have ! |
Yea it will be a great addition. |
Hi, I agree with a general password AND internal encryption of user/password(s), which is only the most basic of security and privacy. However seeing that the OP date backs to 2020-12-31 and that absolutely nothing has been done since, my contention is it is probably a 3 letters agency (gag or not) order… One thing is therefore absolutely sure, Brave is not developed with security and privacy of its users as first goals. This is weird and worse, unprofessional, so I go back to Firefox, which is far from being perfect but at least doesn't take it's users for negligible quantity. |
Yes, +1! |
as long as this feature is not added will not use brave. thanks for the amazing work team. |
Any news on this feature ? |
best Privacy Browser but there is no master password. 😉 |
would love to see an update on this |
Moved to firefox until this feature rolls out on Brave, I think this is very important. |
Maybe this issue should be pinned @Brave-Matt so it is clear that this aspect of security is not the priority at the moment but other features. |
I still think it'll be a great addition. By the way, for those commenting here, I recommend considering a password manager like Bitwarden (which can be self-hosted) or my current choice, EDIT: I'm not saying Brave shouldn't add this feature. In fact, most users will likely stick with the default option, so it's essential to make it as secure as possible. |
I need this, please |
I would like this option |
I would like it |
Just came from Firefox 10 minutes ago, and will likely go back given the lack of this feature. |
cc: @rebron for priority triage |
As discussed in Brave community (73627 and 127332), I would like to request a master password feature for the desktop versions (similar to Firefox).
Master password is a very important feature for a privacy focused browser, and it is very important to separate it from the operating system password as it can be hacked easily if the OS disk is not encrypted which is the case for most users.
This is also an important factor in protection of the saved information (such as payment methods and passwords) as well as the accounts that are logged and remembered by sites.
I can see that this feature exists in iOS (although it is limited to a 6 digits passcode) so it is only makes sense to add it to the desktop versions as well (but with the ability to use a much more complicated password).
The text was updated successfully, but these errors were encountered: