I’m guessing you practice relatively secure computing, meaning you don’t download suspicious stuff, keep your system updated, etc. But that’s not true security, you could always run into a browser vulnerability on a random website.
Also, there’s no guarantee that you haven’t been hacked, all we know is that you haven’t noticed your private information being used. Usually what happens is attackers get a bunch of data then sell it on the black market. Buyers of that data will probably only use a subset of that data, so your data could be sold, just not used. You can check if your passwords have been leaked by examining data sets of leaked latest ([e.g. Have I Been Owned; I recommend not actually sending important info here).
There are two routes to go here:
Use proper security - high quality password manager, self-host your data (Bitwarden allows this)
Reduce the impact of a breach (don’t use debit cards online, monitor credit card statements, etc)
The second is probably sufficient for most people though.
One important thing to note is that the main reason to go with a password manager is to have really secure passwords that are unique for each site. That way if one service gets breached, attackers can’t just use the same credentials on other sites. Browser password managers don’t do that, so you’re opening yourself up to that if you’re not careful in constructing good, unique passwords. I have >100 accounts, each with their own password, and that just wouldn’t be feasible without a password manager.
And honestly, that’s the 80% of the 80/20 trade-off for security vs practicality. If you use a different password for each site, you’re protected from the most common attacks (password dumps). The rest of the measures you could take are just optimizations on the last 20%.
If you have a solid backup plan for if you get hacked (e.g. only use credit online), you’re probably fine. Most likely, you’re not going to get your browser password manager scraped, because that means you need to both get malware, and get the type of malware that knows how to scrape browser password manager data. If it’s protected by a master password, it’s incredibly unlikely you’ll get hacked unless it’s a targeted attack.
But if you want to go the extra mile, you can close a lot of that 20% with a few extra measures. It’s up to you how far you choose to go.
I’m guessing you practice relatively secure computing, meaning you don’t download suspicious stuff, keep your system updated, etc. But that’s not true security, you could always run into a browser vulnerability on a random website.
Also, there’s no guarantee that you haven’t been hacked, all we know is that you haven’t noticed your private information being used. Usually what happens is attackers get a bunch of data then sell it on the black market. Buyers of that data will probably only use a subset of that data, so your data could be sold, just not used. You can check if your passwords have been leaked by examining data sets of leaked latest ([e.g. Have I Been Owned; I recommend not actually sending important info here).
There are two routes to go here:
The second is probably sufficient for most people though.
One important thing to note is that the main reason to go with a password manager is to have really secure passwords that are unique for each site. That way if one service gets breached, attackers can’t just use the same credentials on other sites. Browser password managers don’t do that, so you’re opening yourself up to that if you’re not careful in constructing good, unique passwords. I have >100 accounts, each with their own password, and that just wouldn’t be feasible without a password manager.
I was with you right up until the unique passwords. I do use a different randomly generated password for each site.
And honestly, that’s the 80% of the 80/20 trade-off for security vs practicality. If you use a different password for each site, you’re protected from the most common attacks (password dumps). The rest of the measures you could take are just optimizations on the last 20%.
If you have a solid backup plan for if you get hacked (e.g. only use credit online), you’re probably fine. Most likely, you’re not going to get your browser password manager scraped, because that means you need to both get malware, and get the type of malware that knows how to scrape browser password manager data. If it’s protected by a master password, it’s incredibly unlikely you’ll get hacked unless it’s a targeted attack.
But if you want to go the extra mile, you can close a lot of that 20% with a few extra measures. It’s up to you how far you choose to go.
That all sounds good to me. Good clarification.