brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

[Feature Request] Master password for Brave desktop versions #13350

Open roeizavida opened 3 years ago

roeizavida commented 3 years ago

As discussed in Brave community (73627 and 127332), I would like to request a master password feature for the desktop versions (similar to Firefox).

Master password is a very important feature for a privacy focused browser, and it is very important to separate it from the operating system password as it can be hacked easily if the OS disk is not encrypted which is the case for most users. This is also an important factor in protection of the saved information (such as payment methods and passwords) as well as the accounts that are logged and remembered by sites.

I can see that this feature exists in iOS (although it is limited to a 6-digit passcode), so it only makes sense to add it to the desktop versions as well (but with the ability to use a much more complicated password).

LorisTecnology commented 3 years ago

also with a fingerprint login would be great

trev-dev commented 3 years ago

I currently use Bitwarden as my password management solution and it has everything we need here. Not to distract from Brave getting the same features, I feel like Bitwarden is a great model to look at.

https://github.com/bitwarden

Brave-Matt commented 3 years ago

+1 from Community: https://community.brave.com/t/braves-login-pw-functionality-is-really-not-working-for-us-and-free-is-not-working-for-us/253396/5

KamilSJaron commented 3 years ago

yes please

doodaddy64 commented 3 years ago

I'm in the middle of moving my password management to Brave and this feature would be important for me to go all-in. Basically, if I'm going to have Brave fill in a bank or other financial password, I'd like to be asked for a master password first (similar to LastPass).

snakysnake commented 2 years ago

I want a master Password too. This is an important feature to add as you want your customer to see how you value their most sensitive information!

zv09 commented 2 years ago

Agreed. I am using BB on my desktops at home and on servers for my projects, for syncing some data. Other admins can get access to the admin console and get inside my Brave browser settings and data. A master password to lock the entire profile, or the browser altogether, is a critically necessary feature that must come as soon as possible, even more so if crypto features are being developed inside BB...

karimalishamsi commented 2 years ago

I want a master Password too. This is an important feature to add as you want your customer to see how you value their most sensitive information!

REVENTOR-EU commented 2 years ago

Would be a great feature.

mazispider commented 2 years ago

plz include master password for brave browser

jondaley commented 2 years ago

As Francois mentioned in the community discussion (#73627), Chromium might expect to have access to the password database all the time, but simply adding a master password when Brave starts shouldn't have too many side-effects like that? Then as long as I close the browser, I know my passwords are secure.

That is how I use it on Chrome, and it works pretty well, I think. I do wonder about malicious extensions being able to get to it after the master password is typed in, but I'll try to not install any... :)

dspinhirne commented 2 years ago

As others have stated, this is the "killer feature" for me that prevents me from using the browser as my primary. It would be good to take this a step further than firefox and have an "aggressive" setting for this that forced me to enter the password on each instance of login to a site (rather than just at browser startup).

m77e4t commented 2 years ago

Edge (chromium) has just added master password on their beta channel.

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnote-beta-channel#version-89077418-february-3
https://www.ghacks.net/2022/02/25/microsoft-edge-100-primary-password-support-and-pdf-thumbnail-view/
https://www.windowscentral.com/microsoft-edge-beta-testing-out-feature-improve-browser-security

They already had an indirect master password feature, where the user is asked to input his Windows password as master password (opt-in). Microsoft integrated Edge with Windows security and both of them used the same password. But, now they added a dedicated master password for their in-built password manager.

https://invidious.kavin.rocks/watch?v=G6zGupsRwNQ&nojs=1 The video from Microsoft lists their previous features (which are pretty good). Firefox also has a really great password manager along with their Firefox Monitor (which gets its data from Have I Been Pwned).

Brave is way behind in this important department; as regular users normally use the in-built browser's password manager rather than a dedicated password manager like Bitwarden, 1password, LastPass etc (usually they do not know that such products exist).

Kunalgroy commented 2 years ago

Though Bitwarden or 1Password is an alternative solution as of now, nowadays we create multiple profiles every day on different websites, the majority of which could be junk or one-time use. So having built-in safety in the browser helps a lot. Also, with the Brave Sync option the browser data is shared across my Android phones, Windows PC and Ubuntu laptop. We can secure the Android app with a fingerprint, but the saved passwords remain vulnerable on PC/Linux systems. Hence a Master Password / Primary Password is very much needed in Brave.

B1773rm4n commented 2 years ago

I recently switched fully from Firefox to Brave. Now I found out that this essential and necessary feature is missing. Guess it was a mistake to change. It should have been possible to implement this feature within the last year as this issue is already old.

@fmarier you closed issue https://github.com/brave/brave-browser/issues/20794 but still haven't replied here. What is your opinion on this topic as Security engineer at Brave?

fmarier commented 2 years ago

> What is your opinion on this topic as Security engineer at Brave?

It would be a great feature to have. It's not a quick one however because there are lots of technical implications and corner cases to not having the password manager be available at all times and there are important user experience considerations as well.

Until such a facility is available in Brave, we recommend that users wanting this functionality install a third-party password manager since most of them come with such a thing.

B1773rm4n commented 2 years ago

Hello @fmarier,

I'm worried there is a misunderstanding about the functionality of the master password in Firefox. For me the primary concern is that the browser data is encrypted at rest. This is done in Firefox via the master password. How does Brave provide encryption at rest for the userdata?

Furthermore, I want to be able to enable access to Brave only via a password, as an additional security layer on top of the regular OS account login.

Your suggested third-party password manager doesn't have anything to do with the stated use cases. Please clarify.

m77e4t commented 2 years ago

> Your suggested third-party-password manager doesn't have anything to do with the stated use cases. Please clarify

Password managers also encrypt your passwords the same way firefox master password does. I would say that it does a far better job than the firefox master password encryption.

> Furthermore I want to be able to only enable the Brave access via an password as additional security layer to the regular OS account login.

Meaning you want something like an app lock: a password (PIN) needs to be entered for the browser to open and function? I too ask for this specific feature. A lot of applications, specifically on Android, have a built-in PIN entry to open, like banking apps and privacy-focused email clients.

Considering that Brave deals with cryptocurrency via widgets directly (Uphold, Gemini, Binance, FTX widget), it would be appropriate for the browser to have app-lock functionality. A lot of important data currently resides in any browser, but specifically in Brave, as it deals with cryptocurrencies directly. As Brave is a privacy-focused browser, it would be appropriate for it to have an app lock.

I would suggest that others use a password manager instead of Brave's password management for now, due to specific benefits password managers have over Brave's, like encryption, random password generation, API checks via haveibeenpwned, random username generation etc.

I ask (request) the Brave team to focus resources on this important feature rather than on other things like the sidebar or UI changes. Proper password management is an important feature from the privacy/security side, and Brave should focus on it a lot more than on the other things above, since it is a 'privacy browser'.

B1773rm4n commented 2 years ago

> Password managers also encrypt your passwords the same way firefox master password does. I would say that it does a far better job than the firefox master password encryption.

I never meant just passwords. Browsers collect plenty of information (cookies, storage, history, bookmarks, etc.) which should be protected at rest. I want all of the information the browser collects safe from access. A password manager has nothing to do with that. I don't store my passwords in a browser at all.

fmarier commented 2 years ago

> How does Brave provide encryption at rest for the userdata?

That does depend on what you mean by "rest". It's a little bit like data is encrypted at rest on a hard drive. It's encrypted when the computer is off, but it's not encrypted when the computer is on and you're logged in and it's also typically not encrypted when the computer is suspended.

In the case of Brave, it's encrypted at rest when "rest" is defined as "you're not logged in". We use the OS keychain / keyring to automatically encrypt/decrypt passwords, cookies, etc. based on a key that is unlocked when you login.

If you want another layer of encryption, i.e. you want the browser to "rest" more often than that, then you need something else:

  1. Third-party password managers will typically lock (i.e. it's no longer decrypted in memory) the password database after a few minutes of inactivity, even when the browser is still running.
  2. Firefox will unlock the password manager, cookie store, etc. at browser startup if you configure a master password. Then it will keep it unlocked until you close the browser IIRC.

If you want #1 now, then you can use a password manager. If you want #2 now, then you'd need to put your browser profile directory on an encrypted drive. On Linux for example, you can use the cryptmount command. I'm sure there are equivalents on Mac and Windows.

Both #1 and #2 increase the amount of time that the browser is "resting" for the purpose of not having the data be decrypted. They are definitely both valuable and it would be great to have them integrated in Brave, but I can't give you a timeline for this since these are not quick fixes.

m77e4t commented 2 years ago

I got confused for a bit. There are two cases here, i.) Master Password for the in-built password manager and ii.) Master Password for the entire brave browser.

I wrote about the Edge browser password management thinking the issue was for the First case, my fault, I should have read the issue properly.

So, two separate issues should be created, as these feature requests are quite different from one another.

Egon099 commented 1 year ago

Yeah, I would like the profile to be encrypted so that opening it asks for the password. So even if someone else uses the computer they can't use my profile or see my data. The entire profile, including bookmarks and history and so on. Would be nice at work, for example, since several people use the same computer.

lazymonkey2 commented 1 year ago

@Egon099 yes. In addition I'd like to copy the profile to a different computer, enter the password and be able to use it. This way I could make a backup by simply copying the profile to a backup disk.

I believe that right now it's not completely possible, at least on Windows, because there are some parts of the profile tied to the Windows installation.

Egon099 commented 1 year ago

@424344 It doesn't technically have to be the entire profile. Just the data like cache, bookmarks, cookies, history, etc. The profile name and settings themselves don't specifically have to be encrypted, I guess.

Malachiel87 commented 1 year ago

I feel the Brave desktop password manager needs to have a master password for accessing the password list (view/edit/delete). It would be a great feature.

dspinhirne commented 1 year ago

Based on some of the comments above, it seems as though the built-in pw manager in chrome/brave may never be a very workable solution. I like 3rd party solutions such as bitwarden, but dislike them integrated as a plugin. Maybe a better solution would be for brave to build a better pw manager as a native solution and outright ditch the current pw manager. Maybe something similar to the built-in crypto wallet. For me, this would mean 1 less browser plugin and 1 less app on my phone.

tur11ng commented 1 year ago

Since the passwords are encrypted at rest, instead of using a random seed to derive the password why not combine the random seed with a user provided password in an opt-in feature and lock the password vault every X time?
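
The opt-in scheme suggested in the comment above, sketched as an added example (not Brave's or Chromium's code): a vault key derived from both an OS-keychain-held seed and a user password, dropped again after an idle timeout. The names `Vault` and `derive_vault_key`, the PBKDF2 parameters and the HMAC combiner are assumptions made for illustration; `os_seed` stands in for the keychain secret described earlier in the thread.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def derive_vault_key(os_seed, password, salt, iterations=ITERATIONS):
    """Key that needs BOTH the keychain-held seed and the user's password."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.new(os_seed, stretched, hashlib.sha256).digest()


def _check_value(key):
    # Stored beside the vault so a wrong password is rejected without decrypting.
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


class Vault:
    def __init__(self, os_seed, password, idle_timeout=300,
                 clock=time.monotonic, iterations=ITERATIONS):
        self._seed, self._salt = os_seed, os.urandom(16)
        self._iterations, self._timeout, self._clock = iterations, idle_timeout, clock
        self._check = _check_value(self._derive(password))
        self._key, self._last_used = None, 0.0  # starts locked

    def _derive(self, password):
        return derive_vault_key(self._seed, password, self._salt, self._iterations)

    def unlock(self, password):
        key = self._derive(password)
        if not hmac.compare_digest(_check_value(key), self._check):
            return False
        self._key, self._last_used = key, self._clock()
        return True

    def key(self):
        """Return the key for an AEAD cipher, or None once idle for too long."""
        if self._key is not None:
            if self._clock() - self._last_used >= self._timeout:
                self._key = None  # best effort: Python cannot wipe the old bytes
            else:
                self._last_used = self._clock()
        return self._key
```

With this construction, a process that can read the keychain seed under the logged-in OS account still cannot rebuild the vault key without the password, and the key is only held in memory between an unlock and the idle timeout.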

CyberKenneth commented 1 year ago

This needs to be standard in Chrome and every browser. However, I see it as a way for Brave to lead the way. As a Cyber Sec. Engineer in training I keep my eyes on threats, and we have a new type of malware that steals from browsers: it gathers passwords, credit cards, other autofill data, computer configuration and software info, 2FA data and backup codes, and a lot more, and sends it back as a compressed file.

One example of this is called Erbium and showed up July 2022. There is a response of someone here who was hacked by a version of this so it is relevant to the community.

Please search these terms " Erbium Stealer Malware Report Executive Summary " by Cyfirma only if you can’t find it then use the url below. Remember not to click links online; instead find the organization independently through trusted channels when possible. Though I think this is important enough that people need to know URL: https://www.cyfirma.com/outofband/erbium-stealer-malware-report/

kasparpalgi commented 1 year ago

+1 for master password

alexbeewise commented 1 year ago

+1 for master password!

TheWitchySarz commented 1 year ago

+1 for master password! Just like the iOS version of the app! :) Also implement it so that on MacBook we can use Touch ID to enter it!

Lab5-Switzerland commented 1 year ago

Absolute must-have ! Doesn't have to be perfect for starters, since: Everything is better than nothing !

vimfn commented 1 year ago

Yea it will be a great addition.

JiffB commented 1 year ago

Hi, I agree with a general password AND internal encryption of user/password(s), which is only the most basic of security and privacy.

However, seeing that the OP dates back to 2020-12-31 and that absolutely nothing has been done since, my contention is that it is probably a three-letter agency (gag or not) order… One thing is therefore absolutely sure: Brave is not developed with the security and privacy of its users as first goals.

This is weird and, worse, unprofessional, so I go back to Firefox, which is far from being perfect but at least doesn't take its users for a negligible quantity.

symonxdd commented 10 months ago

Yes, +1!

sinanisler commented 9 months ago

As long as this feature is not added, I will not use Brave.

thanks for the amazing work team.

AkechiShiro commented 8 months ago

Any news on this feature ?

sinanisler commented 8 months ago

best Privacy Browser but there is no master password. 😉

brookssw commented 4 months ago

would love to see an update on this

AkechiShiro commented 4 months ago

Moved to firefox until this feature rolls out on Brave, I think this is very important.

AkechiShiro commented 4 months ago

Maybe this issue should be pinned @Brave-Matt so it is clear that this aspect of security is not the priority at the moment but other features.

vimfn commented 1 month ago

> Yea it will be a great addition.

I still think it'll be a great addition. By the way, for those commenting here, I recommend considering a password manager like Bitwarden (which can be self-hosted) or my current choice, pass. You can also explore other options that you think might be better. There are extensions and ways to make it as seamless as possible. This approach is far more secure than relying on a browser to manage your passwords.

EDIT: I'm not saying Brave shouldn't add this feature. In fact, most users will likely stick with the default option, so it's essential to make it as secure as possible.

imgustavo commented 11 hours ago

I need this, please