From a client:
I understand the reasons why you recommend the use of password managers. I’m not sure that we’re going to have widespread adoption. As we discussed, my people know how to do their jobs, and things that get in the way of that or that slow things down tend to get ignored. It’s an incentive thing, of course, so I’m wondering if there is a middle ground we can strike? <Browser> has a built-in password manager. Would it be OK for folks to use it instead of Keepass or any of the other options?
A lot of experts in this field would say “no,” but I’m going to go out on a limb and say that none of them are running a multi-million dollar manufacturing operation that does business domestically and overseas, and supports a workforce that is…not technically sophisticated and incented to produce, not produce securely.
If the use of a browser’s built-in password management capability will drive the use of strong(er) passwords, reduce if not eliminate account/credential sharing, and reduce password reuse, I’m going to give it the thumbs up. No, I don’t know how rigorous an effort has been made to secure that capability, but the alternative is basically all the bad password practices and we know how that story ends.
Success in security is like football: measured in inches. A “better” solution used vice “a markedly better solution” ignored? I’ll take that inch.