Just a simple question: are passwords stored in plain text in the Brave password manager? Is it any less safe storing my passwords in Brave than keepass (external to the browser) for example? Are passwords more vulnerable to attacks if they are stored in the browser? I’m only asking about the security aspect, and am not interested in the extra features offered by password managers.
I think passwords are viewable in plain text at brave://settings/passwords but are stored encrypted. Brave decrypts the passwords when you are using the browser. There is a Brave GitHub issue report relating to implementing master passwords for Brave that has some interesting information about password encryption that you might want to look at.
I think this comment might help answer your question:
How does Brave provide encryption at rest for the userdata?
That does depend on what you mean by “rest”. It’s a little bit like how data is encrypted at rest on a hard drive. It’s encrypted when the computer is off, but it’s not encrypted when the computer is on and you’re logged in, and it’s also typically not encrypted when the computer is suspended.
In the case of Brave, it’s encrypted at rest when “rest” is defined as “you’re not logged in”. We use the OS keychain / keyring to automatically encrypt/decrypt passwords, cookies, etc. based on a key that is unlocked when you login.
If you want another layer of encryption, i.e. you want the browser to “rest” more often than that, then you need something else:
1. Third-party password managers will typically lock (i.e. it’s no longer decrypted in memory) the password database after a few minutes of inactivity, even when the browser is still running.
2. Firefox will unlock the password manager, cookie store, etc. at browser startup if you configure a master password. Then it will keep it unlocked until you close the browser IIRC.
If you want #1 now, then you can use a password manager. If you want #2 now, then you’d need to put your browser profile directory on an encrypted drive. On Linux for example, you can use the cryptmount command. I’m sure there are equivalents on Mac and Windows.
Both #1 and #2 increase the amount of time that the browser is “resting” for the purpose of not having the data be decrypted. They are definitely both valuable and it would be great to have them integrated in Brave, but I can’t give you a timeline for this since these are not quick fixes.
The post below is from a topic related to master password implementation. It addresses challenges to enabling the password database “to be encrypted at all times”:
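As an added illustration of the “resting time” argument in the GitHub comment quoted above (this is not Brave’s code and not part of the thread): a small Python model that, for a constructed timeline of OS login, browser use and logout events, counts how many minutes the stored secrets are decryptable under the three schemes discussed. The event names, the one-minute sampling and the 5-minute idle timeout are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: int      # minutes since the start of the timeline
    kind: str   # "login", "logout", "browser_start", "browser_close", "activity"

def decryptable_minutes(events, scheme, idle_timeout=5):
    """Minutes during which the secret store is decryptable (key held in memory).

    scheme:
      "os_keychain" - Brave today: unlocked from OS login until OS logout
      "master_pw"   - Firefox-style master password: unlocked while the browser runs
      "autolock"    - third-party manager: re-locked after idle_timeout minutes
    Browser start counts as activity; logout also closes the browser.
    """
    events = sorted(events, key=lambda e: e.t)
    end = events[-1].t
    logged_in = browser_open = False
    last_activity = None
    total, idx = 0, 0
    for t in range(end):                       # sample the state once per minute
        while idx < len(events) and events[idx].t <= t:
            ev = events[idx]
            idx += 1
            if ev.kind == "login":
                logged_in = True
            elif ev.kind == "logout":
                logged_in = browser_open = False
            elif ev.kind == "browser_start":
                browser_open, last_activity = True, ev.t
            elif ev.kind == "browser_close":
                browser_open = False
            elif ev.kind == "activity":
                last_activity = ev.t
        if scheme == "os_keychain":
            unlocked = logged_in
        elif scheme == "master_pw":
            unlocked = logged_in and browser_open
        elif scheme == "autolock":
            unlocked = (logged_in and browser_open and last_activity is not None
                        and t - last_activity < idle_timeout)
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
        total += int(unlocked)
    return total

# Constructed sample day: login, a 30-minute browser session with two bursts of use, logout.
TIMELINE = [Event(0, "login"), Event(10, "browser_start"), Event(12, "activity"),
            Event(30, "activity"), Event(40, "browser_close"), Event(60, "logout")]

if __name__ == "__main__":
    for scheme in ("os_keychain", "master_pw", "autolock"):
        print(scheme, decryptable_minutes(TIMELINE, scheme))   # 60, 30, 12
```

The numbers make the comment’s point concrete: the OS-keychain scheme leaves the store decryptable for the whole login session, a master password narrows that to the browser’s lifetime, and an idle auto-lock narrows it further to the minutes around actual use.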