
Our security just sent around an email that they're disabling Google Chrome's password manager.

While I understand not wanting those passwords in Google's hands, the reality is that they do have the $$$ for security.

But instead of being able to leverage that functionality and the Generate Password functionality, we now have to resort back to name_of_application_my_name or something like that.

Do not ban things just because they have an issue. Provide a better alternative.




Disabling a password manager that's built into a browser? That's simply madness. What do they expect people to use? Their brain to remember all their passwords rather than a password manager? And rely on their brain to know they are on a site whose domain doesn't match the domain in the password manager despite looking very similar?

Also this has nothing to do with passwords in Google's hands. They could turn off syncing in Chrome and have a completely local password manager. I personally do exactly that.

Your org will suffer many data breaches due to this policy.
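The lookalike-domain point in the comment above, as an added illustration that is not part of the thread: a password manager keys saved credentials by the exact origin and simply offers nothing on a domain that merely looks similar. The vault contents and URLs are constructed, and real managers add affiliation rules (public-suffix grouping, linked apps) that this simplified lookup omits.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample vault: credentials are stored under the exact origin
# (scheme + host + non-default port) on which they were first saved.
VAULT = {
    "https://login.example.com": ("alice", "correct horse battery staple"),
}


def origin_of(url: str) -> Optional[str]:
    """Return the normalised origin of a URL, or None if it is not an
    https origin the vault would ever fill on (plain http never matches)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()  # hostname strips any user@ prefix
    if parts.port and parts.port != 443:
        return f"https://{host}:{parts.port}"
    return f"https://{host}"


def credentials_for(url: str) -> Optional[Tuple[str, str]]:
    """Autofill decision: only an exact origin match yields a credential.
    A human comparing domains by eye has no such guarantee."""
    origin = origin_of(url)
    return VAULT.get(origin) if origin else None


def fill_report(urls):
    """Return [(url, filled?)] so the mismatches are easy to inspect."""
    return [(u, credentials_for(u) is not None) for u in urls]


if __name__ == "__main__":
    # Constructed URLs: one legitimate page and several lookalikes.
    for url, filled in fill_report([
        "https://login.example.com/session?next=/",
        "https://LOGIN.Example.com:443/",
        "https://login-example.com/",              # hyphen instead of dot
        "https://login.example.com.evil.test/",   # real name as a subdomain
        "https://login.examp1e.com/",             # digit 1 for letter l
        "https://login.example.com@evil.test/",   # userinfo trick
        "http://login.example.com/",              # downgraded scheme
    ]):
        print(f"{'FILL   ' if filled else 'NO FILL'} {url}")
```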


When browser-managed credentials are synchronized across devices, an attacker may be able to move laterally into an enterprise by compromising the personally managed device or personally managed account (since it may be without 2FA, or may use a shared/guessable/weak password that's shared across dozens of compromised websites, or be far behind on app/OS patches, etc.).



