John Hammond, of Huntress fame, published a video detailing how it's possible to recover, decrypt and reveal passwords from Chrome. The attack vector will also work for Firefox. It requires access to an endpoint, so don't be too alarmed when you read its title: "How To Extract Plaintext Google Chrome Passwords".
Certainly, permitting your users to save passwords in Chrome is better than password reuse. Reuse leads to credential stuffing and that compromises identities, which is the beginning of the identity attack chain to achieve lateral movement inside your systems if there isn't a sufficient identify and access management strategy in place.
It's just that the practice of saving passwords in browsers is also risky, as this video demonstrates. It's best to be proactive and get your passwords out of browsers entirely (before attackers decide to do it for you). Consider a dedicated password manger such as JumpCloud Password Manager. It's decentralized without a master password, but with the enterprise compliance and collaboration features you’d expect.
It's worth doing, whichever solution is best for you. Hats off to Mr. Hammond for being a terrific cybersecurity educator.
