"Safari and Chrome are essentially tied for the worst password manager built into a major Web browser," said Robert Chapin, president of Chapin Information Services, in his report, which looked at the types of security checks browsers used to make sure that they were sending username and password information to legitimate Web sites instead of clever hackers.

Two years ago Chapin reported a widely publicized in the Firefox browser, by Mozilla developers. The bug was used by attackers on the MySpace.com Web site who had set up a fake login page to steal account information from users of the social-networking site.

Firefox has now done a lot to improve its password manager, but all of these products are still far from perfect, Chapin said in an interview. "Should everyone put 100 percent implicit trust in every password manager?" he asked. "Not at all."

One problem is that today's password managers can be tricked into submitting different password credentials to different parts of the same Web site. That's what hackers did with the MySpace attack, posting a fake password entry form on a MySpace page. Because both the fake and real login forms were on the myspace.com domain, browsers like Firefox could be tricked into automatically sending login information to the fraudsters. That bug has been fixed in Firefox now, but Chrome and Safari are still vulnerable to similar attacks.

Another problem is that browsers will send passwords meant for one domain, Google.com for example, to another domain -- say Myspace.com -- without warning the user, he said. That's because browser makers assume that the page asking for the password should be trusted, even if it is sending the password to another domain, he said.