Your browser has 40 extensions. Here's how many you actually need
Open your browser’s extension page right now. Count what you see.
If you are like most people, the number may surprise you. Browser extensions accumulate the way apps do on a phone: installed for one task, used once, then forgotten. The difference is that extensions do not sit harmlessly on a home screen. They run inside the single most sensitive application most people use every day — the browser that handles banking, email, work systems, cloud applications, shopping, authentication and passwords.
That makes browser extension hygiene a security issue, not a housekeeping issue.
Why extensions are a bigger deal than they look
A browser extension is software. It may look small, but it can have significant access depending on the permissions granted during installation.
Some extensions request narrow access. Others ask for broad permission to read and change data across websites. That distinction matters. An extension with broad website access may be able to observe page content, interact with forms, modify what appears in the browser, inject scripts, redirect traffic or collect browsing-related data.
In practical terms, this means an extension may have visibility into the same browser sessions you use for online banking, webmail, SaaS platforms, administrative consoles, corporate applications and personal accounts.
That does not mean every extension is malicious. Many are useful, reputable and well maintained. The issue is trust. When you install an extension, you are not just trusting what it does today. You are trusting the developer, the update process, the permissions model, the extension marketplace review process and any future change in ownership or behaviour.
That is a lot of trust for a tool you may have installed three years ago and forgotten.
The extension you installed may not be the extension you have today
Extensions update automatically. That is usually a good thing because security fixes and compatibility improvements can be delivered quickly. It also creates a risk: users rarely review what changed.
A legitimate extension can change hands. A developer can abandon a project. A new owner can change the business model. A useful tool can become aggressive with data collection. A once-simple extension can add new permissions. A popular category can attract copycats and malicious lookalikes.
This is especially relevant now as AI-themed browser extensions multiply. Users are installing writing assistants, summarizers, search helpers, meeting tools and productivity plugins at speed. Some are legitimate. Some are low-quality clones. Some are designed to imitate trusted brands or capture user activity.
The lesson is simple: treat browser extensions like privileged software, not like harmless browser decorations.
How many extensions do you actually need?
There is no universal number. The right answer depends on your work, your browser habits and your risk tolerance.
That said, many users can function well with a small core set:
A password manager. If you use a password manager — and you should — its browser extension is often what makes strong password behaviour practical. This is one of the few extensions that can justify deeper browser integration.
A reputable content or ad blocker. Beyond convenience, a strong content blocker can reduce exposure to malicious advertising, tracking scripts and unwanted page behaviour.
One or two work-specific tools. This may include a meeting scheduler, grammar tool, screenshot utility, note-taking tool, developer helper or corporate-approved extension that genuinely supports your workflow.
Everything else deserves scrutiny.
The goal is not to reach a perfect number. The goal is to reduce unnecessary software running inside your browser.
A 10-minute extension cleanup
Set aside 10 minutes and review your extension list with five questions.
1. Have I used this in the past month?
If not, remove it. You can always reinstall it later.
Removal is better than simply disabling an extension you no longer need or trust. Disabled is not the same as gone. If the tool no longer has a legitimate purpose, remove it from the browser entirely.
2. Do I know who makes it?
Click through to the extension’s listing. Look at the publisher. Look for a real company, a maintained website, a clear privacy policy, support information and a credible update history.
A recognizable company is not automatically safe, but it is different from an anonymous developer with limited transparency.
3. Do the permissions match the function?
A password manager needs meaningful browser access. A content blocker needs to inspect web content. A calculator, simple timer or basic formatting tool should not need broad access to every website you visit.
When the permission request and the purpose of the extension do not align, remove it.
4. Is there duplication?
Many people run multiple extensions that do the same thing: two ad blockers, several coupon tools, multiple screenshot utilities or overlapping productivity assistants.
Duplication increases complexity and attack surface. Keep the one you trust and actually use.
5. Would I install this again today?
This is the most useful question.
If you saw the same extension today, with the same publisher, same permissions and same reviews, would you install it again?
If the answer is no, remove it.
Be especially careful with these categories
Some extension categories deserve extra caution because they often request broad access or interact with sensitive browsing activity.
Coupon and shopping extensions. These often work by observing shopping pages, URLs, carts or checkout flows. Some are legitimate, but the access is not trivial.
Free VPN or proxy extensions. These can see or route traffic. If you would not trust the provider with your browsing activity, do not install the extension.
AI assistants and summarizers. These may read page content, selected text, documents or prompts. Be deliberate about where they are allowed to run.
Screen capture and productivity tools. These may need access to pages, tabs or browser content. Keep only the ones you actively use.
Extensions installed because a website told you to. Be skeptical of prompts that say you need a plugin, helper or extension to view content. Legitimate software rarely arrives through pressure tactics.
The enterprise version of this problem
For organizations, browser extensions are not a minor desktop preference. They are part of the endpoint and part of the software supply chain.
The modern browser is where employees access email, SaaS platforms, customer data, collaboration tools, financial systems, developer repositories, administrative consoles and AI services. Unmanaged extensions therefore become unmanaged code running inside a highly privileged business application.
Security teams should be able to answer basic questions:
- Which browser extensions are installed across the environment?
- Which ones have broad site access?
- Which ones can read or modify page content?
- Which ones are installed by users with privileged access?
- Which ones are abandoned, poorly maintained or published by unknown developers?
- Which ones are approved for use with sensitive systems?
- Which ones overlap with existing enterprise tools?
The objective should not be to block every extension. That creates friction and drives workarounds. The better approach is to manage extension risk the same way organizations manage other software risk: inventory, classification, allowlisting for sensitive roles, permission review, policy enforcement and periodic recertification.
For high-risk users — administrators, developers, finance teams, legal teams, executives and anyone with access to sensitive data — extension governance should be stricter.
Habits that keep the list short
Going forward, apply a simple rule: install extensions only when you have a specific, ongoing need.
Use official browser stores. Check the publisher. Read the permission request. Avoid installing tools from pop-ups, social media ads or urgent prompts. Remove extensions after a project ends. Review your full list twice a year.
A useful calendar reminder is simple: review browser extensions when you change smoke detector batteries, test your backups or review account recovery settings.
It takes minutes, and it removes risk you probably forgot you accepted.
The bottom line
Extensions are small programs with big access.
Most people need a handful. Many people have dozens. Every extension you remove is one less developer to trust, one less auto-updating codebase inside your browser, one less permission grant to worry about and one less thing that can go wrong.
Forty extensions is not a productivity setup. It is an attack surface.
Aim for five. Keep what earns its access. Remove the rest.
Ethics and Transparency Statement
This article was prepared with AI assistance for drafting, editing and structure. The final judgment, conclusions and responsibility for publication remain with the author.
No vendor paid for, reviewed or approved this article. Product categories are discussed for general security awareness and are not endorsements or recommendations of any specific browser, extension marketplace or extension developer.
Disclaimer
The views expressed in this article are my personal views and do not necessarily reflect the views, positions or opinions of my employer, its affiliates, leadership, customers or partners.
This article is provided for general informational and educational purposes only. It does not constitute legal, compliance, security, privacy or professional advice. Browser extension risk varies based on the user, device, browser, organization, permissions, installed software, data sensitivity and operating environment.
Individuals should make decisions based on their own needs and risk tolerance. Organizations should evaluate browser extension controls in the context of their security architecture, endpoint management capabilities, regulatory obligations and acceptable-use policies.
Keywords
browser extensions, browser security, Chrome extensions, extension permissions, extension hygiene, browser attack surface, endpoint security, password manager, ad blocker, content blocker, malicious extensions, AI browser extensions, SaaS security, enterprise browser security, security awareness, privacy, cyber hygiene, software supply chain, browser governance