For example, exploiting a browser-based password manager likely means escaping the sandbox that contains web pages and accessing the shadow DOM. But this is still a larger surface area than 1Password, where the password selection menu (on Windows at least...) is actually rendered by an entirely separate process on the system. (I.e., clicking the icons that the extension displays triggers the 1Password desktop application to display UI at the cursor's current position. Picking a password from this UI will transmit it to the browser extension for filling. The password is only present in the browser's memory once you've interacted with the desktop application's UI.)
As always, do your research. Don't get suckered into paying a subscription fee for a browser extension that offers the same functionality your browser has built-in. But realize that there are other options out there that may actually be worth investing in.
Disclaimer: I've been a happy 1Password customer for a few years now.
Edit: I just cracked open the 1password extension, and it does indeed use a content script. Glancing over the code I only see stuff related to locating which fields are the username and password field - but I was mistaken in thinking that they didn't use a content script.
All the icon on the webpage ought to do is indicate to the password manager that you'd like to use it, nothing else. You shouldn't be typing your master password there, you shouldn't see a list of sites there (perhaps you just see an option for the current web page, that's fine), etc.
1Password follows this rule and has a pretty good track record overall and I too use it. There are certainly password managers that don't follow this rule; don't use them.
Connecting the application that manages your secrets to the most exposed application on your PC is a bad idea.
In fact, LastPass and others had some pretty embarrassing vulnerabilities that can be exploited due to being an extension.
There's no question that a local PM has a significantly lower attack surface.
Here are some stories:
https://blog.lastpass.com/2019/09/lastpass-bug-reported-reso...
https://www.csis.dk/newsroom-blog-overview/2021/moserpass-su...
There were several classic web vulnerabilities for 1password and bitwarden when it comes to extensions.
That’s a clickjacking vulnerability. The GP post discussed why UI should be out-of-DOM.
> https://www.csis.dk/newsroom-blog-overview/2021/moserpass-su...
I’m not familiar with the password manager here, but that's a CDN compromise causing auto-update to download a malicious dll. Of course voluntarily installing malicious code is a game-over scenario unrelated to the discussion, and I’m not even sure there’s a browser extension involved here. What’s the point you’re trying to make?
And KeePassXC is open source and does not require cloud storage. So you can build from source and do not need to rely on any claims from the vendor on how the data is securely stored.
Anyone else remember when they essentially pushed OSX to get better at security by having a tunnel of protected memory? (It’s been a minute and I know I won’t be able to find the article, so please excuse me if the details are wrong)
? Browser-addon 1password has been the only way to use (modern?) 1password on Linux for a long time.
Any PM that injects a script into the DOM is vulnerable, as the article explains, because the script runs with the exact same privileges as everything else in the DOM (so the existing DOM can mess with your script or with the changes your script tries to make).
Also, the shadow DOM has nothing to do with security in any way. It's trivial to work around it whether it's closed or not. See https://blog.revillweb.com/open-vs-closed-shadow-dom-9f3d742... for example on how to do that.
Extensions are protected by a mechanism called Xray vision, not the shadow DOM.
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Xray_v...
Also, I never use that icon and exclusively use the shortcut. I'm curious if that can be spoofed somehow. But again, they can only get your master password. In the case of 1password, I'm pretty sure they would need direct access to the computer to gain access to your vault.
I can't be the only one who finds that to be small comfort; isn't it sensible to respond, "if my 1Pwd master pwd is stolen, I must treat the vault as if it had been exposed"?
» I’m generally skeptical of these online subscription password managers, and that’s going to be the focus of the rest of this article.
I may be wrong, but he talks about online password managers only; that's why his conclusion is «if you want a password manager in your browser, use the one that's built-in». Otherwise, separate password managers are good, but the author isn't talking about them.
I haven't used the browser's built-in password manager for years, so I don't know what features they have, but I find it hard to believe that they can provide the same functionality as a dedicated password manager.
Some of the top features of dedicated password managers include:
* Generating random passwords/passphrases (this is pretty basic)
* Storing and generating two-factor authentication codes (TOTP)
* Filling out passwords into mobile apps as well as websites
* Storing security questions, backup codes, any other site-specific data that needs to be secure
* Storing credit card information
* Platform agnostic syncing
* Sharing passwords with friends, co-workers, or family
* Weak password checking / HIBP integration
I'm sure that the browser password manager can do some of these things, but I doubt it can really do all of them.
I'm 100% on board with not using 1P's TOTP for guarding the AWS Master Payer Account for my company, but my GitHub account is not a nation-state threat, so having 1P autofill the code after it autofills the long password is very convenient.
I have also experimented with passwords in one manager, TOTP in another, but ... as I said about that convenience spectrum
---
Kind of related to that last item, I also have gotten a lot of mileage out of KeePassXC's autotype feature for having it type my GPG passphrase into pinentry. It stays out of the clipboard, I only have to use it within the pinentry timeout, and it's convenient. I wish 1P had similar behavior on sane OSes (1P will autotype into certain fields on Windows 10, but that convenience extends only to my gaming accounts because I'm not going to use Windows).
That's only true if you are using an online service as a password manager, so the master password is the only thing protecting you. Not necessarily for offline password managers. E.g. in my case, I use Keepass that I never sync/store online, so even without enabling a website's 2FA, for many attack models I am effectively using 2FA: logging into the website requires both something I have (a device with my Keepass database) and something I know (the password for my Keepass database). But without website 2FA those two factors then produce one single factor (the website's password) that is transmitted to log in, so enabling the website's 2FA and storing it in Keepass makes it 2FA against even more attack models, i.e. attacks where it's not my password database that is compromised, but just that one password. So it's still a benefit.
If I ever feel the need to sync my Keepass database, e.g. on Dropbox, I could set a key file (that I transferred offline between my devices) in addition to the master password to preserve this 2FA aspect, so that even if my Dropbox password and Keepass master password were both compromised, they would still be useless without access to my devices that contain the key file. But I never had the need to use my password manager on a different device, so no syncing needed so far. In any case, I don't actually care about 2FA (when I enable 2FA, I actually do it to decrease security, not increase it, as I explained in my other comment); this 2FA is just a bonus of my not needing and not liking online services.
Also, keeping 2FA codes in a syncable password manager is a huge boon for people who ever break/lose phones. Can't tell you how many people get locked out of their accounts because they lose their 2FA codes.
As an alternative, companies have to have a 2FA-reset process. The fact that such a system exists weakens the entire system, which is too bad.
Just depends on your use case.
https://i.imgur.com/h7ZAGZw.png
When I choose to edit an entry, it only gives me the option to have a username and password. I don't see where to put security questions or backup codes, etc. and searching around for a TOTP generator feature also yielded no results.
Unfortunately, it also means I can basically never switch web browsers again, so it's an absolute non-option for me. I don't want to be locked into Chrome forever.
"Things start to go wrong when you want integration with other applications, or when you want data synchronized by an untrusted intermediary. There are safe ways to achieve this, but the allure of recurring subscription fees has attracted businesses to this space with varying degrees of competence. I’m generally skeptical of these online subscription password managers, and that’s going to be the focus of the rest of this article."
So yeah the article focuses more on people who want the convenience of a password manager embedded in their browser.
1. Password manager for PC / Laptop: KeePassXC. It's not built into your browser, it's a separate application. It's totally open source, and trusted by many. It also supports two-factor authentication; I use a passphrase and a key file. Supports TOTP. Has a ton of "premium" features, totally free. It's awesome.
2. Syncing application: Google Drive. Sync your KeePass database using Google Drive (or whatever other sync application you want). KeePassXC supports merging databases if there's ever a conflict, as rare as those are. This is secure, because the KeePass database file is encrypted, and Google Drive / Google will never see the unencrypted database.
3. Password manager for phone: KeePass2Android. Not sure what the options are for Apple, but I'm sure they exist. Allows you to open your KeePassXC database from Google Drive.
4. Browser support: KeePassXC-Browser. Allows you to autofill your username / password / TOTP from your KeePassXC application to Chrome / Firefox.
Totally free, secure, convenient, and syncs to all your devices. Also comes with excellent redundancy for your password database so you'll never lose it. I've been using this setup for years flawlessly.
One minor inconvenience with auto-type is that your passwords don't auto-fill by themselves, but I have it set to the hotkey alt+x, which makes it quick to trigger with my thumb, and after doing it this way for nearly 2 years now I barely notice.
Another downside with auto-type is that not all websites put their full names in the browser title bar, so auto-type won't show you your related passwords in some cases. To fix that you can install a browser extension that puts the full web URL in the title bar: https://github.com/erichgoldman/add-url-to-window-title
Instead of modifying the browser title, I use AutoTypeSearch plugin for Keepass, that opens a dialog allowing me to suggest entries in case of no matches.
There is also another plugin that allows search using both URL and title -- "WebAutoType".
These two plugins together make the Keepass experience almost seamless.
I've been running this setup for about a decade, since some big breach (I forget which one) made it clear to me that using the same or similar passwords across multiple sites was not gonna fly any longer.
The initial time investment was surprisingly heavy - I iterated through every online login I could find for myself (searching through email history mostly for signup confirmations) and changed the password on every account I had. Took about two full days.
I believe the point the article is making is that any browser extension to auto fill is inherently insecure for architectural reasons.
I find it odd someone so serious about password managers would recommend KeePassX which hasn't seen a release since 2016. Perhaps they meant the KeePassXC fork.
No, that is not what the article said. The article said that password managers that insert elements into the webpage are insecure. You don’t need to do that to autofill passwords.
Strongbox is fantastic on iOS
Yeap, but now you have to trust (there's really no open source on iOS, as there's no reproducible builds or way to verify the code) on some guy and hope for the best.
I've also spent a lot of time understanding password managers in my master's thesis. What I can recommend is: https://pfp.works/
The creator was auditing password managers like LastPass, found a lot of issues, and used his knowledge to create pfp, which does it right imho.
> Click PfP icon on any website
> Enter your master password
Can't a website just fake a PFP icon to induce you to reveal your master password, and now the website owner has access to all of your generated passwords? Isn't this exactly the type of attack that caused taviso to write OP?
Yes the pop-up could be faked, but not the button.
Actually Tavis Ormandy found a lot of security breaches in password managers that loaded GUI elements into the website. Not only that you can fake it, but also they are susceptible to clickjacking.
You still need to trust that the software is secure.
I would definitely use the browser password manager, if I could choose where to sync the data to. I think it's possible with firefox, but it's not straight forward.
I personally trust pfp, because the creator is doing audits of browser addons and publishes them on his blog. They are very well explained.
Also the code is quite compact compared to the other password managers. LastPass, 1Password and Bitwarden have more than 100,000 lines of code, including many third party dependencies. So an audit of PfP is more feasible.
People can’t remember 80 passwords, so they reuse the same one; that password eventually gets leaked, and 9/10 times it doesn’t get leaked due to a targeted attack or a compromised machine but rather due to a breach of a service you signed up to.
Sure password managers have issues, they don’t solve user related errors and can even add to the attack surface of a machine they are running on but that’s really not important...
Using password managers and generating different passwords for each service reduces the blast radius from any breach.
This is why I don’t care if the password manager has the best encryption, or whether it even encrypts at all, or whether it uses the clipboard vs some more secure side channel. Yeah, that’s nice, but that’s not in my threat model.
Which is why I don’t care if your password manager is a spreadsheet; it’s a terrible choice for a business because of their threat landscape and the fact that a spreadsheet won’t allow you to audit who has access to what, but for you or your mom even that is better than using the same password everywhere else.
Heck, at home print your passwords and store them somewhere safe... put them on a post-it note for all I care, as long as you live alone or at least not with anyone you wouldn’t want stumbling on that list...
Additionally, if you use two different browsers or operating systems you'll need a 3rd party tool to keep your passwords in sync.
For me, that's why I use a 3rd party.
---
Funny thing is though, I consider myself the 1st party. The website or app I am using is the 2nd party. Anyone else including the browser is a 3rd party. Neither Google, nor Apple, nor Mozilla, to name a few of the top browser-makers, are anything more than middlemen.
I think it's better to trust them with less rather than allow them to keep the passwords as well since they have no incentive to make them portable between competing browsers.
>Second, everyone needs to be using unique passwords. You don’t have to use a password manager to do that, whatever system works for you is fine. If you want to use a notebook in a desk drawer, that’s totally acceptable.
Use a PW manager. If you really don't want to use one, don't use the same PW. At least add your own salt.
e.g. HN@thepwialwaysuse4
HN would be the "salt" for Hacker News.
e.g. myBank@thepwialwaysuse
I never really understood this. Ed25519 keys use SHA-512 and are considered secure. They're still just long secrets, aren't they?
What's to prevent me from using a similarly long, randomly generated secret as my password, using a different one for every site? Because that's what I'm doing with KeePass.
Backing up the auth database/file and having enough redundancy in place, as well as having a sufficiently secure master password take some effort, but the rest is just copying and pasting those long secrets when you want to log in.
Of course, 2FA is a necessity for everything important as well, but it feels to me like the kinds of passwords that many people use are the problem, not the concept of passwords.
No. I find it easiest to keep this straight in my head with a line from the U2 song "The Fly", "a secret is something you tell one other person". You're thinking of Ed25519 private keys, you mustn't tell those to anybody and they're minted as a pair with a public key you can tell to everybody.
> What's to prevent me from using a similarly long, randomly generated secret as my password
That's a Shared Secret. You tell the password to the remote web site. They have a copy of it, their permanent copy of it is likely hashed, but you send them a new, unhashed version of that same password to the site every single time you log in.
This makes all the difference in the world. Let's see that in action:
Suppose that Edward, who is Evil, has complete insight into everything stored by and every program running at Facebook for an hour. If someone logs into Facebook using a password, obviously Edward learns the password, it was sent to Facebook so they could check it was correct. So Edward can log in as any Facebook user who logged in while Edward's magical insight lasted? Right?
Nope. Facebook has WebAuthn. For WebAuthn users logging in involves public key cryptography. Facebook has a public key for those users but no private key. Edward can see that the users were properly authenticated, but he doesn't get a persistent credential because the persistent credential never left the user's grasp. He cannot log in as those users, only they can do that.
But in general I agree with the rest of your comment.
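A constructed model of the two login flows the comment above contrasts, added here as an example (not the commenter's code, and a simplification of WebAuthn, which signs more than a bare challenge): the shared-secret flow hands the server the reusable secret on every login, while the public-key flow only ever hands it a signature over a one-time challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Flow 1: shared secret. The server keeps only a hash, but every login sends
// the secret itself, so anyone watching the server during a login learns it.
type passwordServer struct{ hash [32]byte }

func newPasswordServer(password string) *passwordServer {
	return &passwordServer{hash: sha256.Sum256([]byte(password))}
}

// login returns whether the attempt succeeded and the bytes an observer
// inside the server would have seen for this attempt.
func (s *passwordServer) login(sent string) (ok bool, observed string) {
	h := sha256.Sum256([]byte(sent))
	return subtle.ConstantTimeCompare(h[:], s.hash[:]) == 1, sent
}

// Flow 2: public-key challenge/response. The server holds only the public
// key; the private key stays on the client and is never transmitted.
type keyServer struct{ pub ed25519.PublicKey }
type authenticator struct{ priv ed25519.PrivateKey }

func enroll() (*keyServer, *authenticator) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &keyServer{pub: pub}, &authenticator{priv: priv}
}

// challenge issues a fresh random nonce for one login attempt.
func (s *keyServer) challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func (a *authenticator) respond(chal []byte) []byte { return ed25519.Sign(a.priv, chal) }

func (s *keyServer) verify(chal, sig []byte) bool { return ed25519.Verify(s.pub, chal, sig) }

// Edward records everything the server saw during one legitimate login and
// later tries to log in with exactly that material.

func passwordReplaySucceeds() bool {
	srv := newPasswordServer("correct horse battery staple") // constructed sample
	ok, seen := srv.login("correct horse battery staple")    // Edward records seen
	if !ok {
		panic("legitimate password login should succeed")
	}
	later, _ := srv.login(seen) // Edward replays the captured secret
	return later
}

func signatureReplaySucceeds() bool {
	srv, user := enroll()
	chal := srv.challenge()
	sig := user.respond(chal) // Edward records chal and sig
	if !srv.verify(chal, sig) {
		panic("legitimate key login should succeed")
	}
	fresh := srv.challenge()      // the next login gets a new challenge
	return srv.verify(fresh, sig) // the old signature does not cover it
}

func main() {
	fmt.Println("captured password lets the observer log in:", passwordReplaySucceeds())
	fmt.Println("captured signature lets the observer log in:", signatureReplaySucceeds())
}
```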
Out of curiosity, what does haveibeenpwned.com say about your most used email?
Passwords are great, because they're in your head and can be changed at will (unlike biometrics), and phishing 2fa from (eg old people) is not any harder than phishing for a password.
I eventually defaulted to using FF for passwords, but it still feels wrong. Password Safe had password generators, space for notes.. lil things that I keep missing.
Is Bitwarden decent enough? The fact that it has a cli, FF extension etc. on a free plan is pretty tempting.
It should solve your problems. It is not open source and costs money if you want to use it on your phone (which I don't). Saves everything. PW, CC, notes, certificates etc.
KeePassXC is also a good option, and I'm considering switching to it.
A minor annoyance is that Safari will not let me treat sites which use multiple domains as equivalent. So Discount Tire uses dt.com and discounttire.com but Safari flags this as a security problem because I'm using the same password with both. LastPass lets me set them as equivalent domains, though the process is probably too difficult for most people.
LastPass made free users decide whether to use it either on computers or on phones & tablets, but not both. Because I use Firefox on my Mac, I used LastPass on computers. I rely on Safari to sync for my phone and tablet. I think it's inevitable that LastPass will continue making life more difficult for free users, and I may end up with a flat file or Apple Notes file to store the security questions and answers.
Why not just pay for it? If it prevents a hack which impacts your finances, then it's more than worth it, and not worth the waste of your time trying to avoid paying them.
I use passwords in a lot of places outside of browsers and often the interface I'm using has no browser capabilities.
I understand using browser-based password management if you only ever use passwords on the web. But I'm sure a lot of others, like me, need them outside of that context.
The 1P keyboard knows what app I'm using, and autofills accordingly.
Occasionally I need the password for Microsoft or IntelliJ accounts, but even then I just use my phone to look up the password in my manager visually and then type it. I'm never letting any password I care about go into my Mac's clipboard!
Fortunately I could export Chrome to CSV and use some third party applescript to export KeyChain and import into KeePassXC. It's not perfect but it's better than the built in stuff.
Maybe W3C could standardize a protocol for password managers so we don't have this insane vendor lock in.
The password interface in iOS has improved a whole bunch (tells you about weak passwords, reused passwords, etc) but doesn’t support attaching a TOTP to an entry.
Which may or may not be a big deal now that everyone is moving to U2F etc.
That's not what the article said
Combined with being completely open-source (including backend), full-featured even in the free version, and $10/year pro version (with features like sharing, encrypted storage, etc.), I can recommend it to practically anyone.
Bitwarden is certainly one of the better password managers in my book (seriously, some of its competitors don't even let you add arbitrary fields to credentials!) and has proven to be reasonably secure. However, you cannot ignore the vulnerability the browser extension model or any auto-update model might bring to something as sensitive as a password manager.
I'm using it myself in combination with a self-hosted bitwarden-rs instance (used to run the native version but its performance was just terrible) and I can't say I regret the decision.
I do wish that browser would expose an autofill API to password managers, though, so addons wouldn't need to inject Javascript or do other funky stuff to get passwords filled in.
This isn't true - I use BW and annoyingly it doesn't work with Basic Auth at all. This is because I have disabled auto-fill.
Copying out of Bitwarden and pasting into the visible fields would get around that instead of using its auto-fill.
You still sometimes need to use the interfaces you mention, but increasingly rarely.
> Conceptually, what could be simpler than a password manager? It’s just a trivial key-value store. In fact, the simplest implementations are usually great. Good examples of simple and safe password managers are keepass and keepassx, or even pass if you’re a nerd.
I think keepass synced via nextcloud is a great solution: e2e encrypted, works basically everywhere (Windows, Mac, Linux, OSX, iOS, Android), and it keeps the sync and backup in your hands. If copying and pasting a password or using autofill for keepass is too much to ask, then you probably don't care about security.
With that in mind, I’m rolling with Bitwarden (maximal security afaik and great usability - it’s even linked with my iPhone) for personal stuff and keepass for work, as I only have one machine I need passwords on. I don’t like setting up something to sync a file if I don’t need to, so I’d never use keepass for multiple devices.
> @diractelda: Based on your thoughts, it seems a more accurate statement is "Don't use a password manager that interacts with your browser automatically unless it's the built in password system. Non-integrated password stores are fine."
> @tavis: Yep, that's a fair summary, I was just trying to be punchy
>> @colmmacc: Safari seems conspicuously absent from the list, but it has more users than Firefox or Edge. Is that deliberate? superficially it has the chrome problem solved and T1/T2 integration for the password manager across iOS and OS X.[1]
> @taviso: Well, it's deliberate because I don't know how it works, not because I think there's something wrong with it! It sounds reasonable from the docs, but I haven't looked at the implementation.[2]
As I said in thread, that’s a weird response given the opening paragraph of the article:
> I’ve spent a lot of time trying to understand the attack surface of popular password managers. I think I’ve spent more time analyzing them than practically anybody else, and I think that qualifies me to have an opinion!
I mean, I think Tavis is qualified to have an opinion regardless. But just blanket ignoring a competitor’s solution that addresses all of the problems in the article, while claiming to have more familiarity with the space than practically anyone else... that doesn’t sit well with me.
1: https://twitter.com/colmmacc/status/1401336209746673666?s=21
2: https://twitter.com/taviso/status/1401373666328203264?s=21
I've never succeeded in explaining this to any password manager's tech support. They stay in business because their tools are convenient to use.
I've migrated from 1Password to a Dashlane family plan. I use two separate accounts for myself. I log in to one account to access sensitive financial sites, and log out explicitly before leaving my chair. I log into another account for everything else; do I care if my subscription to the Washington Post gets compromised? That account stays open for convenience.
Each password manager has a theory on how best to offer similar security/convenience with one account. None work as smoothly as having two accounts.
I believe 1Password also lets you lock itself after a period of time which can be very short.
If someone breaks into their house, they have a bigger problem than someone reading their emails, and since they live off government pensions, there is not a lot of money that can be stolen via the internet.
The most secure solution is a local PM.
Also find it odd the author uses Chrome, which doesn't even let you set a master password to E2E encrypt its password store.
In that case, I find it odd that the author doesn't recommend setting a sync passphrase, as that's not enabled by default.
I use Firefox with Lockwise[1] for Android and pass[2] as overflow for more involved secrets. This is a solo solution though that doesn't solve sharing these secrets with others.
> I use [...] pass as overflow for more involved secrets
Why don't you consider pass a third-party script here in this context? Don't you use the Firefox plugin passFF?
Isn't this true for any scenario, password manager or not? If a site has been compromised without you knowing and you enter your password from memory, paste, or a password manager, that password is at risk.
Is the author saying that he is able to access ALL passwords in the password manager via a single malicious site?
Also the other guy who mentioned re-used passwords has another good point.
The problem your approach has is that the user always really believes this is the BigCorp site - from their point of view the stupid password manager isn't working as intended, they need their BigCorp password and it isn't being filled out. The user will definitely figure out how to work around this (e.g. with cut-paste), almost always before they realise (if they ever do) that it's actually a phishing scam.
Because the user simply cannot work around the mystery problem with WebAuthn on a phishing site you have two advantages. Obviously firstly your users can't give away their credentials to phishing scams, because there's just no way to do that even if they are 100% certain that's what they need to do. So that's nice.
But the more subtle advantage is for site owners. When the new Big Boss wants to replace bigcorp.example with new-brand-name-awkward-suffix.example you can't do that in WebAuthn. "Just make it work". Can't. "We paid brand consultants $1M for this domain name. Make it work". Can't. bigcorp.example will have to exist forever or you'll have to explicitly re-enroll all your users. Contrast the situation with a password manager where I can 100% guarantee somebody will tell you to just basically help phishing scammers to steal all your users credentials, rather than admit senior management are incompetent buffoons.
Curiously, I haven't had the issue with coworkers at my company using their password where they shouldn't... but the company I'm at is rather small... and I do scare them with a long phishing presentation when they join the company, and show them all the ways they can be phished, and tell them very carefully not to use passwords where they aren't suggested... I bet there are people who are like that though. And that would be a pain =/.
I haven't had to deal with the 2nd thing you mentioned, but yeah, I imagine it's quite a bit more secure that way. I bet it's caused a few trouble calls, that's for sure. I'll check out WebAuthn though.
If someone has your phone and your phone passcode you’re kind of hosed anyway.
I was actually thinking more about law enforcement being the most likely to try gaining access to your phone. They can make you use your face or fingerprint, but they can’t force you to reveal your pin code.
I run the password generator in a terminal window, then copy and paste the password in to the site I am trying to log in to.
It’s a fairly complicated shell script, since it also has to deal with nonsense like stupid arbitrary password rules (e.g. Southwest considers an underscore to be a letter, and insists at least one non-letter non-number punctuation is in a password; some places require a password to be 8 characters or shorter; etc.) and also provides login information so I can also remember my username.
As recently as 5 or 6 years ago, there were issues with websites which wouldn’t let you copy and paste a password in to their password field; Firefox has always had a “ignore any Javascript which stops pasting” special rule in about:config I had to use. I haven’t seen one of those in a while; developers finally got a clue and realized that password managers exist.
One weakness this setup has is that anyone with the “master key” can get all of the passwords generated by the password generator. My workaround is to use a separate master key in a virtual machine for critical passwords, such as online banking ones.
Shameless plug time:
openssl rand -base64 12
If a couple of attempts at that don't generate a password that satisfies complexity requirements, add, remove, or change a character or two before pasting. Change 12 to a larger or smaller number to change the length of the generated pw.
The system I use handles long term storage, generates the same password for a given website multiple times (with support for changing the index used to generate a given website’s password for things like password rotation—each index is a completely different password), allows passwords to be regenerated from memory if one memorizes the master key, and allows one to have a secure generated password without there being a record that one has generated a password for a given site.
It has protections against trying to guess the master key based on a generated password, and the generated passwords are themselves difficult to crack (a given password has, by default, 60 bits of entropy, but this can be increased if desired).
The weak links are the master key, and the fact the passwords are placed in the clipboard. I use filesystem encryption to protect the master key and only have the master key in two locations (two: Just in case one SSD or computer dies, I have a backup). Browsers do not allow easy access to the contents of one’s clipboard (this is why one has to use Ctrl+V instead of Edit → Paste when using Google Docs in Firefox), so that attack surface, while there, is limited.
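A minimal version of the deterministic generator described above, added here as an example (not the commenter's shell script): HMAC-SHA256 over master key, site and index, mapped onto a 64-symbol alphabet so that the default 10 characters carry 60 bits, with the index giving rotation and the key length giving the "increase if desired" knob. It assumes the master key is a long random string (hypothetical sample values below); a generator meant for a memorized key would put a slow KDF in front of the HMAC.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// alphabet has exactly 64 symbols, so the low 6 bits of each MAC byte select
// one character with no modulo bias: 10 characters = 60 bits of entropy.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

const defaultLength = 10 // 60 bits; raise it for sites that matter more

// sitePassword derives the password for (site, index) from the master key.
// The same inputs always give the same output, so nothing needs storing per
// site; bumping index yields an unrelated password for rotation. Because the
// MAC is one-way, a leaked site password does not reveal the master key, but
// that only helps if the master key itself is too long to guess (assumed here).
func sitePassword(masterKey, site string, index uint32, length int) string {
	mac := hmac.New(sha256.New, []byte(masterKey))
	mac.Write([]byte(site))
	mac.Write([]byte{0}) // separator so site and index cannot run together
	var idx [4]byte
	binary.BigEndian.PutUint32(idx[:], index)
	mac.Write(idx[:])
	out := mac.Sum(nil) // 32 bytes, enough for up to 192 bits of output
	if length < 1 || length > len(out) {
		panic("length must be between 1 and 32 characters")
	}
	pw := make([]byte, length)
	for i := 0; i < length; i++ {
		pw[i] = alphabet[out[i]&0x3f]
	}
	return string(pw)
}

// entropyBits is the search space a site password presents to an attacker
// who does not have the master key: 6 bits per character.
func entropyBits(length int) int { return 6 * length }

func main() {
	key := "hypothetical-long-random-master-key-kept-on-encrypted-disk" // constructed
	fmt.Println("example.com #0:", sitePassword(key, "example.com", 0, defaultLength))
	fmt.Println("example.com #1:", sitePassword(key, "example.com", 1, defaultLength)) // rotated
	fmt.Println("bank (16 chars):", sitePassword(key, "bank.example", 0, 16),
		"=", entropyBits(16), "bits")
}
```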
I really feel like people overthink this sometimes.
You don't need a notebook for unique passwords. Just use the service's name. Unless you also meant unguessable, in which case a notebook is probably going to be insufficient because your brain-powered password generator will soon run out of entropy.
> The tech press can review usability and onboarding experience, but can’t realistically evaluate any security claims, so how do you propose users tell the difference?
"Security at the expense of usability, comes at the expense of security." Users don't need to know the difference because the only danger they need to protect themselves from is "my gmail was hacked" and the only requirement for that is that they use an un-guessable password saved somewhere unsophisticated attackers can't access. Any password manager accomplishes this.
> An attacker (or malicious insider) in control of the vendor's network can change the code that is served to your browser
Password managers have servers sending code over to the browser? After the installation process?
Yes, LastPass is all web based IIRC, and even 1Password switched to a web based offering when they switched to a subscription model. I'm still a happy customer of their previous product, which was a one time purchase and uses software installs instead, with the database synced with w/e you want (Dropbox, GDrive, etc).
It also has the advantage of scaling in a straightforward way to other secrets that aren't "passwords", like credit card and other account numbers, SSNs for my kids, addresses for relatives who keep moving, etc...
I want account management protocols so I can rotate all my passwords automatically via my password manager. That would be awesome.
I used to have random passwords scattered over multiple browsers, because I change browsers.
Then I got a password manager, and imported all my chrome passwords... and there were hundreds of them. All the old ones, all the weird little ones that I never cared about. It took me ages to clean this data set and delete all the crap.
So no... never going back to storing passwords in the browser, thanks. I realise that technically a malicious site could possibly mess with my password manager. But I'm more worried about what the browser is doing.
What would be really great is if the major browser vendors would get together and come up with a way to do reliable, secure, cross-browser syncing of passwords.
The main reason I use a password manager instead of the browser’s password storage is because I use different browsers both on the same device and on different devices. I might use Firefox on my Linux desktop and Safari on my Mac. Using a third-party password manager allows me to have the same set of shared passwords on both.
But relying on chrome as password manager - even on Android - has drawbacks as it seems not to support all apps and fields one needs to.
I personally use bitwarden because it seems to work - when I enable all assistive tech - on 99% of situations. I also don't use chrome anymore so using Google password manager isn't as useful.
But I didn't check to synchronise it with devices.
I haven't been comfortable with other 3rd party password managers and their integration feels forced.
I know it's about browser integration, but take a look at the repository of the Lockwise Android app[1], which released its last version 6 months ago, and the Bitwarden app[2], with the last release being 1 month ago (I tried to find the Firefox browser version but it's a mess to analyse its activity). I know Firefox has a much larger team, but it doesn't necessarily mean that more competent devs are taking care of the browser password manager's security than 1Password's, for example - maybe this is true for Google Chrome but who knows about Firefox and Edge.
[1] https://github.com/mozilla-lockwise/lockwise-android [2] https://github.com/bitwarden/mobile
However, I would still advocate for a web based password manager for regular people. The benefits overpower the possible risks which are more targeted than generic.
For security personnel, like myself, a reliable local password manager is unbeatable. Yes, it is less convenient no doubt, but it removes any remote-based attacks from the picture, which is a huge deal.
The content script attack surface issues simply matter less than the giant gaping hole from password reuse combined with spear-phishing and breaches. Anything that makes it easier for the wetware at scale to do the more secure thing is going to increase overall org security by a step function and is a valuable layer. That it's not infallible shouldn't mean it should be discarded.
Frankly, I find this article irresponsible. Imagine some organization follows the advice here and actually weakens their overall security posture by following its advice. That would be unfortunate.
I use keepass (so no custom browser extensions at all) and I always register for new accounts on my main device. Then, once enough entries amass I manually copy my database into all the other devices I own - usually once a quarter or even less often. That's it.
Trusting that some third party service would keep your passwords private is a stretch.
> An attacker (or malicious insider) in control of the vendor’s network can change the code that is served to your browser, and that code can obviously access your passwords. This isn’t farfetched, altering the content of websites (i.e. defacement) is so common that it’s practically a sport.
Is this actually true? For Lastpass, I would assume the code run in the browser comes from the extension directly, and (for Chrome), the extension comes from the Chrome Web Store. There are some problems here, but in theory the system could be improved so that modifications to the extension in Google Web Store are very obvious, and an attacker couldn't just inject code into the extension and update it without someone noticing immediately.
Actually it has, since Google Chrome started as a different "chrome" on top of WebKit (hence the name).
Got very confused until reaching the end of the article where 'online' was mentioned specifically.
Been using KeePassXC with auto-type, an ownCloud-based replica, a certificate and a YubiKey for a while now. It's slightly more of a hurdle than LastPass and such, but also not as black-box, and the fact that it isn't as mainstream might make it less susceptible to the mass attacks that we've seen leaking personal data by the GB these past few years.
For the few sites where security matters more than trust in browser vendors it's probably better to memorize those passphrases, or use completely offline password managers.
If I use Chrome's built-in password manager for example and want to get the password for some website in Safari on iOS, I think that would not be as seamless as with LastPass for example.
This is why, while I do use Password Managers, I hate the tiny widgets and prefer to copy/paste or use a typeable password.
Having your password as "@#$!@#-<_" will just annoy you every time you need to type it and/or use it in an automated fashion (because every system gets confused by $, \, /, -, etc., in different ways).
He's a brilliant researcher, but I think he's wrong on this one, and the blog post is an appeal to authority and ends with basically an 'I've already heard your counter arguments and you're wrong'.
He should show his work.