Online password managers... beware?

TMSG
TMSG Posts: 233 Forumite
Fourth Anniversary 100 Posts Name Dropper
I've always kept all my passwords in an offline password manager (KeePassXC on the desktop and the offline version of keepass2android for mobile). This only accesses a local file which itself is stored on an encrypted local disk and never leaves my devices (OK, it does, but only as a securely encrypted backup).
I've always been wary of those online password managers because a) you effectively give over your passwords to a third party (the absolute minimum would be to use an open-source provider) and b) you're using an inherently unsafe method (ie a web browser) to access the passwords.
This article details an attack that uses variants of method b) to read online-managed passwords for 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass and LogMeOnce:
https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/
AFAICS there's not much a user can do other than to be extremely careful which websites they visit. And even if the providers close those holes, a resourceful threat actor might find other ways to achieve a similar result.
Perhaps it pays to use a separate browser for the really important stuff (and only for that, and always use your own bookmarked web addresses) and to limit access to online passwords to this browser. Unimportant passwords/sites can then be used in a separate browser or browsers with their own online password management.

Comments

  • booneruk
    booneruk Posts: 750 Forumite
    Sixth Anniversary 500 Posts Name Dropper
    edited 20 August at 5:20PM
    I don't think a local password solution mitigates a clickjacking/XSS exploit - ie the human, you, could still paste/type a password in unwittingly (also would be a problem with keyloggers and other local malware too). Nothing's ever fully secure.

    On top of this, a fire could be curtains for your entire password archive. I'd prefer that not to be a risk personally.

    EDIT: I believe the exploit discussed in that article regards tricking a password manager into executing its autofill function on a legit site that's been exploited and therefore providing your password to a malicious actor. This could theoretically be set up through clicking a malicious link.
  • MyRealNameToo
    MyRealNameToo Posts: 914 Forumite
    500 Posts Name Dropper
    I have to admit I don't fully follow what the article is alleging; it seems to be saying a malicious or infected site is visited and the password manager is triggered, it can be hidden behind a banner or such, and the "close the banner" icon is over where the password manager's insert username/password is, and so the click actually divulges your username/password.

    For a start my password manager will only trigger if you are on a site that it already holds a username/password for, so going to a random malicious site isn't going to do anything, so it's actually limited to only infected sites.

    Secondly, just clicking on the autofill doesn't actually autofill, it triggers the need for biometrics after which it will fill. So yes, if you click to close a banner, get asked for biometrics and are silly enough to give them even though you didn't do anything that should trigger biometrics, then maybe it could work, but it still feels like a lot of things need to align for it to work and that isn't in line with the article's claim that 1 click is all that's required.

    It would only give them the password for that one site and if you're using a password manager you are hopefully already getting unique passwords for each site... mine also has a unique email address for most sites. So I can realistically see someone using this to get my MSE username/password but not my bank details, which will be totally different.

    I can see the credit card being easier because that will trigger on any site, but then I don't have my payment details in my password manager so it's not an issue.


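The posts above describe the attack as a click landing on the password manager's injected autofill control while a decoy (a banner, a "close" icon) is what the user thinks they are clicking, either because the control has been made transparent or because something visible sits over it. The following is an added illustration, not any password manager's real code: a pure-function check of the kind an extension could run before honouring a click on its own control, working on a simplified model of the page (boxes, stacking order, effective opacity, pointer-events) that a browser would supply via getBoundingClientRect/getComputedStyle. All element ids, coordinates and scenarios are constructed.

```javascript
// Illustrative defensive check (constructed example, not vendor code).
const MIN_VISIBLE_OPACITY = 0.9; // below this the control is treated as invisible

function containsPoint(rect, x, y) {
  return x >= rect.x && x < rect.x + rect.w && y >= rect.y && y < rect.y + rect.h;
}

// Topmost element that would actually receive a click at (x, y):
// pointer-events:none elements are skipped, just as the browser skips them.
function hitTarget(elements, x, y) {
  return elements
    .filter((e) => e.pointerEvents !== "none" && containsPoint(e.rect, x, y))
    .sort((a, b) => b.zIndex - a.zIndex)[0] || null;
}

// Topmost element the user can actually see at (x, y): transparent ones are skipped.
function visibleTopAt(elements, x, y) {
  return elements
    .filter((e) => e.opacity >= MIN_VISIBLE_OPACITY && containsPoint(e.rect, x, y))
    .sort((a, b) => b.zIndex - a.zIndex)[0] || null;
}

// A click on the autofill control is only honoured if the click is delivered to
// the control, the control is visible, and nothing visible is drawn on top of it.
function isSafeAutofillClick(elements, autofillId, x, y) {
  const hit = hitTarget(elements, x, y);
  if (!hit || hit.id !== autofillId) return { safe: false, reason: "click not delivered to autofill control" };
  if (hit.opacity < MIN_VISIBLE_OPACITY) return { safe: false, reason: "autofill control is transparent" };
  const seen = visibleTopAt(elements, x, y);
  if (!seen || seen.id !== autofillId) return { safe: false, reason: `covered by ${seen ? seen.id : "nothing visible"}` };
  return { safe: true, reason: "ok" };
}

// Constructed scenarios. The autofill dropdown is the element the extension injected.
const dropdown = { id: "pm-autofill", rect: { x: 100, y: 200, w: 200, h: 40 }, zIndex: 10, opacity: 1, pointerEvents: "auto" };
const honestPage = [dropdown];
// The control has been made transparent, with a decoy "close" icon drawn beneath it.
const transparentCase = [
  { ...dropdown, opacity: 0 },
  { id: "decoy-close", rect: { x: 180, y: 210, w: 20, h: 20 }, zIndex: 5, opacity: 1, pointerEvents: "auto" },
];
// A visible banner sits over the control but lets clicks pass through to it.
const overlayCase = [
  dropdown,
  { id: "cookie-banner", rect: { x: 0, y: 150, w: 800, h: 150 }, zIndex: 20, opacity: 1, pointerEvents: "none" },
];

console.log(isSafeAutofillClick(honestPage, "pm-autofill", 200, 220));      // safe: true
console.log(isSafeAutofillClick(transparentCase, "pm-autofill", 190, 220)); // transparent
console.log(isSafeAutofillClick(overlayCase, "pm-autofill", 200, 220));     // covered by cookie-banner
```

The same check explains why disabling autofill, as mentioned later in the thread, removes the exposure entirely: with no injected control there is nothing for a disguised click to land on.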
  • flaneurs_lobster
    flaneurs_lobster Posts: 6,763 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    I can see how the attack would work and I'm pleased to see that Bitwarden (my PM of choice) have fixed it in the latest update. Think it needs autofill running to exploit the vulnerability, turn that off and you'll be safer.
  • NorthYorkie
    NorthYorkie Posts: 144 Forumite
    100 Posts Third Anniversary
    Ever thought of keeping your passwords written down in a little book and kept in your desk at home?
  • MyRealNameToo
    MyRealNameToo Posts: 914 Forumite
    500 Posts Name Dropper
    NorthYorkie said:
    Ever thought of keeping your passwords written down in a little book and kept in your desk at home?
    Unfortunately, being at home is not the only time you ever need to log into a website, do online banking etc.
  • flaneurs_lobster
    flaneurs_lobster Posts: 6,763 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    NorthYorkie said:
    Ever thought of keeping your passwords written down in a little book and kept in your desk at home?
    Was in M&S yesterday. Wanted to pay for my goods with a gift card which lives in my M&S account.

    App needed me to login with userid/password - not a problem since I can access both on my phone, would have been trickier if the password was in a book at home.

    But yes, I take your point. There is always risk involved with trusting (particularly online) technology with sensitive or confidential information, but if you take sensible precautions then the advantages are very compelling.

  • MyRealNameToo
    MyRealNameToo Posts: 914 Forumite
    500 Posts Name Dropper
    flaneurs_lobster said:
    But yes, I take your point. There is always risk involved with trusting (particularly online) technology with sensitive or confidential information, but if you take sensible precautions then the advantages are very compelling.

    As there is also a risk in having them written down: were someone to break into your home and find the book, then not only have you lost your laptop but they have also gained access to everything on it, plus you don't know any of your passwords any more to be able to change them.
  • Frozen_up_north
    Frozen_up_north Posts: 2,854 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    Some of us keep our password manager separate from our web browser and use "copy and paste" to input passwords; the security issue described in the link relates to web browsers and dodgy sites.

  • Vitor
    Vitor Posts: 721 Forumite
    500 Posts First Anniversary Photogenic Name Dropper
    edited 21 August at 8:44AM
    Useful reminder to enable 2FA and not rely only on passwords, and to avoid 2FA that is vulnerable to SIM swapping.
  • flaneurs_lobster
    flaneurs_lobster Posts: 6,763 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    Vitor said:
    ... and avoid 2FA that is vulnerable to SIM swapping
    Be good if you could have a word with the 90% of banks and BSs I log into that still insist on 2FA via SMS.