
Browser Extension Password Managers Exposing Passwords Everywhere - beNjiox
http://isecpartners.github.io/whitepapers/passwords/2013/11/05/Browser-Extension-Password-Managers.html
======
subsection1h
I use KeePass and I haven't integrated it into any of the web browsers I use.
When I want to log into a site, I don't load it via my web browser's address
bar; instead, I Alt-Tab to KeePass, Ctrl-F to find the site/account, Ctrl-C to
copy my password, and Ctrl-U to open the site. This takes only a few seconds
longer than using a browser extension like LastPass (which I've used to share
credentials with family members).

In addition to this being potentially more secure, another benefit is that I
can specify that KeePass open certain sites in a non-default web browser. I
prefer not to log into some sites/accounts using my primary web browser, and
KeePass helps me to avoid this. If I were to use a solution like LastPass for
all my password management, I would need to pause and recall which browser I
use to log into a site/account. But with KeePass, I just mindlessly Alt-Tab,
Ctrl-F, Ctrl-C, and Ctrl-U.

~~~
MetaCosm
... this doesn't sound easier, this sounds much more annoying. But each to his
own.

~~~
subsection1h
I didn't assert that it was easier, just potentially more secure. Similarly,
it's arguably annoying to only access financial accounts (and the email
accounts that are associated with the financial accounts) using a dedicated
banking computer, but I think that having a banking computer is worth it.
Others will disagree.

~~~
jpgoldberg
[Disclosure: I work for AgileBits, makers of 1Password]

One way of characterizing the particular paper is "password managers with
browser extensions don't always prevent you from submitting your data to the
wrong place."

Systems that rely on the user to copy/paste offer no such protections
whatsoever (and so, I suppose, can't fail at them.) So I'm curious about what
you may mean by "potentially more secure" in this particular respect. Are you
concerned that you might come to rely too heavily on the password manager's
anti-phishing mechanisms?

[Note that I fully acknowledge that there may be other security reasons you
may wish to keep your password manager out of browser. 1Password and KeePass
have different security architectures, development processes, platform
support, etc, with their own advantages and disadvantages. People need to
figure out which works best for them.]

~~~
aclevernickname
Not knowing the passwords, and keeping them in a locked database you
copy/paste from creates plausible deniability if in a situation where one is
beaten with a $5 wrench.

For some people, the risk of disclosure by violence is more a worry than the
risk of disclosure by the clipboard.

------
josephwegner
Shameful plug... sorry..

I actually just released an account manager for Chrome, called Waltz. Waltz
uses Clef ([http://getclef.com](http://getclef.com)) for multi-factor auth,
and then submits using preconfigured login URLs - not heuristics like most
other password managers.

After a semi-thorough read of the article, I don't believe Waltz falls into
any of the security holes mentioned in the article.

[http://getwaltz.com](http://getwaltz.com)

~~~
nadocrew
Very cool extension. Is there any way to use Clef/Waltz to login on a phone?

------
morgante
This title is hyperbolic linkbait and should probably be changed.

From skimming the paper, the only real flaw that seems broadly applicable is
in autofill features which I'm not sure 1Password even has. Those intuitively
seem like a bad idea and are easy to disable.

~~~
city41
It also mentions that auto filling is the default for two of them.

~~~
morgante
Right, and that default should probably be changed.

But that doesn't justify this clickbait title which is simply untrue as
nowhere in the report does it say that passwords are shared "everywhere."

------
eknkc
Looks like LastPass really screws up by auto filling forms within emails and
submitting them. Which means that I can duplicate the yahoo login page, send
it to your yahoo mail and LastPass would fill it up and submit because it's
served under yahoo domain.

1Password seems to be just fine according to this paper. It did not fuck up
like Lastpass and the only live flaw is about subdomain matching, which I
actually find useful.

~~~
HaloZero
I honestly think for security purposes in general you shouldn't auto fill in a
form regardless of the domain and the extension builders should just not build
that feature because it exposes issues like this.

~~~
neltnerb
What's the alternative? Generate randomized passwords and memorize them all? I
have 250+ passwords for different websites, and not a great deal of choice
about it. This is certainly way better than the actual likely alternative --
using the same password on all 250+ sites.

~~~
blazingice
1Password's browser extension v4, in contrast, fills in the form only when you
press a key combination (⌘-\ on OSX), and has you enter your master password
into a dropdown from the OSX Menu Bar, and not inside the browser frame.
Pretty snazzy all around.

~~~
neltnerb
Aha, I see the distinction now. Thanks. Enough to simply disable autofill in
LastPass then? I'm loath to learn a new system because of such a seemingly
small vulnerability.

LastPass has me enter the master password in a pop up window when I click on
the icon from the extension (firefox/chrome), although I suppose that's maybe
not as good as an independent application?

~~~
korg250
Exactly.

I can, not only disable autofill in the Lastpass configuration, but also set
to require password reprompt for any of my credentials. I could also
individually disable autofill for any credential.

People should first know how something works before criticizing.

------
neltnerb
Bizarre. I literally submitted this just a few hours ago, about how to use not
only a password vault, but also multifactor grid authentication in order to
ensure that even if someone stole your password, it would be exceedingly
difficult to access your vault.

[https://news.ycombinator.com/item?id=6943837](https://news.ycombinator.com/item?id=6943837)

Actual Link: [https://helpdesk.lastpass.com/security-options/multifactor-authentication-options/grid-multifactor-authentication/](https://helpdesk.lastpass.com/security-options/multifactor-authentication-options/grid-multifactor-authentication/)

------
Nerdfest
Non-browser-integrated password managers with 2-factor authentication are one
of the best security solutions around right now. Every step away from that
costs you security, but probably is still a good ways better than using
passwords alone purely from memory.

~~~
Guvante
I am curious, is there a way to do OTPs with offline databases?

I tried poking around with the add-in, but couldn't quite determine whether
the implementation could properly protect from replay attacks, most notably
whether a copy of the xml file used and the matching old OTP would be enough
to unlock a newer database file.

~~~
ryan-c
It's impossible to use OTP as part of an encryption key without some sort of
oracle that could do the decryption without the OTP.

~~~
Guvante
I know you can always backdoor it with the root key, and I decided to give up
on this line because of that.

In theory you could guarantee the OTP going forward, but it would be
impossible to protect going backward, which kind of kills the whole point.

------
sb057
The takeaway: Although imperfect, a properly used password manager can still
have a large positive impact on an individual’s security.

------
jpgoldberg
[Disclosure: I work for AgileBits, the makers of 1Password]

We need to put the headline and some of the odd generalizations stated in the
paper aside, and look at the specific security issues raised. When we do that,
we find that 1Password matches or exceeds the "far more secure" built-in form
fillers.

If we ignore the title and some odd generalizations, this paper actually
spells out how well 1Password avoids various risks when you look at the
details.

Readers need to go through section 2 of the paper carefully to see which
studied systems do what. The most worrisome of the kinds of flaws that
browser-based password managers face (filling things for
[https://foo.example](https://foo.example) into
[http://foo.example](http://foo.example) and filling for bar.example origin
forms on foo.example pages) are things that 1Password handles correctly.

The things that we don't do "right" in their eyes are things that their
recommended alternative (built-in browser form fillers) also don't do "right".
I'm not sure that the authors have fully thought through what it would even
mean to do those "right". But I encourage people to read the paper and decide
for themselves whether we've made the correct choices in our handling of
subdomains, and whether filling should be tied to a specific page on a site.

What of course does need to be considered are the risks of not using something
in the browser. If you are copying and pasting from your password manager to
your browser you are far more likely to be tricked by phishing, or cross
origin forms than you would be with 1Password.

1Password tries to make it hard for you to fill in your credentials in the
wrong place (you have to use copy/paste to manually do it where 1Password
refuses to do it automatically), and to the extent that the concerns in the
paper are legitimate, there are cases where browser-based fillers may fail to
"make it hard" where they should.

Contrast that with the alternative of using copy/paste. Copy/paste offers no
protections whatsoever against you filling in credentials to the wrong web
form.

It would be foolish to claim that 1Password's phishing prevention mechanisms
can't ever be defeated. But with respect to what was tested in this paper,
they are the best out there.

------
BadassFractal
How bad is it for LastPass? I've used KeePass for a while, but the convenience
of LastPass is such a killer feature :(

~~~
sixbrx
Basically you just need to turn off auto-login and auto-fill on all sites, no
matter what your password manager is. All of the attacks depended on those two
features, from what I could tell from a quick scan of the paper.

~~~
donniezazen
Can you do that globally?

~~~
aptwebapps
I just did. (Using LastPass).

~~~
donniezazen
How can you set LastPass to globally disable auto-fill and auto-login? I
checked again and I couldn't find any options in the extension or vault
settings.

~~~
aptwebapps
Using the Chrome extension, auto-fill is under Preferences > General, and
auto-login is under Preferences > Advanced.

~~~
donniezazen
Thanks.

------
goronbjorn
If you don't want to download the PDF: [https://view-api.box.com/view/1cdbcb3a1a944ab1becab0506d11fb45](https://view-api.box.com/view/1cdbcb3a1a944ab1becab0506d11fb45)

------
kirtijthorat
I wish iSEC Partners could have added My1Login
([https://www.my1login.com](https://www.my1login.com)) and DashLane
([https://www.dashlane.com/](https://www.dashlane.com/)) to their research
paper so that we could have got deeper insights and comparison. My favorite is
DashLane and I am very impressed with its data security mechanism. The
[https://www.dashlane.com/security](https://www.dashlane.com/security) page
gives DashLane's security model in a nutshell.

------
manicbovine
This just completely ruins LastPass as an enterprise product, which seems to
be a major revenue stream for them. (Unless LP enterprise allows admins the
option to globally disable these insecure "features".)

~~~
jagermo
interesting thought, I'll check it out.

Update: No, not able to set up a global policy - I'll contact them.

------
x0054
On an unrelated note: I am looking for a password manager that would allow me
to assign a system wide shortcut. When the shortcut is pressed, a window would
appear where I can search for the password I am looking for (think Alfred or
Launchy). Searching for the password and hitting enter would type in the
password into whatever field I previously had selected. Something open source
would be perfect. I looked, but did not find anything like that. Something
that works on OSX and Windows.

~~~
jpgoldberg
[Disclosure: I work for AgileBits, the makers of 1Password]

I didn't come here to engage in sales pitches, but when you specifically ask
for a feature introduced in 1Password 4, it is hard for me not to mention it.
1Password Mini lives in the Menubar and does what you wish. There are also
options for Alfred and LaunchBar integration.

------
droptableusers
If you are on GNU/Linux you can use built-in tools with PGP (with a little
help of bash scripts, and git if you want). I first saw it explained on this
blog [http://blog.sanctum.geek.nz/linux-crypto-passwords/](http://blog.sanctum.geek.nz/linux-crypto-passwords/)
and it has worked really well for me. Feels more robust and secure than browser
password stores, though probably not as convenient, but it's up to you,
convenience or security.

------
vermasque
Thanks for posting this.

The takeaway here is to turn off auto-fill and auto-login. You'll still get
most of the convenience of the browser extension password manager: a
repository of strong passwords that you don't have to remember and can access
easily on multiple devices. This is why I use LastPass. I used to use KeePass
and even donated to the project, but I wanted more convenience, support in the
long run, and never liked the .NET dependency.

------
yeukhon
I never use password managers. The reason is simple: I don't want to rely on
another software. If I had to remember 20 passwords I would and in fact I do
carry around 10 different passwords in my head constantly.

I trust my own brain rather more. And if my brain is compromised, what else can
you do with all the security we have on our desktop?

~~~
ye
Because

1) Over the years it ends up being much more than 20 passwords. Bank accounts,
credit cards, stock trading accounts, web servers, email accounts, IRA
accounts, bitcoin passwords/keys, all kinds of work passwords, evernote, etc.
I have more than 50 records in KeePass.

2) If you want secure passwords, they must be long (20 characters minimum) and
random. Remembering something like that is nearly impossible for me. Once I
started using KeePass, I feel way more secure than with my older scheme.

~~~
yeukhon
The issue is not about remembering passwords or how difficult the password is
to guess; it's how responsible one is as a user.

Don't sign up hundreds of accounts. I only have one bank so that's just one
password.

Relying on another software to take care of security like this is not a good
solution to me.

------
marcrosoft
Isn't the solution obvious? Use the password manager to remember a unique
password for each site but combine it with something you know. Prepend a
password, mix your password in the middle, append it, etc. Problem solved?

~~~
PhantomGremlin
I don't think the solution was "obvious" until you mentioned it. What you
suggest might not be perfect (I'm not qualified to judge that) but it's
certainly a very good idea.

------
theboss
It's so obvious when papers like this are released for publicity. "Instead of
reporting small problems we find we should release a paper with a scary
sounding title first"

------
xcyu
Every example in this paper stems from the issue that these password managers
do not respect same origin policy. Sounds like something that's easy to fix
for the developers.

~~~
krallja
SOP does not apply to form fields, which is the exploit vector for the Y! mail
attack.
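
The policy below is an added example, not code from the iSEC paper, LastPass, 1Password or Waltz. It spells out the checks an extension has to do itself before filling, given krallja's point that the same-origin policy does not constrain where a form submits: the https-to-http and cross-origin form cases jpgoldberg lists, the "fill only on the saved login page" rule Waltz takes, and the webmail look-alike form eknkc describes, which passes every host and origin check and is refused only by the login-page rule. The saved entry, page URLs and form actions are constructed; `makeEntry`, `resolveFormAction`, `autofillDecision` and `runScenarios` are names chosen for this example, and `form` is a plain object standing in for an HTML form element.

```javascript
// Added example (not the iSEC paper's code, nor any password manager's):
// a strict autofill policy an extension could apply before filling a login
// form. The browser's same-origin policy does not restrict where a form
// submits, so the extension has to check the form's action origin itself.
// All entries, page URLs and form actions below are constructed.

// A saved credential as a manager might store it: the exact login URL it was
// captured on, plus the pieces of it the policy compares against.
function makeEntry(loginUrl) {
  const u = new URL(loginUrl);
  return { loginUrl: u.href, origin: u.origin, host: u.hostname, protocol: u.protocol };
}

// Resolve a form's action attribute against the page it sits on, as the
// browser would; a missing or empty action posts back to the page itself.
function resolveFormAction(pageUrl, formAction) {
  return new URL(formAction || '', pageUrl);
}

// Decide whether `entry` may be filled into `form` (a plain object with an
// `action` string, standing in for an HTML form) on `pageUrl`.
// Returns { fill, reason } so each refusal says which check stopped it.
function autofillDecision(entry, pageUrl, form, opts = {}) {
  const { userGesture = false, requireExactLoginPage = true } = opts;
  const page = new URL(pageUrl);
  const action = resolveFormAction(pageUrl, form.action);

  // 0. No silent autofill: filling happens only on an explicit user action
  //    (a key combination or a click), never on page load.
  if (!userGesture) {
    return { fill: false, reason: 'no user action' };
  }
  // 1. No downgrade: a credential saved on https is not filled on http.
  if (entry.protocol === 'https:' && page.protocol !== 'https:') {
    return { fill: false, reason: 'page is not https' };
  }
  // 2. Exact host match. A sibling subdomain (evil.mail.example for
  //    login.mail.example) is refused here; relaxing it is a policy choice.
  if (page.hostname !== entry.host) {
    return { fill: false, reason: 'page host differs from saved host' };
  }
  // 3. The form must post to the origin it is displayed on. A form on
  //    foo.example whose action is bar.example is a cross-origin form.
  if (action.origin !== page.origin) {
    return { fill: false, reason: `form posts to ${action.origin}` };
  }
  // 4. Tie filling to the exact saved login page. This is the only check
  //    that refuses a look-alike form rendered inside a webmail message on
  //    the same host, since checks 1-3 see the same host and origin there.
  if (requireExactLoginPage) {
    const saved = new URL(entry.loginUrl);
    if (page.origin + page.pathname !== saved.origin + saved.pathname) {
      return { fill: false, reason: 'not the saved login page' };
    }
  }
  return { fill: true, reason: 'ok' };
}

// Constructed scenarios, all run against one saved entry.
function runScenarios() {
  const entry = makeEntry('https://login.mail.example/signin');
  const gesture = { userGesture: true };
  const scenarios = [
    ['real login page, user pressed the fill shortcut',
      'https://login.mail.example/signin', { action: '' }, gesture],
    ['real login page, but nobody asked for a fill',
      'https://login.mail.example/signin', { action: '' }, {}],
    ['same host, look-alike form on a non-login page (webmail message)',
      'https://login.mail.example/inbox/msg/42', { action: '' }, gesture],
    ['same look-alike form, with the login-page rule switched off',
      'https://login.mail.example/inbox/msg/42', { action: '' },
      { userGesture: true, requireExactLoginPage: false }],
    ['same host, look-alike form posting off-site',
      'https://login.mail.example/inbox/msg/43',
      { action: 'https://collect.attacker.example/p' }, gesture],
    ['https entry on an http copy of the login page',
      'http://login.mail.example/signin', { action: '' }, gesture],
    ['sibling subdomain hosting a copy of the login page',
      'https://evil.mail.example/signin', { action: '' }, gesture],
  ];
  return scenarios.map(([label, pageUrl, form, opts]) =>
    ({ label, ...autofillDecision(entry, pageUrl, form, opts) }));
}

for (const r of runScenarios()) {
  console.log(`${r.fill ? 'FILL  ' : 'REFUSE'} ${r.label}: ${r.reason}`);
}
```

Run it with node. Two things the output makes visible: the fourth scenario fills, which is what a manager that matches on host alone does with the look-alike form, and check 3 also refuses a legitimate site whose login page on one host posts to an authentication host on another origin. That second refusal is the intended failure mode of a strict policy (the user falls back to a manual fill), and it is exactly the trade-off the thread is arguing about.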

------
Lazare
Hrm. Seems like a better headline might be "Lastpass has some significant
security flaws"? Doesn't really seem applicable to 1Password (not sure about
KeePass).

------
salient
I see it's not mentioning the open source KeePass.

~~~
ye
Because it's not a browser extension, which auto-fills the login fields. And
that's why I use KeePass.

~~~
crdoconnor
There is a keepass extension, though. It's a pity they didn't review it.

------
chrismeller
Blah blah blah, inflammatory headline, blah blah blah, it doesn't do this one
thing I think it should, blah blah blah.

------
ximeng
Is there a good, ideally free password manager that works on Android, iPhone,
and the web? Any recommendations?

~~~
rallison
I use Keepass for this. The android port
([https://play.google.com/store/apps/details?id=com.android.ke...](https://play.google.com/store/apps/details?id=com.android.keepass))
works perfectly fine for me, and it looks like there are a few ports for iOS
as well. Keepass itself has, of course, long established itself as a solid
password manager. And the cost is $0.

~~~
mehmehshoe
Android has two versions of Keepass. Make sure you read the details before
you choose which one you want to install. The difference between the two is
how/where you store your key file, either on their server or on the local sd
card.

