By Chester Wisniewski
It seems odd to imagine that one piece of software, which doesn’t even require a network connection, can improve the safety of your online life. But password managers certainly appear to fall into that category, though you do need to be extra diligent in how you secure them! While performing research on modern Wi-Fi security, I was reminded how the use of a password manager became an important factor in the safety of insecure Wi-Fi connections.
More than just a memory store
The primary benefit of using a password manager when you may be on a network provided by an unknown or untrustworthy provider is to help prevent phishing and machine-in-the-middle (MiTM) attacks.
These attacks can often direct a victim to a fake look-a-like domain, tricking them into believing they are logging into Facebook, Gmail or another “credible” source. This is because the cybercriminals behind the look-a-like redirection attacks can obtain a Transport Layer Security (TLS) certificate for the fake domains.
Password managers know that a fake domain won’t match the exact domain used by a real service and, in general, will refuse to submit your credentials to attempted phishing scams.
There are other attacks that can occur over Wi-Fi though, so are password managers any good at helping prevent those attacks as well?
Putting password managers to the test
I decided to focus on two other attack styles: the downgrade attack and an attack that uses a fake certificate but still impersonates the real domain of the service provider they are trying to phish victims from, hoping the victim will bypass the browser warning.
For my test, I chose the eight most common ways of managing passwords: Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari/Keychain, LastPass, 1password, Dashlane, and Bitwarden.
To conduct the test, I set up a fake website impersonating a popular news website that allows you to “sign in” to customise your news feed. The site uses TLS encryption but does not advertise a HSTS header. This allowed me to login to an account on the real site, store the password in the password manager tool and then perform both of my attacks.
Test 1: Password managers vs. unencrypted sites
The first attack was to hijack the DNS and redirect myself, aka the “victim,” to an unencrypted HTTP version of the site controlled by the would-be attacker. This would allow me to see if users on unprotected Wi-Fi could count on their password manager to protect them against this type of attack.
The first three I tested passed with flying colours. Google Chrome, Mozilla Firefox, and Microsoft Edge all refused to surrender my stored password. Next up was 1password and Dashlane, both of which didn’t fare quite as well; they warned me the connection was insecure, but if I clicked in the password blank, they did offer to fill it.
Only 1password explained in its warning that the original password had been stored for an HTTPS connection and required me to click OK to continue. This is great, but it does require users to read and understand what that means.
Safari, LastPass, and Bitwarden all offered to fill without warning.
It surprised me that in 2021 there are still tools that think signing into services without HTTPS is ok, especially when they originally stored the password for an HTTPS site.
Test 2: Password managers vs. sites with a forged TLS certificate
The next test was to secure my phishing site with a TLS certificate, but not one signed by a certificate authority trusted by the browser.
Users would need to accept a scary warning from their web browser for this to be possible, but we learned a long time ago that an alarmingly high percentage won’t take the time to read the messages that warnings contain and just proceed with whatever it is they are doing.
Once again, Google Chrome and Microsoft Edge passed with flying colours, but the others fared more poorly. All the others either auto-filled the passwords as if nothing was wrong, or happily filled them once I clicked inside of the password field on the imitation site.
While these behaviours are not technically vulnerabilities, I felt it was worth contacting the security teams of their respective organisations to ensure this was the intended behavior and inquire as to whether they would consider improving the behaviour to provide a higher level of protection against MiTM attacks.
Conclusion
The bottom line is that using a password manager is always better than not to ensure you have long, strong passwords. When they offer multi-factor authentication they are even better, and all the third parties do.
However, while the majority are resilient against HTTP downgrade attacks, there is still room for improvement. And when it comes to forged certificates, the burden is on you. Heed the warnings, don’t ignore them, and be especially suspicious when you are on networks you don’t trust.
(The writer is a principal research scientist at Sophos.)
Password managers can make your network more secure – but mind the gaps
24 Dec 2021
Password managers can make your network more secure – but mind the gaps
24 Dec 2021
Kapruka
Discover Kapruka, the leading online shopping platform in Sri Lanka, where you can conveniently send Gifts and Flowers to your loved ones for any event. Explore a wide range of popular Shopping Categories on Kapruka, including Toys, Groceries, Electronics, Birthday Cakes, Fruits, Chocolates, Automobile, Mother and Baby Products, Clothing, and Fashion. Additionally, Kapruka offers unique online services like Money Remittance, Astrology, Medicine Delivery, and access to over 700 Top Brands. Also If you’re interested in selling with Kapruka, Partner Central by Kapruka is the best solution to start with. Moreover, through Kapruka Global Shop, you can also enjoy the convenience of purchasing products from renowned platforms like Amazon and eBay and have them delivered to Sri Lanka.Send love straight to their heart this Valentine's with our thoughtful gifts!
Discover Kapruka, the leading online shopping platform in Sri Lanka, where you can conveniently send Gifts and Flowers to your loved ones for any event. Explore a wide range of popular Shopping Categories on Kapruka, including Toys, Groceries, Electronics, Birthday Cakes, Fruits, Chocolates, Automobile, Mother and Baby Products, Clothing, and Fashion. Additionally, Kapruka offers unique online services like Money Remittance, Astrology, Medicine Delivery, and access to over 700 Top Brands. Also If you’re interested in selling with Kapruka, Partner Central by Kapruka is the best solution to start with. Moreover, through Kapruka Global Shop, you can also enjoy the convenience of purchasing products from renowned platforms like Amazon and eBay and have them delivered to Sri Lanka.Send love straight to their heart this Valentine's with our thoughtful gifts!