It seems odd to imagine that one piece of software, which doesn’t even require a network connection, can improve the safety of your online life.
But password managers certainly appear to fall into that category, though you do need be extra diligent in how you secure them.
While performing research on modern Wi-Fi security, Chester was reminded how the use of a password manager became an important factor in the safety of insecure Wi-Fi connections.
READ MORE
We must be vigilant in combating cyber attacks
You must prepare your child for the fast changing digital technology era
Protect children against online sexual dangers
Fraud, cyber incidents and corruption are threats to businesses
Chester Wisniewski (pictured) is a principal research scientist at next-generation security leader, Sophos; he gives more insight into password managers and security.
More than just a memory store
The primary benefit of using a password manager when you may be on a network provided by an unknown or untrustworthy provider is to help prevent phishing and machine-in-the-middle (MiTM) attacks.
These attacks can often direct a victim to a fake look-a-like domain, tricking them into believing they are logging into Facebook, Gmail or another “credible” source. This is because the cybercriminals behind the look-a-like redirection attacks can obtain a Transport Layer Security (TLS) certificate for the fake domains.
Password managers know that a fake domain won’t match the exact domain used by a real service and, in general, will refuse to submit your credentials to attempted phishing scams.
There are other attacks that can occur over Wi-Fi though. Are password managers any good at helping prevent those attacks as well?
Putting password managers to the test
Let’s focus on two other attack styles: the downgrade attack and an attack that uses a fake certificate but still impersonates the real domain of the service provider they are trying to phish victims from, hoping the victim will bypass the browser warning.
The eight most common ways of managing passwords: Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari/Keychain, LastPass, 1password, Dashlane, and Bitwarden.
To conduct the test, Chester set up a fake website impersonating a popular news website that allows you to “sign in” to customize your news feed. The site uses TLS encryption but does not advertise a HSTS header. This allowed him to login to an account on the real site, store the password in the password manager tool and then perform both of my attacks.
Test 1: Password managers vs. unencrypted sites
The first attack was to hijack the DNS and redirect himself, aka the “victim,” to an unencrypted HTTP version of the site controlled by the would-be attacker. This would allow him to see if users on unprotected Wi-Fi could count on their password manager to protect them against this type of attack.
The first three passed with flying colors as they refused to surrender the stored password. The others didn’t fare quite as well, they warned that the connection was insecure, but when he clicked in the password blank, they did offer to fill it. The last three however offered to fill in the password without any warning.
It’s surprising that in 2021 there are still tools that think signing into services without HTTPS is OK, especially when they originally stored the password for an HTTPS site.
Test 2: Password managers vs. sites with a forged TLS certificate
The next test was to secure the phishing site with a TLS certificate, but not one signed by a certificate authority trusted by the browser.
Users would need to accept a scary warning from their web browser for this to be possible, but an alarmingly high percentage of people don’t take time to read the messages that warnings contain and just proceed with whatever it is they are doing.
Once again, the first three managers passed with flying colors, but the others fared more poorly. All the others either auto-filled the passwords as if nothing was wrong or filled them upon clicking inside the password field on the imitation site.
It is important to note however, that these behaviors are not technically vulnerabilities.
Bottom line
Using a password manager is always better than not to ensure you have long, strong passwords.
When they offer multi-factor authentication they are even better, and all the third parties do.
However, while the majority are resilient against HTTP downgrade attacks, there is still room for improvement. And when it comes to forged certificates, the burden is on you. Heed the warnings, don’t ignore them, and be especially suspicious when you are on networks you don’t trust.