iluom
Contributor II

Browser plug-ins for Password Manager

Is a browser plug-in for a password manager really safe to use?

Chandra Mouli, CISSP, CCSP, CSSLP
5 Replies
MikeGlassman
Contributor II

Well, that is an interesting question.

 

Most modern browsers already have inbuilt password managers, so the real question is, why would you want an add-on?

Take into account that you don't really know what happens on the back end of any add-on, and it would be pretty simple to initiate an add-on that steals your credentials in the guise of securing it.

 

Personally, I would not use one.

Sincerely,

Mike Glassman, CISSP
Iguana man
AppDefects
Community Champion


@MikeGlassman wrote:

Well, that is an interesting question.

Most modern browsers already have inbuilt password managers, so the real question is, why would you want an add-on?

Take into account that you don't really know what happens on the back end of any add-on, and it would be pretty simple to initiate an add-on that steals your credentials in the guise of securing it.

Personally, I would not use one.


I agree. You can't trust what you do not know about the security model of an add-on. Best to use a separate program that does not rely upon the browser. Also, built-in password managers for browsers are for convenience, not security; there are lots of programs that can, when your machine is compromised, dump and exfiltrate your credentials.

denbesten
Community Champion

@iluom 

...Is a browser plug-in for a password manager really safe to use?...


Current thinking (see 800-63B §5.1.1.2) is that long, unique passwords per site are best and that password managers are a good way to encourage this behavior. How to implement this is fundamentally a risk vs. convenience tradeoff.

@AppDefects apparently feels that the entire browser environment is not a safe location for passwords, presumably copy/pasting passwords as necessary. If one can tolerate the inconvenience, this is excellent advice. I, on the other hand, need a bit more convenience to keep me from short-circuiting the process (e.g. using short passwords for sites I also need on my phone).

 

To decide if a plugin was safe, I evaluated:

  1. How widely it was used (e.g. LastPass claims 13.5 million installs, 1Password claims "millions"). The thought being that the more popular something is, the more scrutiny it gets from the press and from the experts.
  2. Impact to the supplier if the product were breached. I would prefer to stick with somebody who has lots to lose if they get it wrong (e.g. company goes out of business; employees lose jobs) vs. a product simply being abandoned or discontinued.
  3. Its reputation in the popular and trade press, app-store ratings, etc.
  4. How long it has been around and how completely it solves the problem.
  5. How the manufacturer makes money.  If they charge a reasonable subscription, they are less likely to need to do unsightly things to make payroll.

In the end, I found a few plugins I felt were "safe enough" for me.

 

@MikeGlassman raises an interesting related topic: are the built-in managers good enough? A few things I found tipped the scales for me:

  1. Included password generator makes "99 random character" passwords easy.
  2. Ability to "link" entries together, so that the same password automatically fills on login.live.com and login.office365.com.
  3. Works with web pages that oddly name the password field.
  4. Sync between my computers and between my browsers, so I don't need to update passwords in multiple places.
  5. Auto-fill into apps (gmail, banking, etc.) on my phone, so I don't have to deal with strong passwords on crappy keyboards.
  6. Audit function identifies accounts that use the same password, a long-lived password, or a weak password.
  7. Password history, so I can recover if something goes wrong with a password change.
  8. Comments field allows me to store answers to "3 security questions", which I also auto-generate instead of using factual data.
  9. Comments also allow storage of product keys, account numbers, etc.
  10. Can export the entire database to a clear-text CSV text file, which I occasionally put on a flash drive in my safe to protect against database corruption or vendor suicide.
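Items 1, 6 and 10 in the list above describe features a practitioner can reproduce locally, which is a useful way to sanity-check what a manager's audit report is telling you. The script below is an added example, not code from this thread or from any vendor named in it: it generates a 99-character password from a CSPRNG, parses a constructed clear-text CSV export (the column names `name,url,username,password,last_modified` are an assumption; real exports use vendor-specific headers), and flags entries whose password is reused across sites, weak by a rough entropy estimate, or older than a chosen age. The 60-bit and 365-day thresholds are assumptions chosen for the example.

```python
import csv
import io
import math
import secrets
import string
from collections import defaultdict
from datetime import date, datetime

# Constructed sample export (not a real vault). Column layout is an assumption;
# vendors use their own headers, so map them before feeding a real export here.
SAMPLE_CSV = """name,url,username,password,last_modified
Mail,https://mail.example.com,alice,correcthorse,2018-01-15
Bank,https://bank.example.com,alice,Tr0ub4dor&3,2020-06-01
Shop,https://shop.example.com,alice,correcthorse,2019-03-10
Forum,https://forum.example.com,alice,k7$Qz!pL2mV#9wXr@4Yb&Nc%Jh^Tg*Df,2021-02-20
"""

# Fixed "today" so the sample audit is reproducible (assumed date).
SAMPLE_TODAY = date(2021, 7, 1)

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 99) -> str:
    """Item 1: a long random password drawn from a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(pw: str) -> float:
    """Rough strength estimate: length * log2(size of the character classes present).

    This over-estimates dictionary-based passwords; it is a screening heuristic,
    not a cracking-resistance proof.
    """
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


def parse_export(text: str) -> list:
    """Item 10: read a clear-text CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(entries, today: date, min_bits: float = 60.0, max_age_days: int = 365) -> dict:
    """Item 6: report reused, weak and long-lived passwords.

    Returns {"reused": [[names sharing a password], ...],
             "weak": [names], "long_lived": [names]}; keys are absent when clean.
    """
    findings = defaultdict(list)

    # Reuse: group entry names by the exact password string.
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["name"])
    for names in by_password.values():
        if len(names) > 1:
            findings["reused"].append(sorted(names))

    for e in entries:
        if entropy_bits(e["password"]) < min_bits:
            findings["weak"].append(e["name"])
        modified = datetime.strptime(e["last_modified"], "%Y-%m-%d").date()
        if (today - modified).days > max_age_days:
            findings["long_lived"].append(e["name"])
    return dict(findings)


def audit_sample() -> dict:
    """Run the audit over the constructed export with the fixed date."""
    return audit(parse_export(SAMPLE_CSV), SAMPLE_TODAY)


if __name__ == "__main__":
    print("generated:", generate_password())
    for kind, items in audit_sample().items():
        print(f"{kind}: {items}")
```

Because the export is clear text, the script should only ever be run against a copy that lives on an encrypted, offline medium such as the flash drive in a safe mentioned above, and the copy should be destroyed afterwards; the same property that makes the CSV a good corruption backup makes it the most sensitive file on the machine while it exists.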
MikeGlassman
Contributor II

I like that response @denbesten.

Especially the bit about vendor suicide 🙂

Sincerely,

Mike Glassman, CISSP
Iguana man
AppDefects
Community Champion

A timely article in Ars Technica today: "My browser, the spy: How extensions slurped up browsing histories from 4M users". The term "DataSpii" used in the article was coined by Sam Jadali, the researcher who discovered—or more accurately re-discovered—the browser extension privacy issue