Hot Take Password Managers Auto-filled Credentials on Untrusted sites

enaph

Thread author
Security shortcomings mean that multiple password managers could be tricked into auto-filling credentials on untrusted pages, security researchers at Google warn.

The team from Google went public with their findings on Tuesday (17 January), 90 days after notifying the applications – Dashlane, Bitwarden, and the built-in password manager bundled with Apple’s Safari browser – of the vulnerabilities.

Both Dashlane and Bitwarden have updated their software although Dashlane, at least, remains unconvinced that the bug represents any kind of security threat. The status of any fix for Apple’s Safari built-in password manager remains unconfirmed at the time of writing. The Daily Swig has asked Apple to comment and we’ll update this story as and when more information comes to hand.
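Added example (my own, not code from the Daily Swig article, Google's research or any vendor): a Python model of the auto-fill decision the article is about, showing how the URL match policy, plus an HTTPS check and a same-origin check for framed forms, decides whether an unrelated page receives a saved password. The policy names, the suffix list and the hosts are constructed for illustration.

```python
# Added example, not from the article or any password manager's source code:
# a minimal model of the decision a manager makes before auto-filling, to show
# how the URL match policy and two extra checks decide whether an unrelated or
# untrusted page receives saved credentials. Policy names are assumptions.
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: under these suffixes every
# subdomain belongs to a different party, so 'domain' matching must not cross them.
MULTI_LABEL_SUFFIXES = {"co.uk", "github.io"}


def registrable_domain(host):
    """eTLD+1 of a host, e.g. 'example.co.uk' for 'login.example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def autofill_allowed(saved_url, page_url, policy="host", top_url=None):
    """Return True if credentials saved for saved_url may be filled on page_url.

    policy: 'exact'  - scheme, host and path must all match
            'host'   - scheme and full host (subdomain included) must match
            'domain' - only the registrable domain must match (laxest)
    top_url: URL of the top-level document when the form sits in a frame;
             a frame whose origin differs from the top-level page is refused.
    """
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    # Never hand a password saved for an HTTPS site to a plain-HTTP page.
    if saved.scheme == "https" and page.scheme != "https":
        return False
    # A framed login form is filled only when the frame and the top-level
    # document share an origin (scheme, host and port).
    if top_url is not None:
        top = urlsplit(top_url)
        if (top.scheme, top.hostname, top.port) != (page.scheme, page.hostname, page.port):
            return False
    if policy == "exact":
        return (saved.scheme, saved.hostname, saved.path) == (page.scheme, page.hostname, page.path)
    if policy == "host":
        return (saved.scheme, saved.hostname) == (page.scheme, page.hostname)
    if policy == "domain":
        return registrable_domain(saved.hostname) == registrable_domain(page.hostname)
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    saved = "https://example.com/login"  # constructed saved vault entry
    for policy in ("exact", "host", "domain"):
        print(policy, autofill_allowed(saved, "https://other.example.com/", policy))
```

Run with the three policies to see that only the laxest, 'domain', fills on a sibling host; the frame and HTTPS checks refuse regardless of policy.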
 

piquiteco

Bitwarden never fills logins automatically unless you enable it in settings. 1Password also never fills logins automatically; you select the credentials manually before logging in. Sticky Password I disabled since I started using it. Dashlane I can't tell you about because I don't use it. 👍
 

Digmor Crusher

Not sure what you mean by automatically. With Bitwarden, if you're logged in you just go to any site you have saved and click on the login button; BW pops up for that site, you click on it and you're logged in.
 

piquiteco

Not sure what you mean by automatically. With Bitwarden, if you're logged in you just go to any site you have saved and click on the login button; BW pops up for that site, you click on it and you're logged in.
By default in Bitwarden this option is unchecked: "If a login form is detected, automatically perform an auto-fill when the web page loads." And then just below the checkbox comes this warning:
[screenshot: 1674372372538.png]
 

piquiteco

Regarding the topic: since BW has updated their software, does that mean it's safe to use autofill?
Yes, it is secure, but I wouldn't use auto-complete if I were you. Tomorrow or the day after a vulnerability arises, suddenly, when you least expect it, Bitwarden starts dumping your credentials on any website, and then you can have a headache. Remember, security, technology and convenience go hand in hand, but it comes at a price. Don't forget that. He who warns is a friend. ;)
 

HarborFront

Yes, it is secure, but I wouldn't use auto-complete if I were you. Tomorrow or the day after a vulnerability arises, suddenly, when you least expect it, Bitwarden starts dumping your credentials on any website, and then you can have a headache. Remember, security, technology and convenience go hand in hand, but it comes at a price. Don't forget that. He who warns is a friend. ;)
You can lock/unlock the vault in the extension.
 

n8chavez

If you really want to be safe you'd use KeePass, where your database is stored on space you control (encrypted cloud or local), use a keyfile (disguised as a random docx or jpg, stored somewhere different from your database), and your 15+ character password. Don't use any browser extension that ties into it. They are not needed if you learn the features of KeePass. Using any add-ons only potentially weakens its security.

At this point is it really worth it to use a cloud-based service where you cannot control the storage? I wouldn't trust any of them anymore.
 

Digmor Crusher

Trying Enpass now. I really like it: nice GUI, simple to set up, local storage, not a lot of bells and whistles, but it signs me into my sites quite easily; what more do I need? Tried KeePass as well; it was a total mess trying to figure it out. The only possible negative with Enpass in the free version is that it only allows 25 items for mobile vaults, but that's probably 20 more than I need anyway, as I never sign into anything on my phone except maybe Ticketmaster for concert or hockey tickets, or email.
 

HarborFront

Trying Enpass now. I really like it: nice GUI, simple to set up, local storage, not a lot of bells and whistles, but it signs me into my sites quite easily; what more do I need? Tried KeePass as well; it was a total mess trying to figure it out. The only possible negative with Enpass in the free version is that it only allows 25 items for mobile vaults, but that's probably 20 more than I need anyway, as I never sign into anything on my phone except maybe Ticketmaster for concert or hockey tickets, or email.

Enpass doesn't support non-code-signed browsers like Ungoogled Chromium and LibreWolf. Also, its Android app has trackers.

A detailed review here

 

Gandalf_The_Grey

If you really want to be safe you'd use KeePass, where your database is stored on space you control (encrypted cloud or local), use a keyfile (disguised as a random docx or jpg, stored somewhere different from your database), and your 15+ character password. Don't use any browser extension that ties into it. They are not needed if you learn the features of KeePass. Using any add-ons only potentially weakens its security.

At this point is it really worth it to use a cloud-based service where you cannot control the storage? I wouldn't trust any of them anymore.
Even KeePass is not totally safe; however, the creator doesn't agree:
** DISPUTED ** KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
 

HarborFront

If you really want to be safe you'd use KeePass, where your database is stored on space you control (encrypted cloud or local), use a keyfile (disguised as a random docx or jpg, stored somewhere different from your database), and your 15+ character password. Don't use any browser extension that ties into it. They are not needed if you learn the features of KeePass. Using any add-ons only potentially weakens its security.

At this point is it really worth it to use a cloud-based service where you cannot control the storage? I wouldn't trust any of them anymore.

Correct me if I'm wrong

Does KeePass copy&paste passwords? If yes, then any keylogger can capture what's on the clipboard, right? Does KeePass come with a time setting to clear the clipboard?

BW autofills using copy&paste passwords and it comes with a time setting to clear the clipboard. The time set to clear the clipboard can be chosen from the extension.
 

Arequire

Correct me if I'm wrong

Does KeePass copy&paste passwords? If yes, then any keylogger can capture what's on the clipboard, right? Does KeePass come with a time setting to clear the clipboard?
It does copy passwords and auto-clears the clipboard after a set amount of time (which can be changed in the settings).
 
