Hot Take Password Managers Auto-filled Credentials on Untrusted sites

enaph

enaph

Level 29
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,880
Security shortcomings mean that multiple password managers could be tricked into auto-filling credentials on untrusted pages, security researchers at Google warn.

The team from Google went public with their findings on Tuesday (17 January), 90 days after notifying the applications – Dashlane, Bitwarden, and the built-in password manager bundled with Apple’s Safari browser – of the vulnerabilities.

Both Dashlane and Bitwarden have updated their software although Dashlane, at least, remains unconvinced that the bug represents any kind of security threat. The status of any fix for Apple’s Safari built-in password manager remains unconfirmed at the time of writing. The Daily Swig has asked Apple to comment and we’ll update this story as and when more information comes to hand.
Click to expand...
portswigger.net

Popular password managers auto-filled credentials on untrusted websites

Dashlane, Bitwarden, and Safari all cited by Google researchers
portswigger.net portswigger.net
 
  • Like
  • Wow
Reactions: DeBenez, Dave Russo, CyberTech and 7 others
piquiteco

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Bitwarden never fills logins automatically unless you enable it in settings. 1password also never fills logins automatically, you select the credentials manually before logging in and Sticky Password I disabled since I started using it. Dashlane I can't tell you because I don't use it. 👍
 
  • Like
Reactions: Dave Russo, Stopspying, Azure and 1 other person
Digmor Crusher

Digmor Crusher

Level 25
Verified
Top Poster
Well-known
Jan 27, 2018
1,430
Not sure what you mean by automatically. With Bitwarden if your logged in you just go to any site you have saved and click on the login button, BW pops up for that site, you click on it and your logged in.
 
  • Like
Reactions: Dave Russo
piquiteco

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Digmor Crusher said:
Not sure what you mean by automatically. With Bitwarden if your logged in you just go to any site you have saved and click on the login button, BW pops up for that site, you click on it and your logged in.
Click to expand...
By default in Bitwarden this option is unchecked "If a login form is detected, automatically perform an auto-fill when the web page loads." And then just below the checkbox comes this warning
1674372372538.png
 
  • Like
Reactions: vtqhtr413, plat, Dave Russo and 3 others
piquiteco

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
HarborFront said:
Regarding the topic. Since BW has updated their software so it means it's safe to use autofill
Click to expand...
Yes, it is secure, but I wouldn't use auto-complete if I were you, tomorrow or the day after, a vulnerability arises, suddenly when you least expect it, Bitwarden starts dumping your credentials on any website, then you can have a headache. Remember security and technology and convenience go hand in hand, but it comes at a price. Don't forget that. He who warns is a friend.;)
 
  • Like
Reactions: vtqhtr413, enaph and Dave Russo
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
piquiteco said:
Yes, it is secure, but I wouldn't use auto-complete if I were you, tomorrow or the day after, a vulnerability arises, suddenly when you least expect it, Bitwarden starts dumping your credentials on any website, then you can have a headache. Remember security and technology and convenience go hand in hand, but it comes at a price. Don't forget that. He who warns is a friend.;)
Click to expand...
You can lock/unlock the vault in the extension
 
  • Like
Reactions: Dave Russo and piquiteco
n8chavez

n8chavez

Level 20
Well-known
Feb 26, 2021
972
If you really want to be safe you'd use keepass, where your database is store on space you control (encrypted cloud or local), use a keyfile (disguised as a random docx or jpg, stored somewhere different than your database), and your 15+ character password. Don't use any browser extension that tie into it. They are not needed, if you learn the features of Keepass. Using any addons only potentially weakens its security.

At this point is it really worth it to use a cloud-based service where you cannot control the storage? I wouldn't trust any of them anymore.
 
  • Like
Reactions: plat, Dave Russo, WhiteMouse and 2 others
Digmor Crusher

Digmor Crusher

Level 25
Verified
Top Poster
Well-known
Jan 27, 2018
1,430
Trying Enpass now, I really like it, nice gui, simple to set up, local storage, not a lot of bells and whistles but it signs me into my sites quite easily, what more do I need? Tried Keepass as well, it was a total mess trying to figure it out. The only possible negative with Enpass in the free version is that it only allows 25 items for mobile vaults, but that's probably 20 more than I need anyways as I never sign into anything on my phone except maybe for Ticketmaster for concert or hockey tickets or email.
 
Last edited:
  • Like
Reactions: Dave Russo
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
Digmor Crusher said:
Trying Enpass now, I really like it, nice gui, simple to set up, local storage, not a lot of bells and whistles but it signs me into my sites quite easily, what more do I need? Tried Keepass as well, it was a total mess trying to figure it out. The only possible negative with Enpass in the free version is that it only allows 25 items for mobile vaults, but that's probably 20 more than I need anyways as I never sign into anything on my phone except maybe for Ticketmaster for concert or hockey tickets or email.
Click to expand...


Enpass don't support non-code signed browsers like Ungoogled Chromium and LibreWolf. Also, its android app has trackers

A detailed review here

www.safetydetectives.com

Enpass Review 2024: Is It a Good Password Manager?

Is Enpass the best password manager for you? Is it safe and secure? How well will it protect your computer? Does it work well on mobile or just desktops? Find out all of this and more in this in-depth review of Enpass.
www.safetydetectives.com www.safetydetectives.com
 
  • Thanks
  • Like
Reactions: dinosaur07 and Dave Russo
Gandalf_The_Grey

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,414
n8chavez said:
If you really want to be safe you'd use keepass, where your database is store on space you control (encrypted cloud or local), use a keyfile (disguised as a random docx or jpg, stored somewhere different than your database), and your 15+ character password. Don't use any browser extension that tie into it. They are not needed, if you learn the features of Keepass. Using any addons only potentially weakens its security.

At this point is it really worth it to use a cloud-based service where you cannot control the storage? I wouldn't trust any of them anymore.
Click to expand...
Even Keepass is not totally safe, however the creator doesn't agree:
** DISPUTED ** KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
Click to expand...

NVD - CVE-2023-24055

nvd.nist.gov nvd.nist.gov
 
Last edited:
  • Like
  • Thanks
  • Hundred Points
Reactions: piquiteco, vtqhtr413, n8chavez and 5 others
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
n8chavez said:
If you really want to be safe you'd use keepass, where your database is store on space you control (encrypted cloud or local), use a keyfile (disguised as a random docx or jpg, stored somewhere different than your database), and your 15+ character password. Don't use any browser extension that tie into it. They are not needed, if you learn the features of Keepass. Using any addons only potentially weakens its security.

At this point is it really worth it to use a cloud-based service where you cannot control the storage? I wouldn't trust any of them anymore.
Click to expand...

Correct me if I'm wrong

Does KeePass copy&paste passwords? If yes, then any keylogger can capture what's on the clipboard, right? Does KeePass come with a time setting to clear the clipboard?

BW autofills using copy&paste passwords and it comes with a time setting to clear the clipboard. The time set to clear the clipboard can be chosen from the extension
 
  • Like
Reactions: piquiteco, Gandalf_The_Grey and upnorth
A

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
HarborFront said:
Correct me if I'm wrong

Does KeePass copy&paste passwords? If yes, then any keylogger can capture what's on the clipboard, right? Does KeePass come with a time setting to clear the clipboard?
Click to expand...
It does copy passwords and auto-clears the clipboard after a set amount of time (which can be changed in the settings).
 
  • Like
Reactions: plat and HarborFront

Similar threads

vtqhtr413
    • Like
    • +Reputation
Security News AutoSpill attack steals credentials from Android password managers
Replies
3
Views
1,717
Security News
vtqhtr413
vtqhtr413
BigWrench
    • Like
On Sale! NordPass Password Manager (1-Year Subscription) - Download $9.99 with code LABDDV24297
Replies
0
Views
384
Discounts and Deals
BigWrench
BigWrench
BigWrench
    • Like
    • Thanks
Unlimited Giveaway Sticky Password Premium is a free license for 1 year. For all devices
Replies
2
Views
1,627
Giveaways, Promotions and Contests
Brownie2019
Brownie2019

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top