In recent years, password managers have become an indispensable asset for individuals and organisations, fortifying their IT infrastructure. However, while they deliver unparalleled convenience by securely storing and auto-populating login details and generating robust, unique passwords, they're not without vulnerabilities.
For example, a Google advisory published this year highlighted a concerning flaw where several password managers could be deceived into auto-filling credentials on unauthorized sites. This scenario serves as a pressing reminder that risk often shadows convenience for companies and users alike. It’s crucial to understand these vulnerabilities and maintain constant vigilance, especially concerning website auto-fill features.
The dual edges of password managers
Password managers are sophisticated applications designed to store an extensive database of a user's passwords, making the challenging task of remembering complex credentials a thing of the past. The primary key to this vault is a singular master password. Upon its input, users gain access to all their passwords within the manager.
Many of these utilities have automatic password generators, churning out complex credentials on demand. They offer the advantage of autofill capabilities, eliminating the manual chore of copying credentials – an advantage especially valuable for mobile device users.
However, given the potential vulnerabilities of the hosting servers, utilizing online password managers pose risks of their own. Hence, these tools considerably elevate security standards but don't offer absolute invulnerability.
CTO and Co-Founder, Jscrambler
The pitfalls of automatic auto-filling
Though conceived for bolstering security, password managers auto-fill functionalities can inadvertently populate credentials into dubious or malicious websites.
Cybercriminals deceive these managers by skillfully manipulating website components or crafting persuasive phishing sites. This becomes a greater issue when users don’t put in their due diligence to ascertain the site's authenticity and instead lean too heavily on the auto-fill feature. Such negligence could inadvertently hand over their credentials to adversaries, leading to potential account breaches.
Moreover, Google's advisory in January unveiled that several password managers were susceptible to mistakenly auto-filling credentials on untrustworthy pages, posing a tangible risk of account breaches for users.
Specifically, Safari browsers, and extensions, such as Bitwarden and DashLane, were identified as potentially auto-filling login details within forms embedded in sandboxed iFrames. Fortunately, by the advisory's release, these flaws had been addressed.
Understanding password managers
In light of these revelations, our security research team undertook comprehensive tests on prevalent browsers and password managers, evaluating their responses to same-origin and cross-origin iFrames, notably those unsandboxed.
Our observations highlighted Chrome and Firefox's robust security stance - neither auto-filled credentials nor presented the option. Contrastingly, the Edge browser did auto-fill the username or email field, although it left the password field untouched.
For password managers, Passbolt and 1Password emerged as frontrunners in security, refraining from both auto-filling and offering the option to users. BitWarden and LastPass, whilst adopting a different approach, present users with a precautionary prompt when credentials may be forwarded to a divergent domain. This pivotal prompt allows users to auto-fill or decline, even in unsandboxed cross-origin iFrames.
Secure password management not only relies on users choosing strong passwords but also using due diligence when choosing a password manager and utilizing its functions. We strongly recommend users disable any auto-fill features and only manually trigger the feature when users are confident that the form presented is legitimate and should be filled.
Best practices for a robust password
Password security is paramount, not only for individual users but for the broader integrity of databases. While protective mechanisms can counteract some user lapses, individuals remain particularly vulnerable when employing weak passwords. So, what constitutes a robust password?
1. Incorporate alphanumeric characters: While recent studies suggest that simply adding upper and lowercase letters might not drastically enhance password strength, their inclusion, even marginally, can fortify defences.
2. Embrace length: One of the most effective strategies is lengthening your password. Extended character sequences significantly challenge recovery attempts. Familiarise yourself with the latest methods advocating for comprehensive passwords.
3. Integrate symbols: Current research underlines the effectiveness of symbols. Their inclusion proves more potent than switching between upper and lowercase letters.
4. Prioritise unpredictability: Crafting unconventional passwords is key. Avoid the temptation of dictionary words or predictable sequences. Aim for originality, confounding potential intruders.
By adhering to these principles, users can significantly reduce their vulnerability in the digital sphere. Password management services require a two-way relationship. It’s important we don’t rely solely on this advanced technology and instead remain judicious and proactive in our online conduct. Despite being formidable allies in online security, they are not without their intricacies. Understanding the nuances and potential hazards linked to auto-fill features is central to user protection. We advocate for a more cautious stance - disable the automatic auto-fill function and opt for a manual trigger instead. Users should activate auto-fill exclusively when they are certain of the form's authenticity.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Pedro Fortuna, CTO and Co-Founder, Jscrambler.