36 minutes ago by emodendroket
Perhaps I'm slow. But if someone's discovered an XSS vulnerability for the site you're on, can't they just as well steal your password when you type it in?
27 minutes ago by nhumrich
Except, if there is XSS, it's usually in user-submitted data, like a post. You wouldn't type in your password on a user post or alert box. And the login page is usually on a different page altogether, by itself.
9 minutes ago by emodendroket
I disagree about "usually." I would say it is very common now for the login controls to be in the sidebar and visible wherever. Not to mention how many things you would care about compromising are single-page apps or at least very rich apps that might just use a popover.
26 minutes ago by treve
Depends. Many applications will have their login screens on simple server-generated HTML forms without heaps of JavaScript, rendered by a service with higher security standards.
If an XSS vulnerability appears on some other page, it may not be the same page that normally has a login form.
Generally I'd say the gates are kinda open if XSS is possible, but many real exploits do require more than 1 vulnerability working together; so defense in depth applies.
an hour ago by 1cvmask
It's great that he differentiates the two different types of "autofill" in the beginning, and regretfully later on refers to automatic autofill as autofill.
-
"Autofill can be 2 types: automatic autofill (autofilling a password without user interaction) and manual autofill (autofilling a password after some user interaction - clicking in the password manager's UI). In the following article, the term autofill always means automatic autofill."
-
When we designed the SaaS Paas password manager we opted for the manual autofill as it requires intent and thus mitigates against many of the highlighted attack vectors that come with "automatic autofill." In addition, the password manager extension has a session timeout and has no static master password at all (mitigating against replay attacks). You can only unlock the browser extension with passwordless MFA. The added advantage of this is that you can share your browser comfortably with others.
NB: worked on balancing usability and 2FA security.
11 minutes ago by TedDoesntTalk
I don’t see the vulnerability. His demo collects credentials then displays them ... all on the same domain websecurity.dev
So what? What am I missing?
How will he exfiltrate the data? With JS that posts it to another domain?
an hour ago by mjthompson
Good advice. Ever since Tavis Ormandy set his sights on password managers, I have been a very sceptical user. I still use 1Password, but without the browser extension. Putting autofill aside, there are a couple of other concerns I have.
I am hesitant about recommending a password manager to the tech illiterate simply because one piece of malware could compromise the entire vault. In that respect, a sticky note is arguably more secure than a tech illiterate person using a password manager.
Also, I have my usual criticism of client-side browser encryption. Anyone who has the technical ability to compromise a cloud-based service can likely take it a step further and modify JavaScript files enabling total vault compromise. There is no easy way for a user to mitigate this risk.
Password managers must be a stop-gap measure only until webauthn is more widely deployed. I long for the day when phone-based webauthn keys are the norm, and I can stop fielding questions about password managers from friends and family.
40 minutes ago by emodendroket
A piece of paper is the most secure solution, sure, but once you get to the point where you have a hundred passwords, even if you've got them all in the same place, it's too unwieldy to use.
35 minutes ago by ericd
Time to revive the rolodex...
34 minutes ago by bmurphy1976
You still need 2FA and the 2FA absolutely should NOT be a part of your password manager. Use a different app at the very least.
This should help alleviate some of the worst password manager risks.
32 minutes ago by ishtanbul
Bitwarden uses manual autofill which is nice. You hit Ctrl+Shift+L to fill.
22 minutes ago by purplecats
Yeah, I have it autofill (it's a feature now) but it doesn't auto-login. So I built an extension that waits for it to fill it in, then performs some safety checks and then logs in.
Finally the bliss I had with LastPass before I was forced to move to Bitwarden.
16 minutes ago by rvz
Well, it still recognises and autofills the password on a different subdomain, as shown in the PoC, which is not good at all.
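The subdomain behaviour mentioned above comes down to the URL-matching policy a password manager applies before offering a saved login. The following is an added example, not code from the thread or from any password manager: three candidate policies side by side, evaluated on constructed hostnames (`accounts.example.com`, `blog.example.com`, `alice.github.io`, `mallory.github.io`). `PUBLIC_SUFFIXES` is a tiny constructed subset of the Public Suffix List, just enough for those hosts; a real implementation would load the full list.

```javascript
// Added example (not from the original thread or from any password manager's
// code): three URL-matching policies a password manager could use to decide
// whether a saved login is offered on the current page. PUBLIC_SUFFIXES is a
// tiny constructed subset of the Public Suffix List, just enough for the
// sample hosts used here.
const PUBLIC_SUFFIXES = new Set(['com', 'io', 'co.uk', 'github.io']);

// Registrable domain ("eTLD+1"): one label to the left of the longest public
// suffix the hostname ends with. Returns null if the hostname is itself a
// public suffix or ends in no known suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  if (PUBLIC_SUFFIXES.has(labels.join('.'))) return null;
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) return labels.slice(i - 1).join('.');
  }
  return null;
}

// Would a credential saved at savedUrl be offered on pageUrl?
//   'origin': scheme, host and port must all match (strictest)
//   'host':   hostname must match; scheme and port ignored (allows http downgrade)
//   'domain': same registrable domain (often called "base domain" matching)
function shouldOffer(savedUrl, pageUrl, policy) {
  const saved = new URL(savedUrl);
  const page = new URL(pageUrl);
  switch (policy) {
    case 'origin':
      return saved.origin === page.origin;
    case 'host':
      return saved.hostname === page.hostname;
    case 'domain': {
      const a = registrableDomain(saved.hostname);
      const b = registrableDomain(page.hostname);
      return a !== null && a === b;
    }
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Evaluate all three policies for one saved/page pair.
function matrix(savedUrl, pageUrl) {
  return {
    origin: shouldOffer(savedUrl, pageUrl, 'origin'),
    host: shouldOffer(savedUrl, pageUrl, 'host'),
    domain: shouldOffer(savedUrl, pageUrl, 'domain'),
  };
}

// Constructed scenarios.
const CASES = [
  // Login lives on accounts.*, an XSS lands on a user-content subdomain.
  ['https://accounts.example.com/login', 'https://blog.example.com/post/1'],
  // Two unrelated tenants on a shared public suffix: the PSL keeps them apart.
  ['https://alice.github.io/', 'https://mallory.github.io/'],
  // Same host over plain HTTP: a network attacker's injected page.
  ['https://accounts.example.com/login', 'http://accounts.example.com/login'],
];

for (const [saved, page] of CASES) {
  console.log(saved, '->', page, matrix(saved, page));
}
```

The first case is the one the comment above complains about: under registrable-domain matching, a credential saved on `accounts.example.com` is offered on `blog.example.com`, so an XSS on any sibling subdomain that can inject a login form reaches it; only origin or exact-host matching keeps the credential confined to the page it was saved on. The second case shows why the Public Suffix List, not a naive "last two labels" rule, must drive domain matching. The third case shows that host matching alone still hands the credential to a plain-HTTP page on the same host, which a network attacker can serve.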
2 hours ago by blockarchitech
I like password managers. It keeps people from writing them down on your desk or a notepad, so I'm all for it. I hate autofill. Any form of autofill, automated, user request, any of it. I would like people to just use a small button to open a 'mini instance' of the password manager, like an instant app (or app clips for iphones), and copy your password that way. Autofill is also a huge security risk, excluding if they use biometric authentication. If they use a pin code, forget it. If an attacker is on your device in the first place, chances are they have your pin code. Autofill needs to be deprecated.
43 minutes ago by itsananderson
If an attacker is on your device, they very likely have access to your clipboard, so how is that more secure? I cringe whenever my password manager's autofill fails and I have to fall back to copy/pasting, because I know that I'm now storing my password in system memory in plaintext. Most password managers clear the clipboard after some timeout, but that's hardly helpful against an on-device threat.
39 minutes ago by emodendroket
If the attacker has access to your device, you're going to be severely compromised no matter what you do. Why pretend otherwise?
24 minutes ago by itsananderson
True, if an attacker has control of your device you are probably screwed anyway, but there are still different degrees of screwed. There are more and less privileged portions of your system, and keeping sensitive data to less secure areas is still not a great idea. With browsers offering clipboard access as a JavaScript API, it is definitely an area I would consider less well secured than, say, read protected memory or a process-isolated browser extension sandbox.
30 minutes ago by blockarchitech
Both of your statements are valid. If an attacker has access to your device you are *severely* compromised and you can't do much. I am going off the idea that your password manager clears your clipboard history, however, but this is a valid and true statement. The thing is: nothing will be 100% secure. Ever. But if we evolve our security at the same rate that loopholes, etc. are being found, we can prevent data breaches, identity theft, etc. before they even happen.
29 minutes ago by tfigment
I like how gopass and gopass-bridge work on desktop in the browser, avoid the clipboard and are still easy to use once set up; I just wish it were easier to set up. I use passwdsafe on Android and like that it replaces the keyboard for entering credentials, but dislike the number of clicks it takes to work. Unfortunately, neither seems to be that popular, so they will never grow to the point that usability gets much better and others also benefit.
21 minutes ago by purplecats
Really comes at the cost of convenience; I just don't care thatttt much. For accounts that my real monies are in, I just don't keep them in account managers.
an hour ago by ChrisMarshallNY
My password manager uses manual autofill. I'm not sure it even has auto autofill.
Thanks to AJAX, sites can get text entry immediately.
I remember a guy telling me about a store site he went to, and started to fill out the credit card form, but never completed the purchase. He never hit "BUY."
They charged his card anyway.
an hour ago by seattle_spring
Chase Ultimate Rewards travel portal did this at some point in the past. I got to the checkout stage for a hotel booking, never booked, but it still deducted the points from my account. I had to call Chase CS to get them deposited back.
This was 5+ years ago, I assume it's been since changed for the better.
an hour ago by dylan604
Wait, what? That's super duper shady as shit. The darkest of dark patterns, and probably violates something more than my feelings. There have been many a time I've gotten all the way to the review and, just before hitting confirm/submit/buy/purchase/complete/etc., I've backed out because I had forgotten something or decided to check another site just to be sure. Luckily, nothing like this has ever happened to me.