Does this extend to also not using browser extensions for password managers?
Comment on Should I use a "proper" password manager instead of Firefox?
Quacksalber@sh.itjust.works 2 days ago
Your browser constantly runs 3rd party code and through its sheer complexity has a big attack surface. Password stealers regularly use flaws or social engineering to steal browser passwords. It is simply safer to use an application whose only function it is to store passwords securely.
Dave@lemmy.nz 1 day ago
Quacksalber@sh.itjust.works 1 day ago
Depends on the extension. If it auto-fills without interaction, it can be tricked into auto-filling credentials. Extensions like the one for KeePassXC only auto-fill after you clicked on the auto-fill icon.
Dave@lemmy.nz 1 day ago
Interestingly, auto-filling can also be more secure than just typing in your credentials, because the extensions will only fill if the site URL matches, where as people can be tricked into thinking they are on a different site.
Quacksalber@sh.itjust.works 1 day ago
It’s not auto-fill that is insecure, it’s auto-fill without interaction.
renormalizer@feddit.org 1 day ago
At least you’re limiting exposure with managers like KeePassXC. The manager runs in a separate process and communicates with the extension via a local connection. You have to approve every password given out by the manager. So a malicious actor can’t just ask for every password under the sun. They could still read the contents of the password field once the extension has filled it if they manage to circumvent the restrictions set by the browser. But that’s no different from when you enter the password manually.
Dave@lemmy.nz 1 day ago
Accessing every password would require a breach of the browser or the extension, right? Because the extension will only fill passwordds with a matching URL, so with the browser must be compromised to provide the wrong URL, or the extension compromised to accept a wrong URL? I am not sure how separating the extension and the manager helps with this?
renormalizer@feddit.org 1 day ago
To get every password, you’d have to exploit the password manager process itself. The manager asks you to approve every single password it hands out and you would know something is wrong if the extension starts asking for lots of passwords.
The separation keeps the memory where the passwords are stored away from the browser. No malicious code executing inside the browser can access it. Also, the protocol between the extension and the manager can be really simple and (hopefully) easy to get right without making exploitable mistakes.
It’s the Swiss cheese principle. The attacker has to break out of the website sandbox, get into the extension to copy the secret keys that are needed to impersonate the extension in the connection to the password manager, and exploit the password manager through that connection in order to get to the passwords. If any step fails (the holes in the cheese slices don’t align), the attack doesn’t get through.
paranoid@lemmy.world 2 days ago
This is the way. I use 1Password and love it.