At least you’re limiting exposure with managers like KeePassXC. The manager runs in a separate process and communicates with the extension via a local connection. You have to approve every password given out by the manager. So a malicious actor can’t just ask for every password under the sun. They could still read the contents of the password field once the extension has filled it if they manage to circumvent the restrictions set by the browser. But that’s no different from when you enter the password manually.
Comment on Should I use a "proper" password manager instead of Firefox?
Dave@lemmy.nz 3 weeks agoDoes this extend to also not using browser extensions for password managers?
renormalizer@feddit.org 3 weeks ago
Dave@lemmy.nz 3 weeks ago
Accessing every password would require a breach of the browser or the extension, right? Because the extension will only fill passwordds with a matching URL, so with the browser must be compromised to provide the wrong URL, or the extension compromised to accept a wrong URL? I am not sure how separating the extension and the manager helps with this?
renormalizer@feddit.org 3 weeks ago
To get every password, you’d have to exploit the password manager process itself. The manager asks you to approve every single password it hands out and you would know something is wrong if the extension starts asking for lots of passwords.
The separation keeps the memory where the passwords are stored away from the browser. No malicious code executing inside the browser can access it. Also, the protocol between the extension and the manager can be really simple and (hopefully) easy to get right without making exploitable mistakes.
It’s the Swiss cheese principle. The attacker has to break out of the website sandbox, get into the extension to copy the secret keys that are needed to impersonate the extension in the connection to the password manager, and exploit the password manager through that connection in order to get to the passwords. If any step fails (the holes in the cheese slices don’t align), the attack doesn’t get through.
Quacksalber@sh.itjust.works 3 weeks ago
Depends on the extension. If it auto-fills without interaction, it can be tricked into auto-filling credentials. Extensions like the one for KeePassXC only auto-fill after you clicked on the auto-fill icon.
Dave@lemmy.nz 3 weeks ago
Interestingly, auto-filling can also be more secure than just typing in your credentials, because the extensions will only fill if the site URL matches, where as people can be tricked into thinking they are on a different site.
Quacksalber@sh.itjust.works 3 weeks ago
It’s not auto-fill that is insecure, it’s auto-fill without interaction.