It seems odd to imagine that one piece of software, which doesn’t even require a network connection, can improve the safety of your online life. But password managers certainly appear to fall into that category, though you do need to be extra diligent in how you secure them!
While performing research on modern Wi-Fi security, I was reminded how the use of a password manager became an important factor in the safety of insecure Wi-Fi connections.
More Than Just a Memory Store
The primary benefit of using a password manager when you may be on a network provided by an unknown or untrustworthy provider is to help prevent phishing and machine-in-the-middle (MiTM) attacks. These attacks can often direct a victim to a fake lookalike domain, tricking them into believing they are logging in to Facebook, Gmail or another “credible” source. The deception works because the cybercriminals behind the lookalike redirection attacks can obtain a Transport Layer Security (TLS) certificate for the fake domains.
Password managers know that a fake domain won’t match the exact domain used by a real service and, in general, will refuse to submit your credentials to attempted phishing scams. There are other attacks that can occur over Wi-Fi though, so are password managers any good at helping prevent those attacks as well?
Putting Password Managers to the Test
I decided to focus on two other attack styles: the downgrade attack, and an attack that uses a fake certificate but still impersonates the real domain of the service provider whose users the attacker is trying to phish, hoping the victim will bypass the browser warning. For my test, I chose the eight most common ways of managing passwords: Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari/Keychain, LastPass, 1Password, Dashlane, and Bitwarden.
To conduct the test, I set up a fake website impersonating a popular news website that allows you to “sign in” to customize your news feed. The site uses TLS encryption but does not advertise an HSTS header. This allowed me to log in to an account on the real site, store the password in the password manager tool and then perform both of my attacks.
Test 1: Password Managers vs. Unencrypted Sites
The first attack was to hijack the DNS and redirect myself, aka the “victim,” to an unencrypted HTTP version of the site controlled by the would-be attacker. This would allow me to see if users on unprotected Wi-Fi could count on their password manager to protect them against this type of attack.
The first three I tested passed with flying colors. Google Chrome, Mozilla Firefox, and Microsoft Edge all refused to surrender my stored password. Next up were 1Password and Dashlane, both of which didn’t fare quite as well: they warned me the connection was insecure, but if I clicked in the password blank, they did offer to fill it.
Only 1Password explained in its warning that the original password had been stored for an HTTPS connection and required me to click OK to continue. This is great, but it does require users to read and understand what that means. Safari, LastPass and Bitwarden all offered to fill without warning. It surprised me that in 2021 there are still tools that think signing into services without HTTPS is OK, especially when they originally stored the password for an HTTPS site.
Test 2: Password Managers vs. Sites with a Forged TLS Certificate
The next test was to secure my phishing site with a TLS certificate, but not one signed by a certificate authority trusted by the browser. Users would need to accept a scary warning from their web browser for this to be possible, but we learned a long time ago that an alarmingly high percentage won’t take the time to read the messages that warnings contain and just proceed with whatever it is they are doing. Once again, Google Chrome and Microsoft Edge passed with flying colors, but the others fared more poorly. All the others either auto-filled the passwords as if nothing was wrong or happily filled them once I clicked inside of the password field on the imitation site.
While these behaviors are not technically vulnerabilities, I felt it was worth contacting the security teams of their respective organizations to ensure this was the intended behavior and inquire as to whether they would consider improving the behavior to provide a higher level of protection against MiTM attacks.
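The fill decision that both tests probe, together with the exact-domain check described earlier, written out as an added example; it is not code from any of the password managers tested. The function name, the `tlsTrusted` flag and the `news.example` hostnames are assumptions made for illustration, and the exact-host comparison follows the article's description rather than any vendor's documented matching rule.

```javascript
// Added example: names, flag and hostnames are hypothetical, not any vendor's code.
// savedUrl   - page the credential was originally stored for
// pageUrl    - page now asking for the credential
// tlsTrusted - true only if the browser validated the certificate chain itself,
//              i.e. the user did not click through a certificate warning
function fillDecision(savedUrl, pageUrl, tlsTrusted) {
  const saved = new URL(savedUrl);
  const page = new URL(pageUrl);

  // The URL parser lowercases the host, so this is an exact, normalized comparison.
  // A lookalike domain fails here even when it presents a valid certificate.
  if (page.host !== saved.host) {
    return { fill: false, reason: "host-mismatch" };
  }
  // Test 1: saved over HTTPS, now requested over plain HTTP.
  if (saved.protocol === "https:" && page.protocol !== "https:") {
    return { fill: false, reason: "scheme-downgrade" };
  }
  // Test 2: correct hostname, but the certificate was not trusted by the browser.
  if (page.protocol === "https:" && !tlsTrusted) {
    return { fill: false, reason: "untrusted-certificate" };
  }
  return { fill: true, reason: "origin-match" };
}

// Constructed sample input using reserved example hostnames.
const SAVED = "https://www.news.example/login";
const CASES = [
  ["https://WWW.news.example/account", true],    // genuine site
  ["https://www.news-example.test/login", true], // lookalike domain, valid certificate
  ["http://www.news.example/login", false],      // Test 1: redirected to plain HTTP
  ["https://www.news.example/login", false],     // Test 2: certificate warning bypassed
];

function runCases() {
  return CASES.map(([url, trusted]) => fillDecision(SAVED, url, trusted).reason);
}

for (const [i, reason] of runCases().entries()) {
  console.log(`${CASES[i][0]} -> ${reason}`);
}
```

Only the first case returns `fill: true`; a tool that skips the second or third check reproduces the fill-without-warning behavior seen in Test 1 and Test 2.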