Password Manager Chrome Extensions - Improve security by requiring click to load


Ned

New member
Jul 26, 2021
Hi all, thought I'd share something that occurred to me after Tavis Ormandy's blog about password managers and then hearing Steve's episode.

One of the biggest risks with the extension aspect of a PM like LastPass is that it is injecting JS on all pages you go to and in turn giving every site a potential opportunity to exploit that code. It seems to me this can be mitigated by setting the extension's "This can read and change site data" option in Chrome (done by right-clicking the extension icon in Chrome) to "When you click the extension". Side note: this is actually also a great setting for extensions you don't fully trust and rarely need.

Thus any time you need the extension to fill a login or CC, you have to click the extension button, which then does require you to reload the page, but it ensures you only put the extension's JS on sites you intend to log into.

I have tested this with LastPass for the past couple of weeks and it works pretty well. It does make it not feasible to just click the icon on any page (without then reloading the page) and search for something like a note, which I would do, so instead I have switched to using the native app on my OS for things that are not actually related to the page I am on. Also, any new tab you open that is blank actually has the extension loaded already (it unloads when you navigate to any site in that tab, as this is a per-tab and per-domain click-to-activate requirement), so you can use that to find a site you want to open.

This would not mitigate all concerns, and having the LP extension logged in at all in any Chrome tab probably puts it one step closer to exploitation by any site, but this should cover some of the CVEs Tavis previously found with LastPass, such as https://bugs.chromium.org/p/project-zero/issues/detail?id=1225

PHolder

Well-known member
Sep 16, 2020
Ontario, Canada

Ned

New member
Jul 26, 2021
PHolder said:
Pretty much ANY useful plugin is likely doing the same. I have played around with creating plugins, and the way they're designed means you either have them running isolated on a page of their own, or else they're in the context of any pages they register to match. (Most just register for all pages.) See https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts
Right, but not all extensions then have direct access to your password vault when exploited.

I should note there can be some buggy things when using LP like above, but generally for filling passwords it still works well. The buggiest thing is that updating passwords fails, so I just use the native app for that.
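To make the two models discussed above concrete, here is an added example (not code from the thread, from LastPass, or from any real extension). It contrasts a manifest that registers a content script for every page against one that has no content script at all and injects only into the active tab after the toolbar icon is clicked, which is the model Chrome's "When you click the extension" site-access setting imposes from the outside. The manifest fragments, the script name "fill.js", and the sample URLs are constructed for illustration; the match-pattern evaluator handles only the pattern shapes used here, not the full Chrome specification.

```javascript
// Added example: two ways an extension gets its JavaScript onto a page.
// Nothing here is taken from a real password-manager extension.

// 1. Broad registration (what most extensions do): a content_scripts entry
//    matching "<all_urls>" runs fill.js on every page the user visits, so
//    every site gets a chance to attack that script.
const BROAD_MANIFEST = {
  manifest_version: 3,
  name: "pm-broad (constructed)",
  content_scripts: [{ matches: ["<all_urls>"], js: ["fill.js"] }], // fill.js is hypothetical
};

// 2. Click-to-activate: no content_scripts. With the activeTab permission the
//    script is injected only into the tab where the user clicked the icon,
//    and only for that page load.
const CLICK_MANIFEST = {
  manifest_version: 3,
  name: "pm-click (constructed)",
  permissions: ["activeTab", "scripting"],
  action: {},
};

// Service-worker side of model 2. Guarded so the file also loads outside a
// browser (e.g. under Node for the checks below).
if (typeof chrome !== "undefined" && chrome.action && chrome.scripting) {
  chrome.action.onClicked.addListener((tab) => {
    chrome.scripting.executeScript({ target: { tabId: tab.id }, files: ["fill.js"] });
  });
}

// Minimal evaluator for Chrome match patterns: "<all_urls>" or
// scheme://host/path with '*' wildcards in host (leading "*.") and path.
function matchPattern(pattern, url) {
  if (pattern === "<all_urls>") return /^(https?|file|ftp):/.test(url);
  const m = /^(\*|https?|file|ftp):\/\/(\*|(?:\*\.)?[^/*]+)?(\/.*)$/.exec(pattern);
  if (!m) throw new Error("bad match pattern: " + pattern);
  const [, scheme, host = "", path] = m;
  const u = new URL(url);
  const schemeOk = scheme === "*" ? /^https?:$/.test(u.protocol) : u.protocol === scheme + ":";
  let hostOk;
  if (host === "*") hostOk = true;
  else if (host.startsWith("*.")) {
    const base = host.slice(2); // "*.example.com" also matches "example.com"
    hostOk = u.hostname === base || u.hostname.endsWith("." + base);
  } else hostOk = u.hostname === host;
  const escaped = path.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  const pathRe = new RegExp("^" + escaped.join(".*") + "$");
  return schemeOk && hostOk && pathRe.test(u.pathname + u.search);
}

// Would this extension's script end up running on `url`?
// `clicked`: the user clicked the toolbar icon in that tab for that page load.
function scriptRunsOn(manifest, url, clicked = false) {
  const scripts = manifest.content_scripts || [];
  if (scripts.some((cs) => cs.matches.some((p) => matchPattern(p, url)))) return true;
  const perms = manifest.permissions || [];
  return clicked && perms.includes("activeTab") && perms.includes("scripting");
}

// Constructed URLs: a site the user means to log into, and one they don't.
const SAMPLE_URLS = ["https://bank.example/login", "https://random-blog.example/post/1"];
for (const url of SAMPLE_URLS) {
  console.log(url,
    "| broad:", scriptRunsOn(BROAD_MANIFEST, url),
    "| click model, no click:", scriptRunsOn(CLICK_MANIFEST, url),
    "| click model, clicked:", scriptRunsOn(CLICK_MANIFEST, url, true));
}
```

Under the broad manifest both sample sites receive the script; under the click model only the tab the user actually clicked in does, which is the behaviour the thread describes. Note that Chrome's site-access setting gates host access per tab and per origin, so an extension that was written for model 1 still cannot reach a page until you click and reload, exactly the inconvenience mentioned above.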

PHolder

Well-known member
Sep 16, 2020
Ontario, Canada
Ned said:
some buggy things when using LP

Well, specifically to LastPass, they have (and will tell you they require) a non-browser-resident piece of code, if you want all features to work. (You need to download their installer from the web site, not just the extension from your browser's "store".) Personally I refuse to do this, but support won't help you unless you do.

Dave New

Member
Nov 23, 2020
I've certainly gotten into the habit of doing a copy to keyboard buffer when generating passwords by clicking on the copy icon (either on a new site or updating a password). I've had LP fail too many times to trigger the update script and ended up having to recover an account that I had just set a password on, and ended up without it in the LP vault. If that happens, I can just edit the password entry in the vault and paste the new password in, and save.

I've also given up on using LP's auto-update scripts. It fails to run on the majority of sites it offers to run on. I figure that's a cat and mouse game, where the sites in question keep changing their plumbing and LP can't keep up.

I will say though, that adopting LP has completely changed my online password strategy. Formerly, I had a small batch of 'favorite' passwords that I used categorically, depending on the kind of data I thought I was protecting on that site (banking, email, etc). After using LP for a few months and working on changing passwords on all the sites I encountered during my daily surfing, plus all the various 'reminder' emails that came in, I found that I had an astounding (to me, at least) over 200 logins on various sites on the web. And I occasionally still find some old site I haven't accessed in years, and change the password there.

I'm a real believer in using a usable password vault, and advise all my friends, family, and colleagues to use one, also. I campaigned with the IT department at work to allow password vault programs, and LP was one of the ones that passed their muster (and they can be pretty tough customers).

danlock

Well-known member
Sep 30, 2020
USA
Dave New said:
I've certainly gotten into the habit of doing a copy to keyboard buffer when generating passwords by clicking on the copy icon (either on a new site or updating a password). I've had LP fail too many times to trigger the update script and ended up having to recover an account that I had just set a password on, and ended up without it in the LP vault. If that happens, I can just edit the password entry in the vault and paste the new password in, and save.
Sounds efficient... but don't forget to clear the buffer and/or copy something else to it afterward!

Steve has mentioned in the past that copying the password and pasting it into the password field first and then the username is good for security purposes.

If you want to keep your username out of the clipboard/buffer too, type a space after it and then Ctrl+Left to highlight the space, then Ctrl+X (or Ctrl+C followed by Del or Backspace to remove the space) to cut the space to the buffer/clipboard, leaving behind just the username in the username entry box.

Other password managers, such as Password Safe, have a "clear clipboard" button on the toolbar, which will accomplish the same thing, as well as keeping only the encrypted password vault in RAM while it's in use, clearing the clipboard whenever specified... after a period of time and/or when pwsafe is minimized or closed, etc.

That's all discussed in an early thread here on these forums, and its site can tell you much more as well as linking to the latest version for your favorite platform(s).