Password Manager Chrome Extensions - Improve security by requiring click to load


Ned

New member
Jul 26, 2021
Hi all, thought I'd share something that occurred to me after Tavis Ormandy's blog about password managers and then hearing Steve's episode.

One of the biggest risks with the extension aspect of a PM like LastPass is that it injects JS on all pages you go to, in turn giving every site a potential opportunity to exploit that code. It seems to me this can be mitigated by setting the extension's "This can read and change site data" option in Chrome (done by right-clicking the extension icon in Chrome) to "When you click the extension". Side note: this is also a great setting for extensions you don't fully trust and rarely need.

Thus any time you need the extension to fill a login or CC you have to click the extension button. This does require you to reload the page, but it ensures you only put the extension's JS on sites you intend to log into.

I have tested this with LastPass for the past couple of weeks and it works pretty well. It does make it infeasible to just click the icon on any page (without then reloading the page) and search for something like a note, which I used to do, so instead I have switched to using the native app on my OS for things that are not actually related to the page I am on. Also, any new blank tab you open actually has the extension loaded already (it unloads when you navigate to any site in that tab, as this is a per-tab and per-domain click-to-activate requirement), so you can use that to find a site you want to open.

This would not mitigate all concerns, and having the LP extension logged in at all in any Chrome tab probably puts it one step closer to exploitation by any site, but this should cover some of the CVEs Tavis previously found with LastPass, such as https://bugs.chromium.org/p/project-zero/issues/detail?id=1225
 
Pretty much ANY useful plugin is likely doing the same. I have played around with creating plugins, and the way they're designed means you either have them running isolated on a page of their own, or else they're in the context of any pages they register to match. (Most just register for all pages.) See https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts
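To make the two points above concrete (an extension's content scripts run in the context of every page whose URL matches its registered patterns, and Chrome's "When you click the extension" setting withholds that access until the user clicks), here is an added example that is not code from this thread, from LastPass or from any real extension. It is a small Node.js audit that reads extension manifests and reports how far each one reaches. The manifest field names (manifest_version, content_scripts[].matches, host_permissions, permissions, the activeTab permission) are the real Chrome extension manifest schema; the three sample manifests and their names are constructed for this example.

```javascript
// Added example: classify Chrome extension manifests by page exposure.
// Manifest field names are the real schema; the sample manifests are constructed.

// Match patterns whose host part is a bare "*" reach every origin.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroadPattern(pattern) {
  if (BROAD_PATTERNS.has(pattern)) return true;
  // scheme://host/path -- a wildcard-only host means "every site".
  const m = /^(\*|https?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

function hostPermissions(manifest) {
  const version = manifest.manifest_version || 2;
  if (version >= 3) return manifest.host_permissions || [];
  // Manifest V2 mixes API names and host patterns in `permissions`.
  return (manifest.permissions || []).filter((p) => p === "<all_urls>" || p.includes("://"));
}

function assessManifest(manifest) {
  const injectPatterns = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const hosts = hostPermissions(manifest);
  const apiPerms = manifest.permissions || [];

  const broadInjection = injectPatterns.some(isBroadPattern);
  const broadHosts = hosts.some(isBroadPattern);
  // activeTab with no declared hosts and no declarative content scripts is the
  // manifest-level equivalent of Chrome's "When you click the extension" setting:
  // nothing runs in a page until the user clicks, and then only in that tab.
  const activeTabOnly = apiPerms.includes("activeTab") && injectPatterns.length === 0 && hosts.length === 0;

  let exposure;
  if (broadInjection) exposure = "script injected into every page you visit";
  else if (broadHosts) exposure = "may inject into any page (broad host permission, no declarative script)";
  else if (activeTabOnly) exposure = "only the tab you click the extension on";
  else exposure = "listed sites only";

  return { name: manifest.name, broadInjection, broadHosts, activeTabOnly, exposure };
}

// Constructed sample manifests (not any real extension's).
const ALWAYS_ON = {
  manifest_version: 3,
  name: "vault-always-on",
  permissions: ["storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["autofill.js"], run_at: "document_idle" }],
};

const CLICK_GATED = {
  manifest_version: 3,
  name: "vault-click-to-fill",
  permissions: ["storage", "activeTab", "scripting"],
  action: { default_title: "Fill login on this page" },
};

const SCOPED_MV2 = {
  manifest_version: 2,
  name: "one-site-helper",
  permissions: ["storage", "https://*.example.com/*"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["helper.js"] }],
};

function auditAll(manifests) {
  return manifests.map(assessManifest);
}

for (const r of auditAll([ALWAYS_ON, CLICK_GATED, SCOPED_MV2])) {
  console.log(`${r.name.padEnd(20)} ${r.exposure}`);
}
```

Flipping the Chrome setting does not change the installed manifest; it makes an "always on" manifest behave like the click-gated one for that browser profile, which is why the first sample is the one worth flipping. An extension that already declares only activeTab gains nothing from the setting, and an extension with a broad host permission but no content_scripts entry can still inject programmatically after a click, so the audit reports those two cases separately.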
Right, but not all extensions then have direct access to your password vault when exploited.

I should note there can be some buggy things when using LP like this, but generally for filling passwords it still works well. The buggiest thing is that updating passwords fails, so I just use the native app for that.
 
some buggy things when using LP

Well, specifically to LastPass, they have (and will tell you they require) a non-browser-resident piece of code if you want all features to work. (You need to download their installer from the website, not just the extension from your browser's "store".) Personally I refuse to do this, but support won't help you unless you do.
 
I've certainly gotten into the habit of doing a copy to the keyboard buffer when generating passwords, by clicking on the copy icon (either on a new site or when updating a password). I've had LP fail too many times to trigger the update script, and ended up having to recover an account that I had just set a password on and ended up without it in the LP vault. If that happens, I can just edit the password entry in the vault, paste the new password in, and save.

I've also given up on using LP's auto-update scripts. It fails to run on the majority of sites it offers to run on. I figure that's a cat-and-mouse game, where the sites in question keep changing their plumbing and LP can't keep up.

I will say, though, that adopting LP has completely changed my online password strategy. Formerly, I had a small batch of 'favorite' passwords that I used categorically, depending on the kind of data I thought I was protecting on that site (banking, email, etc.). After using LP for a few months and working on changing passwords on all the sites I encountered during my daily surfing, plus all the various 'reminder' emails that came in, I found that I had an astounding (to me, at least) 200-plus logins on various sites on the web. And I occasionally still find some old site I haven't accessed in years, and change the password there.

I'm a real believer in using a usable password vault, and advise all my friends, family, and colleagues to use one, also. I campaigned with the IT department at work to allow password vault programs, and LP was one of the ones that passed muster with them (and they can be pretty tough customers).
 
I've certainly gotten into the habit of doing a copy to the keyboard buffer when generating passwords, by clicking on the copy icon (either on a new site or when updating a password). I've had LP fail too many times to trigger the update script, and ended up having to recover an account that I had just set a password on and ended up without it in the LP vault. If that happens, I can just edit the password entry in the vault, paste the new password in, and save.
Sounds efficient... but don't forget to clear the buffer and/or copy something else to it afterward!

Steve has mentioned in the past that copying the password and pasting it into the password field first and then the username is good for security purposes.

If you want to keep your username out of the clipboard/buffer too, type a space after it and then Ctrl+Left to highlight the space, then Ctrl+X (or Ctrl+C followed by Del or Backspace to remove the space) to cut the space to the buffer/clipboard, leaving behind just the username in the username entry box.

Other password managers, such as Password Safe, have a "clear clipboard" button on the toolbar, which will accomplish the same thing, as well as keeping only the encrypted password vault in RAM while it's in use and clearing the clipboard whenever specified: after a period of time and/or when pwsafe is minimized or closed, etc.

That's all discussed in an early thread here on these forums, and its site can tell you much more as well as linking to the latest version for your favorite platform(s).