Safety of password managers as an addon to Firefox


squirrel (Active member, Oct 4, 2020)
This week's episode sent a chill down my spine when Steve was talking about crypto addons and the inadvisability of using them. I don't do crypto at all in any shape or form, but I do use Bitwarden on iOS and as an addon in Firefox using Linux. I gave up Windoze, I never did 10.

I'm now thinking that I shouldn't be using Bitwarden in a Linux Ubuntu Firefox. Can anyone persuade me that I don't need to worry and to carry on using it?
 
There is no way to remain perfectly safe, except to stay off the Internet and/or to turn off the PC and never use it. Otherwise, just keep your system/browser up to date, take all the usual steps to avoid getting malware on your system, and stay logged out of your password manager when it's not in use.
 
You should be fine assuming you are using 2FA with Bitwarden + strong master password. Also, make sure to go through all the options in Bitwarden to harden it to your satisfaction. Same advice with LastPass.

I would REALLY like to see @Steve and Leo address the elephant in the room regarding Bitwarden/Lastpass. We all know LastPass was bought and eliminated their free tier, but I would be curious to know if Steve’s LastPass recommendation still stands or if he jumped ship to Bitwarden.
 
Maybe more concerning is the move of most password managers to the cloud. Though they claim that most are moved encrypted, the idea of having all my keys in the cloud doesn't encourage me much. It becomes a more attractive target since thousands of people store their passwords there. Also, should a vulnerability in the methods used to be found, it would become a brighter light to attract the flies.

Though having my storage locally might not be more secure, I'm not that interesting to attack. Though nothing guarantees there isn't anything looming already inside my network or even my computer.

Some things shouldn't be sent to the cloud, but it has become the current model.
 
As it has been repeatedly said, you sacrifice convenience for security. I use an offline manager, and usually forget to sync my mobile with the main db. I will do it whenever I need to use a service from my phone. You can compartmentalize your logins into multiple vaults, and you don't need to sync all of them to your mobile.
 
Yes, I've been mulling this problem over the past few days and have come to the same conclusion as you, and I'm going to reshuffle everything along the lines you suggest. I'm currently looking up how to shift, or set up, the vault on my home network. Thanks for confirming my thoughts.
 
Regarding extra security for password manager content...

Don't know if this has been mentioned, but the passwords contained in the password manager don't necessarily need to be the password that will work for the login. For higher risk accounts (financial / domain name registrar / e-mail accounts used for password reset for financial accounts) one might apply a remembered rule to the password manager pre-filled password before hitting login (copy/paste from the PW manager to the login form, apply the rule, click login).

The rule would be adding/removing (or both) content at a specific position of the filled password (which is typically shown as a set of uniform dots).

Should an undesired party get access to the unencrypted password manager content, they still don't have a working password to copy/paste for the high risk accounts (and hopefully won't have a method to reset a password for a high risk account).
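As an added illustration of the memorised-rule idea above (example code, not from anyone in this thread): the vault holds one string, the site was registered with the rule-transformed string, and a stand-in for the site's salted-hash check shows that the vault value alone does not authenticate. The rule token and position are constructed, hypothetical values.

```python
import hashlib
import hmac
import os
import secrets
import string

# Hypothetical memorised rule: insert a short remembered token at a fixed
# position and drop the last character of what the vault auto-fills.
# Token and position are constructed example values that live only in the
# user's head, never in the vault.
RULE_TOKEN = "q7!"
RULE_POS = 4

def apply_rule(vault_password: str) -> str:
    """Turn the vault-stored string into the password the site actually accepts."""
    if len(vault_password) <= RULE_POS:
        raise ValueError("stored password too short for the rule")
    return vault_password[:RULE_POS] + RULE_TOKEN + vault_password[RULE_POS:-1]

def random_vault_password(length: int = 20) -> str:
    """What the password manager generates and stores for the site."""
    alphabet = string.ascii_letters + string.digits + "-_!?"
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Stand-in for the site's server-side check: PBKDF2-SHA256 over a per-user salt.
ITERATIONS = 100_000

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def demo() -> tuple:
    stored = random_vault_password()   # the only thing in the vault
    record = make_record(apply_rule(stored))   # what the site knows
    # Someone holding only the decrypted vault contents tries the stored value;
    # the owner applies the remembered rule first.
    vault_value_works = verify(record, stored)
    owner_works = verify(record, apply_rule(stored))
    return vault_value_works, owner_works   # expected (False, True)

if __name__ == "__main__":
    print(demo())
```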
 
Yes, very good idea, I do actually do just that for my high value accounts.
 
I've been using Bitwarden. For a couple of sites of value and one email account I just don't have them in BW. Those couple are kept in a 'scrambled' format on paper. That doesn't prevent all the vulnerabilities mentioned above (such as key loggers) but gives a little extra security in some cases.
 