
Password managers can make your network more secure – but mind the gaps

By Sara Okuoro | Dec 7th 2021 | 3 min read

It seems odd to imagine that one piece of software, which doesn’t even require a network connection, can improve the safety of your online life.

But password managers certainly appear to fall into that category, though you do need to be extra diligent in how you secure them.

While performing research on modern Wi-Fi security, Chester was reminded of how a password manager can be an important factor in staying safe on insecure Wi-Fi connections.

Chester Wisniewski is a principal research scientist at next-generation security leader Sophos; here he gives more insight into password managers and security.

More than just a memory store

The primary benefit of using a password manager when you may be on a network provided by an unknown or untrustworthy provider is to help prevent phishing and machine-in-the-middle (MiTM) attacks.

These attacks often direct a victim to a fake look-alike domain, tricking them into believing they are logging into Facebook, Gmail or another “credible” source. The deception works because the cybercriminals behind the look-alike redirection can obtain a Transport Layer Security (TLS) certificate for the fake domain, so the browser shows the padlock as usual.

Password managers know that a look-alike domain won’t match the exact domain used by the real service and, in general, will refuse to submit your credentials to the phishing site.

There are other attacks that can occur over Wi-Fi though. Are password managers any good at helping prevent those attacks as well?

Putting password managers to the test

Let’s focus on two other attack styles: the downgrade attack, and an attack that uses a forged certificate while still impersonating the real domain of the service provider, in the hope that the victim will click through the browser warning.

He tested the eight most common ways of managing passwords: Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari/Keychain, LastPass, 1Password, Dashlane and Bitwarden.

To conduct the test, Chester set up a fake website impersonating a popular news website that lets you “sign in” to customise your news feed. The site uses TLS encryption but does not advertise an HSTS header. This allowed him to log in to an account on the real site, store the password in each password manager and then perform both of his attacks.

Test 1: Password managers vs. unencrypted sites

The first attack was to hijack DNS and redirect himself, as the “victim”, to an unencrypted HTTP version of the site controlled by the would-be attacker. This would show whether users on unprotected Wi-Fi could count on their password manager to protect them against this type of downgrade.

The first three passed with flying colours, refusing to surrender the stored password. The others didn’t fare quite as well: they warned that the connection was insecure but, when he clicked in the password field, still offered to fill it. The last three, however, offered to fill in the password without any warning.

It’s surprising that in 2021 there are still tools that think signing into services without HTTPS is OK, especially when they originally stored the password for an HTTPS site.

Test 2: Password managers vs. sites with a forged TLS certificate

The next test was to secure the phishing site with a TLS certificate, but not one signed by a certificate authority trusted by the browser.

Users would need to accept a scary warning from their web browser for this to work, but an alarmingly high percentage of people don’t take the time to read what such warnings say and simply proceed with whatever they were doing.

Once again, the first three managers passed with flying colours, but the others fared more poorly: they either auto-filled the password as if nothing was wrong, or filled it as soon as he clicked inside the password field on the imitation site.

It is important to note, however, that these behaviours are not technically vulnerabilities.
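To make the three behaviours concrete, here is an added example written for this article; it is not code from Sophos or from any of the eight products tested. It models a password manager’s autofill decision as three checks (exact host match, no HTTP downgrade, trusted certificate) and replays the two tests against a “strict” policy that refuses and a “lenient” one that only warns. The site name, account, password and the `strict` option are all constructed for illustration.

```javascript
// Added example (not the article's or any vendor's code): a toy autofill policy.
// All URLs, usernames and passwords below are constructed for illustration.

// A stored credential remembers the origin it was saved under, not just the password.
function saveCredential(pageUrl, username, password) {
  const u = new URL(pageUrl);
  return { origin: u.origin, host: u.hostname, scheme: u.protocol, username, password };
}

// Decide what to do when a login form appears on `pageUrl`.
//   cred        - record returned by saveCredential()
//   tlsTrusted  - true only if the browser validated the certificate chain; false
//                 when the user clicked through a certificate warning (Test 2)
//   opts.strict - true: refuse outright (the "first three" behaviour);
//                 false: warn but still offer to fill (the middle group's behaviour)
function autofillDecision(cred, pageUrl, tlsTrusted, opts = { strict: true }) {
  const u = new URL(pageUrl);
  const soften = (reason) =>
    opts.strict ? { action: "refuse", reason } : { action: "warn", reason };

  // 1. Look-alike domain (phishing / MiTM redirection): the host must match exactly.
  //    No sensible policy softens this check, so it ignores opts.strict.
  if (u.hostname !== cred.host) {
    return { action: "refuse", reason: `host mismatch: ${u.hostname} != ${cred.host}` };
  }

  // 2. HTTP downgrade (Test 1): saved under https, now offered on plain http.
  //    Without HSTS the browser will load the http page, so this check is the
  //    manager's last line of defence.
  if (cred.scheme === "https:" && u.protocol !== "https:") {
    return soften(`downgrade to ${u.protocol.slice(0, -1)}`);
  }

  // 3. Forged certificate (Test 2): right host, but the chain did not validate.
  if (u.protocol === "https:" && !tlsTrusted) {
    return soften("certificate not trusted by the browser");
  }

  return { action: "fill", reason: "origin matches and connection is trusted" };
}

// Replay the article's scenarios against both policy flavours.
function runScenarios() {
  const cred = saveCredential("https://news.example/login", "reader", "constructed-Pa55word");
  const cases = [
    ["genuine site, valid cert",      "https://news.example/login",     true],
    ["look-alike domain, valid cert", "https://news-example.com/login", true],
    ["Test 1: http downgrade",        "http://news.example/login",      true],
    ["Test 2: forged cert",           "https://news.example/login",     false],
  ];
  return cases.map(([label, url, tlsOk]) => ({
    label,
    strict: autofillDecision(cred, url, tlsOk, { strict: true }).action,
    lenient: autofillDecision(cred, url, tlsOk, { strict: false }).action,
  }));
}

for (const r of runScenarios()) {
  console.log(`${r.label.padEnd(32)} strict=${r.strict.padEnd(6)} lenient=${r.lenient}`);
}
```

Run it with Node and the table shows the pattern from the tests: the look-alike domain is refused by both policies, while the downgrade and forged-certificate cases are refused only by the strict policy and merely warned about by the lenient one. The first check is what stops a credential going to a phishing domain; the other two are where the managers in the article diverged.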

Bottom line

Using a password manager is always better than not using one, if only to ensure you have long, strong passwords.

When they offer multi-factor authentication they are even better, and all the third-party managers tested do.

However, while the majority are resilient against HTTP downgrade attacks, there is still room for improvement. And when it comes to forged certificates, the burden is on you. Heed the warnings, don’t ignore them, and be especially suspicious when you are on networks you don’t trust.
