Editor’s note: This article is one of a three-part series exploring how secure internet users really are in 2021. Other articles in the series are The state of World Wide Web Security in 2021 and Don’t fear the Wi-Fi.

It seems odd to imagine that one piece of software, which doesn’t even require a network connection, can improve the safety of your online life. But password managers certainly appear to fall into that category, though you do need to be extra diligent in how you secure them! While performing research on modern Wi-Fi security, I was reminded how the use of a password manager became an important factor in the safety of insecure Wi-Fi connections.

The primary benefit of using a password manager when you may be on a network provided by an unknown or untrustworthy provider is to help prevent phishing and machine-in-the-middle (MiTM) attacks. These attacks can often direct a victim to a fake look-a-like domain, tricking them into believing they are logging into Facebook, Gmail or another “credible” source. This is because the cybercriminals behind the look-a-like redirection attacks can obtain a Transport Layer Security (TLS) certificate for the fake domains. Password managers know that a fake domain won’t match the exact domain used by a real service and, in general, will refuse to submit your credentials to attempted phishing scams.

There are other attacks that can occur over Wi-Fi though, so are password managers any good at helping prevent those attacks as well?

Putting password managers to the test

For my test, I chose the eight most common ways of managing passwords: Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari/Keychain, LastPass, 1Password, Dashlane, and Bitwarden. I decided to focus on two other attack styles: the downgrade attack and an attack that uses a fake certificate but still impersonates the real domain of the service provider they are trying to phish victims from, hoping the victim will bypass the browser warning. To conduct the test, I set up a fake website impersonating a popular news website that allows you to “sign in” to customize your news feed. The site uses TLS encryption but does not advertise an HSTS header. This allowed me to log in to an account on the real site, store the password in the password manager tool and then perform both of my attacks.
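The exact-domain matching described above, and how it relates to the downgrade and fake-certificate cases, sketched as an added example that is not from the original article or from any password manager's code. The vault entry, the news.example.com hostnames and the autofillDecision helper are constructed for illustration.

```javascript
"use strict";

// Constructed vault entry: the origin where the credential was saved.
const savedEntry = { origin: "https://news.example.com", username: "reader01" };

// Decide whether a saved credential may be offered on the current page.
// Hypothetical helper for illustration; returns { fill, reason }.
function autofillDecision(entry, pageUrl) {
  let saved, page;
  try {
    saved = new URL(entry.origin);
    page = new URL(pageUrl);
  } catch {
    return { fill: false, reason: "unparseable-url" };
  }
  // URL parsing lowercases the host, drops default ports and converts
  // internationalized names to punycode, so look-alike hosts compare unequal.
  if (page.hostname !== saved.hostname) {
    return { fill: false, reason: "host-mismatch" };
  }
  // Same host over plain HTTP: the page a downgrade presents when the site
  // sends no HSTS header.
  if (saved.protocol === "https:" && page.protocol !== "https:") {
    return { fill: false, reason: "scheme-downgrade" };
  }
  if (page.origin !== saved.origin) {
    return { fill: false, reason: "origin-mismatch" };
  }
  // A forged certificate on the real hostname yields this same origin, so this
  // check cannot see it; that case rests on the browser's certificate warning.
  return { fill: true, reason: "exact-origin-match" };
}

// Constructed page URLs covering the cases discussed in the article.
const samplePages = [
  "https://news.example.com/login",
  "https://NEWS.example.com:443/login",
  "https://news-example.com/login",
  "https://news.example.com.login.example.net/",
  "https://n\u0435ws.example.com/login", // Cyrillic "е" in place of Latin "e"
  "http://news.example.com/login",
];

function evaluateSamples() {
  return samplePages.map((url) => autofillDecision(savedEntry, url).reason);
}

for (const url of samplePages) {
  console.log(url, "->", autofillDecision(savedEntry, url).reason);
}
```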