PSA: Avoid using browser extensions of password managers

  • Last Updated: Jun 6th, 2021 8:33 pm
[OP]
Deal Addict
Apr 29, 2018
1200 posts
756 upvotes
Vancouver

Password Managers (cmpxchg8b.com) https://lock.cmpxchg8b.com/passmgrs.html

TL;DR Don’t use password manager extensions. The built-in browser password storing is safer (as long as your local machine is not compromised, which by itself is easier said than done). Or use the desktop app separately.

Stealing all saved passwords via a malicious site is a very real possibility. This has been demonstrated several times using LastPass.

They have also demonstrated being able to launch programs (or run any arbitrary code) on your system, via Chrome on Windows through the extension. Though do not expect any other browsers/OSes to be any more secure.

Other password managers have not received as much attention but are expected to be just as bad.

The core problem is that the JS extension has to interact with the desktop app via IPC & due to the nature of browsers it is often trivial for a site to exploit this.

EDIT: Not many people realize this, but websites are essentially unverified code written by a stranger, running on your system. It is a good idea to try and limit the amount of ways they can interact with your system.
Last edited by kramer1 on Jun 6th, 2021 8:36 pm, edited 2 times in total.
Deal Addict
Sep 10, 2005
4747 posts
2102 upvotes
GTA
The extensions for password managers have been the weak point for a long time. I'm stuck with using the separate apps for as long as I can remember. KeePass and its derivatives have the autotype feature.

Bitwarden might be an exception to the above issue though. I don't think it injects JS.
[OP]
Deal Addict
Apr 29, 2018
1200 posts
756 upvotes
Vancouver
Been meaning to try KeePass/Bitwarden. Guess it’s time to get a self-hosted solution going.