
When you use a browser extension password manager, you give attackers an API to interact with your password manager via JavaScript or the DOM. That's how LostPass worked, and it's how many of the new attacks work, too. Desktop-based password managers have no such access, as they require compromising the local machine first, which is much harder than getting someone to visit a webpage.

Your password manager extension du jour might not be as bug-ridden as LastPass, but it suffers from the same risk vector if it's a browser extension. If you're using it in a corporate environment to share passwords, only one user of many now needs to be attacked to steal all of your passwords via a previously undisclosed bug. If you think criminals aren't mining LastPass and others for bugs right now, you're naive.

Any program that is not resident in your browser is safer than one that is.

Does this mean you should give up and not use a password manager at all? No, but the choice is trickier than these companies' marketing would lead you to believe.

What password managers should you use instead?

There are many choices in this category, and none of them suffers from the direct-access-via-JavaScript risk. If you do use one, do not install the browser extensions. Copy and paste the passwords from the app into your browser. I use pass because it's simple to understand for technical folks, but I have many friends who use KeePass.

If you are buying a password manager from a company, you should ask to see the details of their latest source code security review.
