
closeneough | 4 years ago

I would NOT recommend the chrome password manager. If you sync your passwords, they will not be stored encrypted at the google side. You need to specifically set password encryption in the settings.

I've also spent a lot of time understanding password managers in my master's thesis. What I can recommend is: https://pfp.works/

The creator was auditing password managers like LastPass, found a lot of issues, and used his knowledge to create pfp, which does it right imho.


baobabKoodaa | 4 years ago

The instructions on the PFP website for how to do various things often begin with the following steps:

> Click PfP icon on any website

> Enter your master password

Can't a website just fake a PFP icon to induce you to reveal your master password, and now the website owner has access to all of your generated passwords? Isn't this exactly the type of attack that caused taviso to write OP?

closeneough | 4 years ago

PfP puts the icon in the browser bar to counter such actions. So the pop-up can only be opened this way, and the pop-up is in a different context than the website itself.

Yes the pop-up could be faked, but not the button.

Actually, Tavis Ormandy found a lot of security breaches in password managers that loaded GUI elements into the website. Not only can you fake them, but they are also susceptible to clickjacking.

anka-213 | 4 years ago

They did the thing that Tavis complained about: "No need to trust us, your data stays on your device (safely encrypted)"

You still need to trust that the software is secure.

closeneough | 4 years ago

Yes, you need to trust the software. But unless you don't store it on your computer at all, you need to trust software. The hard part is figuring out which software and whom to trust.

I would definitely use the browser password manager if I could choose where to sync the data to. I think it's possible with Firefox, but it's not straightforward.

I personally trust PfP, because the creator does audits of browser add-ons and publishes them on his blog. They are very well explained.

Also the code is quite compact compared to the other password managers. LastPass, 1Password and Bitwarden have more than 100,000 lines of code, including many third party dependencies. So an audit of PfP is more feasible.

dxld | 4 years ago

Could you share a link to your thesis?

closeneough | 4 years ago

It's still in the works and unfortunately I've written it in German. If you're still interested I'll share a link as soon as it's released. Should be sometime this summer.

whereistimbo | 4 years ago

Isn't it encrypted using the Google Account credential, if you don't specifically set a password?