Password Managers: Balancing Convenience and Security
Password Managers: Striking the Perfect Balance Between Ease of Use and Robust Security

Special Message: Dear Reader,
Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!
🌟 Introduction
Managing passwords has become a challenging task in today’s digital world. From banking to shopping, emails to social media, every account demands a unique and strong password.
The solution?
Password managers — the digital vaults designed to securely store, auto-fill, and generate passwords.
However, while they promise convenience and enhanced security, they come with their own set of challenges and risks.
This guide dives deep into the workings of password managers, how to use them effectively, and why you should be cautious about features such as auto-fill and synchronization.
🔑 What Are Password Managers?
Password managers are applications that securely store your online credentials, generate strong passwords, and help you manage them across accounts.
They ensure that you can have unique, complex passwords for every account without relying on memory.
🔑 Types of Password Managers
✔ Browser-Based Managers: Built into browsers, e.g. Chrome, Firefox, Safari.
✔ Dedicated Apps: Standalone applications that securely store passwords and provide advanced security features, such as encryption and multi-device synchronization.
✔ Cloud-Based Managers: Sync passwords across devices using encrypted cloud storage, e.g., Huawei Password Vault or Google Password Manager for Android.
⚙️ How Password Managers Work

Phase 1: User Logs into a Website
1. User enters login details
• The user types their username and password into the login form of a website.
2. Browser sends credentials to the website server
• The browser submits the entered credentials to the website’s server for authentication.
3. Server verifies credentials and responds
• The website server processes the login request, checks the credentials, and sends back an authentication response (successful login or failure).
Phase 2: Password Manager Prompts to Save Credentials
4. Browser prompts the user to save credentials
• If the login is successful, the browser asks whether to save the username and password in the password manager.
5. User confirms saving credentials
• The user selects “Save Password” (or a similar option), allowing the password manager to store the credentials.
6. Password Manager encrypts credentials and stores them securely
• The password manager encrypts the credentials before saving them in its local or cloud-based database.
Phase 3: Synchronization with Cloud Storage (Optional)
7. Browser syncs credentials to cloud storage (if enabled)
• If cloud synchronization is turned on, the browser uploads the encrypted credentials to a cloud storage service.
8. Cloud acknowledges the sync
• The cloud service confirms that the encrypted credentials have been stored and are available for retrieval on other devices.
Phase 4: User Returns to the Website
9. User revisits the website
10. Browser requests stored credentials from the password manager
• The browser automatically communicates with the password manager and requests the saved credentials.
11. Password Manager retrieves credentials and auto-fills them
• The password manager decrypts the stored credentials and fills them into the login fields on the website.
Phase 5: Auto-Filled Login and Authentication
12. Browser submits auto-filled credentials to the website
• The browser automatically sends the credentials to the website server for authentication.
13. Server verifies and logs in the user
• The website server processes the login request and grants access if the credentials are correct.
To sum up, a simplified view of the password manager process:
Storage: Passwords are encrypted and stored in a secure database.
Master Password: A single, strong password unlocks the database.
Auto-Fill: The manager retrieves and fills credentials when needed.
Synchronization: Passwords can sync across devices for ease of access (optional).
Practical Test - connecting to a website
A random test site, https://demo.testfire.net/ (server at 65.61.137.117), was accessed from Mozilla Firefox (client at 192.168.38.237) to check whether things work as purported. Below is what unfolded; let's break it down:

Table 1
The captured sequence shows the interaction between the client and the server during a secure login, including the role of the password manager. In summary:
1. TCP Handshake: The client initiates a connection to the server's port 443, performing a three-step TCP handshake to establish a reliable connection.
2. TLS Handshake: Following the TCP handshake, the client and server engage in a TLS 1.2 handshake to negotiate encryption parameters and establish a secure channel.
3. HTTPS Communication: With the secure channel in place, the client requests the login page and submits user credentials via HTTPS.
4. Password Manager Interaction:
• The browser prompts the user to save the credentials.
• Upon user confirmation, the password manager encrypts and stores the credentials securely.
• If cloud synchronization is enabled, the encrypted credentials are synced to the cloud via HTTPS.
5. Subsequent Login:
• When the user revisits the website, the password manager retrieves and auto-fills the stored credentials.
• The browser submits these credentials over HTTPS, and the server verifies them to grant access.
NB: Firefox encrypts passwords using 3DES (Triple DES) by default. However, modern Firefox versions also support AES-256 in newer profiles.
🤔 Why Aren’t They Used Effectively?
Studies highlight several barriers to effective adoption:
Trust Issues: Concerns about storing sensitive data in a single place.
Complexity: Many users find password managers too technical or inconvenient.
Risky Defaults: Features such as auto-fill and synchronization can unintentionally expose credentials if misused.
Web Browser Proliferation: Web browsers are now ubiquitous, even in Operational Technology (OT) environments. While browsers themselves may not inherently be the issue, the use of password managers within browsers in OT environments introduces significant security risks. Password managers in these spaces must be disallowed entirely to prevent exposure of sensitive credentials.
🚨 The Security Landscape: Risks and Concerns
Password managers enhance security, but they’re not immune to threats. Here are some common vulnerabilities:
1. Auto-Fill Risks
Auto-fill can expose credentials to attackers via invisible iFrames or malicious scripts on compromised websites.
2. Synchronization Dangers
Syncing passwords across devices increases the attack surface, especially if the cloud storage is compromised.
3. Rogue Wi-Fi Attacks
Connecting to a malicious Wi-Fi network can allow attackers to exploit auto-fill features and steal stored passwords.
4. Master Password Weakness
A weak or reused master password (primary password) can compromise the entire vault.
NB: if this password is not set, then all passwords can be retrieved effortlessly.
5. Physical Access Risks
Sharing laptops or failing to lock them can expose stored passwords to anyone with access to the device.
🛠️ How to Disable Auto-Fill and Synchronization
✗ Disable Auto-Fill on popular browsers
Microsoft Edge: ➔ Go to Settings > Profiles > Passwords.
➔ Toggle off Offer to save passwords and Sign in automatically.
Google Chrome: ➔ Go to Settings > Autofill > Password Manager.
➔ Toggle off Offer to Save Passwords and Auto Sign-In.
Firefox: ➔ Navigate to Settings > Privacy & Security > Logins and Passwords.
➔ Uncheck Autofill logins and passwords.
Safari: ➔ Open Preferences > Passwords.
➔ Deselect AutoFill user names and passwords.
✗ Disable Synchronization
Disabling synchronization matters because it stops your passwords from being reachable from every browser or device you have ever used. If synchronization is left enabled, any one compromised browser or device can expose all your stored passwords. Most password managers let you disable syncing:
In the settings menu, look for options such as “Sync” or “Cloud Storage” and turn them off. If you must keep synchronization for the convenience it brings, then make sure a master (primary) password is set up first.
✅ Best Practices for Using Password Managers
➔ Use Strong Master Passwords: Opt for long, randomly generated pass-phrases.
➔ Enable Multi-Factor Authentication (MFA): Add a second layer of security to your password manager.
➔ Avoid Public Wi-Fi: Use a VPN when accessing sensitive accounts.
➔ Audit Your Passwords Regularly: Check for reused or weak passwords.
➔ Be Cautious with Synchronization: Use it only if absolutely necessary and ensure data is encrypted.
🎯 Concluding...
The average person manages passwords for dozens of accounts—banking, emails, social media, work platforms, and more. This overwhelming number often leads to poor security practices, such as reusing passwords or writing them down. Password managers solve this challenge by securely storing and managing credentials, allowing users to create and maintain strong, unique passwords for every account (and possibly forgetting them!).
Password managers boost security but carry risks like phishing and unauthorized access with features like auto-fill and sync. To stay safe, disable unnecessary features, use a strong master password, and enable multi-factor authentication. Responsible use is key to maximizing their benefits while minimizing risks.
Thanks for reading - until next edition!