
Autofill in password managers can allow login credentials to be stolen

226 points, by shacrw, almost 4 years ago

26 comments

crazygringo, almost 4 years ago
I get that this is a theoretical vulnerability, but there's no way I'm turning off automatic autofill. It's way too convenient.

If some site has an XSS vulnerability, then they've already got access to my session cookies, and have the ability to spoof a "you've been logged out, please log back in" screen where people could type in a password *anyways*.

If a site is vulnerable to XSS it's basically game over security-wise. Asking browsers and password managers not to autofill feels more like security theater at that point.

That being said, the browsers and password managers that require the username and password fields to actually be genuinely visible to the user on top, non-transparent, in the viewport, are doing the right commonsense thing, and really that seems entirely good enough.

(Obviously if you're a political dissident or a target of suspected corporate espionage or something then you'll take greater security precautions like not using a password manager at all for certain accounts -- I'm just talking about normal users here.)
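What the "genuinely visible: on top, non-transparent, in the viewport" requirement mentioned above looks like as a concrete check, written here as an added example (not code from the thread or from any password manager). It takes a constructed snapshot of a field instead of a live DOM, so the snapshot layout, the sample fields and the 0.1 opacity threshold are all assumptions of this example.

```javascript
// Added example, not code from the thread or from any password manager: a pure
// function modelling the "genuinely visible" test a manager can apply before
// automatic autofill. It takes a constructed snapshot of a field instead of a
// live DOM so it runs in plain Node. Snapshot layout (assumed for this example):
//   id              - the field's own id
//   rect            - { x, y, width, height } in viewport coordinates
//   viewport        - { width, height }
//   style           - { display, visibility, opacity } as getComputedStyle gives
//   topmostAtCenter - id that document.elementFromPoint() returns at the centre
function isGenuinelyVisible(field) {
  const { id, rect, viewport, style, topmostAtCenter } = field;
  const reasons = [];
  if (style.display === "none" || style.visibility !== "visible") {
    reasons.push("hidden via display/visibility");
  }
  if (Number(style.opacity) < 0.1) reasons.push("effectively transparent");
  if (rect.width < 1 || rect.height < 1) reasons.push("zero-size box");
  const inViewport = rect.x + rect.width > 0 && rect.y + rect.height > 0 &&
    rect.x < viewport.width && rect.y < viewport.height;
  if (!inViewport) reasons.push("outside the viewport");
  if (topmostAtCenter !== id) reasons.push("covered by another element");
  return { visible: reasons.length === 0, reasons };
}

// Policy: automatic fill only when the field passes every check; otherwise fall
// back to manual autofill (a click in the manager's UI), the distinction the
// article draws between the two kinds of autofill.
function autofillMode(field) {
  return isGenuinelyVisible(field).visible ? "automatic" : "manual-only";
}

// Constructed sample fields: an ordinary login box, and a 1x1 transparent box
// pushed off-screen under an overlay, the shape of hidden field the article
// warns about.
const VIEWPORT = { width: 1280, height: 800 };
const honestField = {
  id: "password", rect: { x: 200, y: 300, width: 240, height: 32 },
  viewport: VIEWPORT, topmostAtCenter: "password",
  style: { display: "block", visibility: "visible", opacity: "1" },
};
const hiddenField = {
  id: "password", rect: { x: -5000, y: 10, width: 1, height: 1 },
  viewport: VIEWPORT, topmostAtCenter: "overlay",
  style: { display: "block", visibility: "visible", opacity: "0" },
};
```

In a real extension the snapshot would be built from getBoundingClientRect(), getComputedStyle() and document.elementFromPoint() on the actual input element.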
emodendroket, almost 4 years ago
Perhaps I'm slow. But if someone's discovered an XSS vulnerability for the site you're on, can't they just as well steal your password when you type it in?
mjthompson, almost 4 years ago
Good advice. Ever since Tavis Ormandy set his sights on password managers, I have been a very sceptical user. I still use 1Password, but without the browser extension. Putting autofill aside, there's a couple of other concerns I have.

I am hesitant about recommending a password manager to the tech illiterate simply because one piece of malware could compromise the entire vault. In that respect, a sticky note is arguably *more secure* than a tech illiterate person using a password manager.

Also, I have my usual criticism of client-side browser encryption. Anyone who has the technical ability to compromise a cloud-based service can likely take it a step further and modify JavaScript files enabling total vault compromise. There is no easy way for a user to mitigate this risk.

Password managers must be a stop-gap measure only until webauthn is more widely deployed. I long for the day when phone-based webauthn keys are the norm, and I can stop fielding questions about password managers from friends and family.
1cvmask, almost 4 years ago
It's great that he differentiates the two different types of "autofill" in the beginning, and regretfully later on refers to automatic autofill as autofill.

-

"Autofill can be 2 types: automatic autofill (autofilling a password without user interaction) and manual autofill (autofilling a password after some user interaction - clicking in the password manager's UI). In the following article, the term autofill always means automatic autofill."

-

When we designed the SaaS PaaS password manager we opted for the manual autofill as it requires intent and thus mitigates against many of the highlighted attack vectors that come with "automatic autofill." In addition, the password manager extension has a session timeout and has no static master password at all (mitigating against replay attacks). You can only unlock the browser extension with passwordless MFA. The added advantage of this is that you can share your browser comfortably with others.

NB: worked on balancing usability and 2FA security.
elpatokamo, almost 4 years ago
Besides convenience, one of the benefits of autofill is that it offers some implicit feedback about potential phishing sites. For example, your O365 credentials shouldn't autofill on off1ce.com. If I was on a site and noticed that my credentials didn't autofill (or offer autofill) when they normally would, this would immediately raise some red flags for me.

The article does look at how password managers autofill on different levels of subdomains, which is relevant to my point above - a hijacked subdomain would be a problem for many of the password managers he tested.
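The subdomain question raised above comes down to which matching policy a manager applies before offering a saved login, so here is an added example (not code from the thread or from any real password manager) contrasting exact-host matching with registrable-domain matching. The suffix table, the policy names and the sample URLs are constructed for this example and stand in for a real Public Suffix List.

```javascript
// Added example, not code from the thread or from any real password manager:
// two credential-matching policies a manager might use to decide whether a
// saved login belongs on the current page, with a tiny constructed suffix
// table standing in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "dev", "co.uk"]); // constructed subset

// Registrable domain (eTLD+1): "sso.corp.example.co.uk" -> "example.co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join(".");
}

// policy "exact-host": offer only on the exact host (and port) the login was
// saved for.
// policy "registrable-domain": offer on any subdomain of the same site, which
// is convenient for sso.example.com vs app.example.com but also hands the
// credential to a hijacked or user-controlled subdomain.
function shouldOffer(savedUrl, pageUrl, policy) {
  const saved = new URL(savedUrl);
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return false; // never fill onto plain HTTP
  if (saved.protocol !== page.protocol) return false;
  switch (policy) {
    case "exact-host":
      return saved.host === page.host;
    case "registrable-domain":
      return registrableDomain(saved.hostname) === registrableDomain(page.hostname);
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Constructed scenario mirroring the thread: a login saved for sso.example.com,
// a look-alike domain, and a sibling subdomain that someone else might control.
const SAVED = "https://sso.example.com/login";
const LOOKALIKE = "https://ex4mple.com/login";
const SIBLING = "https://uploads.example.com/profile";
```

The look-alike domain is refused under both policies, which is the phishing signal the comment describes; only the registrable-domain policy offers the login to the sibling subdomain.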
ChrisMarshallNY, almost 4 years ago
My password manager uses manual autofill. I'm not sure it even has auto autofill.

Thanks to AJAX, sites can get text entry immediately.

I remember a guy telling me about a store site he went to, and started to fill out the credit card form, but never completed the purchase. He never hit "BUY."

They charged his card anyway.
rudian, almost 4 years ago
I hate these articles. To steal the password you need malicious code running on the website. Autofill or not your data is taken.

The only action that needs to be taken by the browser or password manager is to specifically avoid autofilling *multiple* accounts. THAT is the problem here, not autofill itself.
system2, almost 4 years ago
God bless KeePass. Never have to deal with these. I just double click and ctrl+v whenever I need to use a pass. Takes an extra 3 seconds but I feel like I am not giving anything to the browsers to save.
TedDoesntTalk, almost 4 years ago
I don't see the vulnerability. His demo collects credentials then displays them ... all on the same domain websecurity.dev

So what? What am I missing?

How will he exfiltrate the data? With JS that posts it to another domain?
ziml77, almost 4 years ago
But autofill also adds a huge amount of safety. If I don't get a password autofill suggestion from my password manager, I'm going to be checking the site I'm on carefully to be sure it's not a phishing site.
xg15, almost 4 years ago
I agree, the danger of password theft seems rather low, but I wonder if this mechanism could be abused for tracking.

Imagine you're Facebook and you want to track your users on non-Facebook sites. Traditionally, this would be done with some iframe-embedded widget and 3rd-party cookies. But browsers are increasingly phasing out 3rd-party cookies, so that won't work anymore in the near future.

As an alternative, the widget could embed a username and password field. When the browser autofills the field, a script sends the credentials to Facebook, along with the site's URL. The account can be linked up without any cookies involved.

(This makes some assumptions I haven't verified: That autofill works in 3rd-party iframes and that the user gesture can be outside the iframe)

In more limited scope, this works for first-party cookies as well: If you logged out of a site and cleared your cookies, the site could use the autofilled credentials to associate your guest session with your account even without you actively logging in.
ishtanbul, almost 4 years ago
Bitwarden uses manual autofill which is nice. You hit Ctrl+Shift+L to fill.
zenexer, almost 4 years ago
I was fully prepared to berate this article for encouraging manual copy-pasting, which makes people far more prone to phishing attacks. However, it makes this important clarification:

> Autofill can be 2 types: automatic autofill (autofilling a password without user interaction) and manual autofill (autofilling a password after some user interaction - clicking in the password manager's UI). In the following article, the term autofill always means automatic autofill.
stabbles, almost 4 years ago
I wrote a little blog post about this in 2016: https://medium.com/@stabbles/why-you-should-disable-autofill-bf2e15c65b5c
nmstoker, almost 4 years ago
I'm confused because on my Pixel 4 where I use the built-in password manager (for Chrome and for apps) you always have to interact with the UI (not just the site) to agree to fill in the password but it's not at all inconvenient and sounds like it wouldn't allow the sort of weaknesses that the article describes. I confirmed on a site that I know has only one set of credentials stored (so it wasn't giving me a false sense of security due to that). Is there more than one form of Google password manager available, ie a regular version and a Pixel version?
nazrulmum10, almost 4 years ago
If login credentials are leaked on a site, it does not necessarily mean that an attacker has accessed the database. He could have just exploited an XSS or other client-side vulnerability and obtained login credentials from users who only followed the advice that they should use a password manager. So please, if recommending password managers, supply that users turn off autofill or be set to fill only upon user request by clicking in the password manager's UI.
carlbordum, almost 4 years ago
In my opinion, XSS is not a security issue autofill should deal with at all.

The real issue is if attackers can trick the autofill to fill in a password for a different site. I did a pentest for a password manager a few years ago, and if I remember correctly this type of exploit had been successful against multiple of the big password managers.
throwawayboise, almost 4 years ago
I disable all autofill as one of the first things I do on a new computer. Not just for passwords, for everything.
mlang23, almost 4 years ago
No shit sherlock!!! This headline reads like "If you shoot yourself in the foot, it might hurt!" :-)
xiphias2, almost 4 years ago
"After all, remembering dozens of unique passwords is almost impossible."

It's not dozens but hundreds, and it is impossible if the passwords are secure. The article may have good information, but the advice of turning off autofill and going back to remembering passwords is terrible.
foysaluix, almost 4 years ago
Please add features like secure notes, secure random password generator, credit cards, etc. And add premium features for M365 customers.

This is my password manager now and is going to replace LastPass once the above-mentioned features arrive.
yawaworht1978, almost 4 years ago
Where is the input of the pwd fields saved? Is it hashed then discarded before it goes to the database? Are the input events logged? Clipboard?

Never seen an explanation from any of the pwd managers and am curious.
StevePerkins, almost 4 years ago
If I weren't using autofill, then I would be re-using the same password for virtually every site. Because memorizing dozens or hundreds of strong passwords, many of which are forced to change periodically, is simply not humanly feasible.

So pick your poison. Passwords suck, and you're vulnerable no matter how you approach them. Best you can do is 2FA or biometrics, and even that's not perfect either.
scottmcdot, almost 4 years ago
It looks like 1Password _offers_ autofill. That would seem okay?
noduerme, almost 4 years ago
Not mentioned in the article -- a good way to prevent Chrome from ever recognizing the "same" field and attempting to autofill it is to include and randomize a "name=" attribute on all <input> tags, or else name them with a string including a unique user id. This should always be done on web apps. Otherwise the next user on a public computer will see autofill options from previous users.
blockarchitech, almost 4 years ago
I like password managers. It keeps people from writing them down on your desk or a notepad, so I'm all for it. I hate autofill. Any form of autofill, automated, user request, any of it. I would like people to just use a small button to open a 'mini instance' of the password manager, like an instant app (or app clips for iPhones), and copy your password that way. Autofill is also a huge security risk, excluding if they use biometric authentication. If they use a pin code, forget it. If an attacker is on your device in the first place, chances are they have your pin code. Autofill needs to be deprecated.