Web Trackers Exploit Browser Login Managers

DooKey

Everyone knows that the built-in login managers that some people use to speed up login on oft-visited sites are vulnerable to cross-site scripting attacks that can result in usernames and passwords being stolen. Now there's a new exploit going around, and web trackers are using it to track your movements around the web. Some webpages are using third-party scripts to gather the email address from the auto-login and use it for tracking. The folks at Freedom-to-Tinker have discovered this on approximately 1,000 of 50,000 sites they analyzed, and while this isn't a huge number, it gives the savvy web browser one more reason not to use auto-login. Practice safe browsing habits [H].

> The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven't found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract email addresses for building tracking identifiers.
 
who lets anything save passwords and login information?

wow.

might as well hand out copies of your house keys.
 
I only save forum logins and Twitter, things like that. Financial sites I never save login or pass and I feel that works for me. If someone hijacks my Facebook or something I won't care.

Steam or PSN? Probably risky.
 
Question from the semi-security literate, what is more prevalent: key-logging hacks or exploits of password save features?
 
> who lets anything save passwords and login information?
>
> wow.
>
> might as well hand out copies of your house keys.

Been saying this about password managers for years..got shouted down by a bunch of people swearing that wasn't possible..Who's laughing now? Oh right! ME! HAHAHAHAAHAHA

Sorry I just have zero capacity for sympathy for such obvious points of failure.
 
i got this brain see...

and this crazy thing called a memory.


And most people using 'memory' just use the same login for all sites, typically with a crappy easy to remember password.... Top notch security right there, wcgw?

Password managers are ideal to keep your logins unique with complex passwords. But it should only input the login credentials on the correct login page, not any field in the page asking for email.

But adblock/uBlock/Noscript should keep users safe from this.
 
> And most people using 'memory' just use the same login for all sites, typically with a crappy easy to remember password.... Top notch security right there, wcgw?
>
> Password managers are ideal to keep your logins unique with complex passwords. But it should only input the login credentials on the correct login page, not any field in the page asking for email.
>
> But adblock/uBlock/Noscript should keep users safe from this.

i like that the first part was a broad statement.
 
How do you manage your passwords? On a piece of paper?

Yes. Has yet to be compromised by a rogue script, carefully crafted malware or some remote server getting hacked. Have multiple columns to handle the inevitable changed passwords. Have the master text file saved on a HD normally disconnected from my systems. Update the text file when the paper copy gets a bit ragged.

And web site owners still wonder why the number of folks running script blockers keeps growing.
 
> Yes. Has yet to be compromised by a rogue script, carefully crafted malware or some remote server getting hacked. Have multiple columns to handle the inevitable changed passwords. Have the master text file saved on a HD normally disconnected from my systems. Update the text file when the paper copy gets a bit ragged.
>
> And web site owners still wonder why the number of folks running script blockers keeps growing.

Why wouldn't you at least store it in an encrypted Onenote book or something? If malware scans your machine (while the drive is attached), it's gonna be looking for *.txt files for this exact reason.
 
> And most people using 'memory' just use the same login for all sites, typically with a crappy easy to remember password.... Top notch security right there, wcgw?
>
> Password managers are ideal to keep your logins unique with complex passwords. But it should only input the login credentials on the correct login page, not any field in the page asking for email.
>
> But adblock/uBlock/Noscript should keep users safe from this.

Unique and complex passwords are quite easy to remember. The problem is we have taught users entirely wrong on how to create a unique, complex and easy to remember password. The problem isn't passwords, the problem is improper teaching and application. Humans are incredibly good at pattern memorization and all our standard practices when it comes to technology security fail to take advantage of that fact. Password managers are nothing more than a poor crutch to make up for bad IT practices and poor security education.
 
> Unique and complex passwords are quite easy to remember. The problem is we have taught users entirely wrong on how to create a unique, complex and easy to remember password. The problem isn't passwords, the problem is improper teaching and application. Humans are incredibly good at pattern memorization and all our standard practices when it comes to technology security fail to take advantage of that fact. Password managers are nothing more than a poor crutch to make up for bad IT practices and poor security education.


No, password managers are 1 of the easiest methods to be more secure than 90% of the internet population..... You don't have to use the auto-login features, instead just use it for encrypted storage of all your passwords..... People are not going to remember 20+ different passwords for every site they use (I have to log in far more than that between work and home). You really think your parents/grandparents/non-tech friends are going to put that level of effort to be secure? Hell no, they are going to use some simple password across all sites and get bit in the ass sooner or later. They would be far more secure with a PM than without one.....
 
> Unique and complex passwords are quite easy to remember. The problem is we have taught users entirely wrong on how to create a unique, complex and easy to remember password. The problem isn't passwords, the problem is improper teaching and application. Humans are incredibly good at pattern memorization and all our standard practices when it comes to technology security fail to take advantage of that fact. Password managers are nothing more than a poor crutch to make up for bad IT practices and poor security education.

Yeah, users were taught that you had to have a ton of uppercase, lowercase, symbols, and random shit to have a secure password. But an arbitrary string of words (not a common phrase) with a single easily remembered kink thrown in can do the trick well. That creates a user who either uses a sticky note (password policies) to remember, or tries to never change their password.

Which is more secure?

5Et+%4"L=3
Length: 10
Entropy: 44.2 bits
Charset Size: 94 characters
Estimated Time to Crack: 53 years (obviously that doesn't take into account the advent of Quantum)
Note: Prevents dictionary attack. Bruteforce would take a long time (or a lot of machines).

sister-apr_icot-WINDOW-mask
Length: 27
Entropy: 133.5 bits
Charset Size: 74 characters
Estimated Time: 16 NONILLION YEARS (I don't know what a Nonillion even is ...)
Note: Prevents dictionary attack with a single character the user inserts to break a common word (forming two unknown strings). Length makes it extremely BruteForce unfriendly even with the reduced character size.

^ Now a random string generated of 27 char length would be even stronger. But the heck with remembering that.

I'd wager the latter one. Just don't use stuff you like. I love hockey and hate baseball. So if I was going to go with a sport, I'd pick something like soccer.

> No, password managers are 1 of the easiest methods to be more secure than 90% of the internet population..... You don't have to use the auto-login features, instead just use it for encrypted storage of all your passwords..... People are not going to remember 20+ different passwords for every site they use (I have to log in far more than that between work and home). You really think your parents/grandparents/non-tech friends are going to put that level of effort to be secure? Hell no, they are going to use some simple password across all sites and get bit in the ass sooner or later. They would be far more secure with a PM than without one.....

Agreed, there's a need for them. So many sites have login/passes these days, coming up with unique and rememberable passwords for each site that can't be easily reverse engineered is tricky. Many of us have our own tricks for securing passwords, but we're talking about the general public who seem to always use some form of:

(Kids Birthyear)(Kids/Pets Name)(Kids Age or Favorite Number)

I can't tell you how many times I've seen that pattern.
 
> Yeah, users were taught that you had to have a ton of uppercase, lowercase, symbols, and random shit to have a secure password. But an arbitrary string of words (not a common phrase) with a single easily remembered kink thrown in can do the trick well. That creates a user who either uses a sticky note (password policies) to remember, or tries to never change their password.
>
> Which is more secure?
>
> 5Et+%4"L=3
> Length: 10
> Entropy: 44.2 bits
> Charset Size: 94 characters
> Estimated Time to Crack: 53 years (obviously that doesn't take into account the advent of Quantum)
> Note: Prevents dictionary attack. Bruteforce would take a long time (or a lot of machines).
>
> sister-apr_icot-WINDOW-mask
> Length: 27
> Entropy: 133.5 bits
> Charset Size: 74 characters
> Estimated Time: 16 NONILLION YEARS (I don't know what a Nonillion even is ...)
> Note: Prevents dictionary attack with a single character the user inserts to break a common word (forming two unknown strings). Length makes it extremely BruteForce unfriendly even with the reduced character size.
>
> ^ Now a random string generated of 27 char length would be even stronger. But the heck with remembering that.
>
> I'd wager the latter one. Just don't use stuff you like. I love hockey and hate baseball. So if I was going to go with a sport, I'd pick something like soccer.


Even that second password has extra complexity for no reason. The easiest to remember is a short sentence, mix in a capital letter and add a number/symbol or 2. Auntanniesalligator3- is MUCH easier to remember and is complex enough to never be brute forced.
 
> No, password managers are 1 of the easiest methods to be more secure than 90% of the internet population..... You don't have to use the auto-login features, instead just use it for encrypted storage of all your passwords..... People are not going to remember 20+ different passwords for every site they use (I have to log in far more than that between work and home). You really think your parents/grandparents/non-tech friends are going to put that level of effort to be secure? Hell no, they are going to use some simple password across all sites and get bit in the ass sooner or later. They would be far more secure with a PM than without one.....
Because People were Taught BAD habits...The point clearly went straight over your head. The only reason why PW managers are a thing is because of Shitty password rules and people were taught a shitty way to create and memorize passwords.

> Yeah, users were taught that you had to have a ton of uppercase, lowercase, symbols, and random shit to have a secure password. But an arbitrary string of words (not a common phrase) with a single easily remembered kink thrown in can do the trick well. That creates a user who either uses a sticky note (password policies) to remember, or tries to never change their password.
>
> Which is more secure?
>
> 5Et+%4"L=3
> Length: 10
> Entropy: 44.2 bits
> Charset Size: 94 characters
> Estimated Time to Crack: 53 years (obviously that doesn't take into account the advent of Quantum)
> Note: Prevents dictionary attack. Bruteforce would take a long time (or a lot of machines).
>
> sister-apr_icot-WINDOW-mask
> Length: 27
> Entropy: 133.5 bits
> Charset Size: 74 characters
> Estimated Time: 16 NONILLION YEARS (I don't know what a Nonillion even is ...)
> Note: Prevents dictionary attack with a single character the user inserts to break a common word (forming two unknown strings). Length makes it extremely BruteForce unfriendly even with the reduced character size.
>
> ^ Now a random string generated of 27 char length would be even stronger. But the heck with remembering that.
>
> I'd wager the latter one. Just don't use stuff you like. I love hockey and hate baseball. So if I was going to go with a sport, I'd pick something like soccer.



> Agreed, there's a need for them. So many sites have login/passes these days, coming up with unique and rememberable passwords for each site that can't be easily reverse engineered is tricky. Many of us have our own tricks for securing passwords, but we're talking about the general public who seem to always use some form of:
>
> (Kids Birthyear)(Kids/Pets Name)(Kids Age or Favorite Number)
>
> I can't tell you how many times I've seen that pattern.

Looky looky..someone understands the actual problem. That said, even a sentence or completely normal words, if the sentence is long enough, works as well. The point, which you should get, is that !@#%FDDSAdasa4#$@! is a stupid as shit password that people never should have been taught.
 
> Because People were Taught BAD habits...The point clearly went straight over your head. The only reason why PW managers are a thing is because of Shitty password rules and people were taught a shitty way to create and memorize passwords.



> Looky looky..someone understands the actual problem. That said, even a sentence or completely normal words, if the sentence is long enough, works as well. The point, which you should get, is that !@#%FDDSAdasa4#$@! is a stupid as shit password that people never should have been taught.


No I get your point and agree about passwords being unnecessarily complex for no reason, but you're missing mine. Most people are not going to try and remember a different password for every site no matter how easy you try to make it. It's nice you do, but you're the exception. Regular joe-schmo is not going to, regardless of how he was taught to create easy passwords and told of the risk of not having unique logins. So if we can rule the lazy human part out of the security problem using a password manager and minimize the extent of breaches, why would anyone be against that?

If you spent any time working in IT, you would know how bad regular people are at setting/remembering passwords, even for a single site at work. Password resets are like the number 1 support issue..... It is beyond frustrating because I can't understand how someone can be that dumb, but then you remember we're tech people and have been around it for years/decades. Most people haven't.
 
> No I get your point and agree about passwords being unnecessarily complex for no reason, but you're missing mine. Most people are not going to try and remember a different password for every site no matter how easy you try to make it. It's nice you do, but you're the exception. Regular joe-schmo is not going to, regardless of how he was taught to create easy passwords and told of the risk of not having unique logins. So if we can rule the lazy human part out of the security problem using a password manager and minimize the extent of breaches, why would anyone be against that?
>
> If you spent any time working in IT, you would know how bad regular people are at setting/remembering passwords, even for a single site at work. Password resets are like the number 1 support issue..... It is beyond frustrating because I can't understand how someone can be that dumb, but then you remember we're tech people and have been around it for years/decades. Most people haven't.

Been doing IT security since win 2000..I don't support the philosophy of putting all your passwords into one basket under any circumstances. That pretty much violates everything I was ever taught about security. Yes people are awful at remembering passwords so instead I adopted teaching people how to create meaningful passwords instead. I find education eliminates far more "Stupid ticket spam" than simply encouraging what I view as a lazy habit.
 
A friend uses unique passwords for every website he has an account with and they are all in his head and not written down either. He says it is specially formulated so that it is just as good as random password generators. I'm very impressed and I guess it is as safe as it gets.
 
"The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager."
Good thing mine doesn't automatically fill in anything, it just gives a password when I click the button.

I do wonder if this applies to Chrome/Firefox/etc saving logins and autofilling them?
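A defender-side check for the mechanism in that quoted sentence, added here as an example (it is not code from the thread or from the Freedom-to-Tinker study): it scans page HTML for any form that contains a password field while being hidden by the hidden attribute or an inline style, which is exactly the kind of form a login manager would fill without the user seeing it. It only sees inline styles and attributes; class-based or off-screen CSS needs computed styles from a real browser. The HTML is constructed for the example.

```python
from html.parser import HTMLParser

# Inline declarations that make an element and its descendants invisible.
# Class-based rules and off-screen positioning are invisible to a plain HTML
# parser; in a browser you would consult getComputedStyle() instead.
HIDDEN_DECLARATIONS = {("display", "none"), ("visibility", "hidden"), ("opacity", "0")}
# Elements without a closing tag; they must never enter the nesting stack.
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}


def _is_hidden(attrs):
    """True if the element's own attributes hide it (hidden attr or inline style)."""
    if "hidden" in attrs:
        return True
    for decl in attrs.get("style", "").split(";"):
        prop, _, val = decl.partition(":")
        if (prop.strip().lower(), val.strip().lower()) in HIDDEN_DECLARATIONS:
            return True
    return False


class HiddenLoginFormFinder(HTMLParser):
    """Collects forms that hold a password input while hidden themselves or
    nested inside a hidden ancestor. A honeypot form with only hidden text
    fields is deliberately not reported: no password field, nothing to fill."""

    def __init__(self):
        super().__init__()
        self.open_elems = []   # (tag, is_hidden) for each currently open element
        self.open_forms = []   # forms being parsed, innermost last
        self.findings = []     # (form id/action, hidden password names, username-like names)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        hidden = _is_hidden(a)
        if tag == "form":
            self.open_forms.append({"id": a.get("id") or a.get("action") or "<anonymous>",
                                    "inputs": []})
        elif tag == "input" and self.open_forms:
            # Hidden if the input itself or any open ancestor (form, div, ...) is hidden.
            in_hidden = hidden or any(h for _, h in self.open_elems)
            self.open_forms[-1]["inputs"].append(
                (a.get("type", "text").lower(), a.get("name", ""), in_hidden))
        if tag not in VOID_TAGS:
            self.open_elems.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate stray closing tags.
        if tag not in VOID_TAGS and any(t == tag for t, _ in self.open_elems):
            while self.open_elems.pop()[0] != tag:
                pass
        if tag == "form" and self.open_forms:
            form = self.open_forms.pop()
            hidden_pw = [name for typ, name, hid in form["inputs"] if typ == "password" and hid]
            if hidden_pw:
                user_fields = [name for typ, name, _ in form["inputs"] if typ in ("text", "email")]
                self.findings.append((form["id"], hidden_pw, user_fields))


def find_hidden_login_forms(html):
    """Return one (form identifier, hidden password fields, username-like fields) per suspicious form."""
    parser = HiddenLoginFormFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: a real login form, an anti-spam honeypot (hidden text field,
# no password), and an injected invisible login form of the kind quoted above.
SAMPLE_HTML = """
<form id="login" action="/login">
  <input type="email" name="email"><input type="password" name="pass">
</form>
<form id="signup" action="/signup">
  <input type="text" name="user">
  <input type="text" name="website" style="display:none">
</form>
<div style="position:absolute; display: none;">
  <form id="tracker-login">
    <input type="text" name="username"><input type="password" name="password">
  </form>
</div>
"""

if __name__ == "__main__":
    for form_id, pw_fields, user_fields in find_hidden_login_forms(SAMPLE_HTML):
        print(f"hidden login form {form_id!r}: password={pw_fields} username-like={user_fields}")
```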
 
do these exploits decrypt the password?

can't do much with just a username.

oh wait, nevermind. Doesn't matter, I only save forum passwords and other useless shit on my browser.

I trust google will patch up any holes.
 
I use the password manager Keepass. It's not online and my master password for it couldn't fit in a tweet. I think I should be ok. A password manager is pretty much required for me at this point, I just checked and it currently has 414 entries.
 
> Why wouldn't you at least store it in an encrypted Onenote book or something? If malware scans your machine (while the drive is attached), it's gonna be looking for *.txt files for this exact reason.

Considering the drive in question only gets turned on a few times a year, small risk. An encrypted file implies the need for some type of password to access. My luck, given the low frequency of use, I would forget said password or lose the piece of paper it was written on. This drive is one I use for things like loosely scheduled 'quarterly' backups. I have a NAS for the daily/weekly stuff.
 
Each time I try to use a different password than usual, I'll forget it by the next time I'm trying to log in to that particular site / service. Might as well just use email confirmation to log in, as I have to reset the password every damn time.
 
Nothing wrong with keeping passwords on paper in a non-obvious place at home in this digital age.

At least that guy in Russia or wherever has to buy a ticket, fly to my country and physically break into my home to get them. In which case...respect the commitment.
 
I have a different password for every site. I do not write them down, I remember them. None of them are anything remotely associated with anything about me. None contain words you would find in a dictionary. The shortest one is 13 characters long.

I have a trick I use, but I cannot say what it is or I would be giving away part of the security. Sites that force passwords to contain specific things give away a lot of the security they are intending to force on people.

Rules like:
1) Must be between 8 and 16 characters long. (big no-no)
2) Must contain a mix of numbers, letters, and at least one non-alphanumeric (and now you have narrowed the break-in parameters).

Well, you get the point. The more a site makes rules about passwords, the easier it is to break those passwords.
 
> I have a different password for every site. I do not write them down, I remember them. None of them are anything remotely associated with anything about me. None contain words you would find in a dictionary. The shortest one is 13 characters long.
>
> I have a trick I use, but I cannot say what it is or I would be giving away part of the security. Sites that force passwords to contain specific things give away a lot of the security they are intending to force on people.
>
> Rules like:
> 1) Must be between 8 and 16 characters long. (big no-no)
> 2) Must contain a mix of numbers, letters, and at least one non-alphanumeric (and now you have narrowed the break-in parameters).
>
> Well, you get the point. The more a site makes rules about passwords, the easier it is to break those passwords.


There is nothing wrong with rule 2 and it doesn't really help the hacker. I have seen sites that say you can only use these 4 special characters though. That is stupid and definitely helps the hacker.

Rule 1 is stupid, and should just be minimum 8 characters. I absolutely HATE sites that put an upper limit, and 16 is too short for stuff like banks/CC.

Sites need to make complexity requirements for passwords or stupid people will just use their pets name or something else easily guessable.
 
What we really need is just to have a standard library of functions which can measure the security level of any given password and not make arbitrary rules for users.
 
> 5Et+%4"L=3
> Length: 10
> Entropy: 44.2 bits
> Charset Size: 94 characters
> Estimated Time to Crack: 53 years (obviously that doesn't take into account the advent of Quantum)
> Note: Prevents dictionary attack. Bruteforce would take a long time (or a lot of machines).
>
> sister-apr_icot-WINDOW-mask
> Length: 27
> Entropy: 133.5 bits
> Charset Size: 74 characters
> Estimated Time: 16 NONILLION YEARS (I don't know what a Nonillion even is ...)
> Note: Prevents dictionary attack with a single character the user inserts to break a common word (forming two unknown strings). Length makes it extremely BruteForce unfriendly even with the reduced character size.
>
> ^ Now a random string generated of 27 char length would be even stronger. But the heck with remembering that.
>
> I'd wager the latter one. Just don't use stuff you like. I love hockey and hate baseball. So if I was going to go with a sport, I'd pick something like soccer.

Really what you have is 4 dictionary words from the at-most-400 commonly used words subset.
400*400*400*400 -> 34 bits
Say you can mangle each one 100 different ways. = 100*100*100*100 to the above = 61 bits
Say you have the option of 20 different delimiters = 20*20*20 to the above = 72 bits
So if you do a random case on each word you are likely to do all lower, all UPPER, first character Upper & rest lower = 3*3*3*3 = 78 bits

Now if someone hacks one password from another site from your e-mail they will know your pattern and you don't vary how you mangle, change case or delimit. The extra bits from mangling, delimiting and changing case drop out and you're at 34 bits.

Because a password manager makes any length feasible, I use around 12 characters.
26 lower case + 26 upper case + 10 numbers + 10 punctuation marks = 72 unique characters in each position
72^12 = 74 bits.

So your approach is only better by 4 bits if you truly randomize all your word modifications and delimiters, which I doubt.
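Carrying that counting argument through in code, as an added example (not from the thread): each independent, uniformly random choice contributes log2(options) bits, the layers add, and once a leaked password reveals the mangling, delimiter and casing habits only the word choices remain secret. Figures are computed at full precision rather than rounded per step, and the guessing rate in the time estimate is an assumption for scale only.

```python
import math


def choice_bits(options):
    """Entropy of one uniformly random choice among `options` alternatives."""
    return math.log2(options)


def pattern_bits(words=4, vocab=400, manglings=1, delimiters=1, casings=1):
    """Strength of the passphrase model in the post: each word is drawn from a
    `vocab`-word list, mangled one of `manglings` ways and cased one of
    `casings` ways, and each of the words-1 gaps takes one of `delimiters`
    separators. Every choice is assumed independent and uniform, so bits add."""
    return (words * choice_bits(vocab)
            + words * choice_bits(manglings)
            + (words - 1) * choice_bits(delimiters)
            + words * choice_bits(casings))


def leaked_pattern_bits(words=4, vocab=400):
    """What is left once an attacker has learned the mangling, delimiter and
    casing habits from a leaked password: only the word choices stay secret,
    which is the same as a model with one option per habit."""
    return pattern_bits(words, vocab, manglings=1, delimiters=1, casings=1)


def random_bits(length=12, charset=72):
    """Strength of a manager-generated password: `length` independent draws
    from a `charset`-symbol alphabet (26 + 26 + 10 + 10 = 72 in the post)."""
    return length * choice_bits(charset)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try every candidate at an assumed offline guessing rate (for scale only)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    layers = [
        ("4 words from 400", dict()),
        ("+ 100 manglings per word", dict(manglings=100)),
        ("+ 20 delimiters", dict(manglings=100, delimiters=20)),
        ("+ 3 casings per word", dict(manglings=100, delimiters=20, casings=3)),
    ]
    for label, kwargs in layers:
        b = pattern_bits(**kwargs)
        print(f"{label:28s} {b:6.2f} bits  ~{years_to_exhaust(b):.3g} years")
    print(f"{'pattern known to attacker':28s} {leaked_pattern_bits():6.2f} bits")
    print(f"{'12 random chars from 72':28s} {random_bits():6.2f} bits")
```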
 
> And most people using 'memory' just use the same login for all sites, typically with a crappy easy to remember password.... Top notch security right there, wcgw?
>
> Password managers are ideal to keep your logins unique with complex passwords. But it should only input the login credentials on the correct login page, not any field in the page asking for email.
>
> But adblock/uBlock/Noscript should keep users safe from this.

Having unique passwords is good but I think it is unnecessary in the end for the average person. I also memorize my passwords but I use a "tier system" with complexity depending on importance. A simple password on sites which I do not give two shits about if someone guesses it because it doesn't contain any personal information on me, ending into a super complex one that I use ONLY for my email which I can use to restore if any of the previous tiers gets guessed or hacked. If I do have to change passwords when one tier gets leaked it won't affect the other tiers above and below it, much less websites to change passwords in.

Password managers could be more ideal in the long run, but I really have trouble trusting them...
 
> Having unique passwords is good but I think it is unnecessary in the end for the average person. I also memorize my passwords but I use a "tier system" with complexity depending on importance. A simple password on sites which I do not give two shits about if someone guesses it because it doesn't contain any personal information on me, ending into a super complex one that I use ONLY for my email which I can use to restore if any of the previous tiers gets guessed or hacked. If I do have to change passwords when one tier gets leaked it won't affect the other tiers above and below it, much less websites to change passwords in.
>
> Password managers could be more ideal in the long run, but I really have trouble trusting them...
One of the first things people do with a leaked e-mail/password database is try those combinations at other, especially similar, institutions. I think a bank like Chase or someone lost their users' e-mails and hashed passwords. The hashes can be cracked unless you were actually extremely random. Then you have Yahoo who lost it all a few years ago including account recovery questions. Try to remember everywhere you used the same account recovery questions and answers?
 