You’re sick of hearing this. The exhortations didn’t work in 2013 and they’re not going to work now. Sure. But the truth is that you need a password manager, and it’s worth it to take the time to set one up. At this point, even their shortcomings prove how vital they are.
Research published last week through Princeton’s Center for Information Technology Policy highlights a problematic feature in many browser-based password storage tools that’s actually being exploited by online advertising and tracking firms in practice. The issue is “autofilling,” whereby you store your usernames and passwords with your browser so it can fill in and submit those fields instantly on your behalf. This is convenient for safe sites, but has never been ideal security hygiene. Especially now that researchers have found third-party scripts built to prey on the autofill feature, harvesting email addresses for advertising and user tracking.
“Sometimes you find scripts that are heavily obfuscated that try to hide what they do. This tool wasn’t obfuscated at all, so the companies are pretty open with what they do,” says Gunes Acar, one of the researchers from Princeton’s CITP. “This tracking stood out because it’s very close to just breaching your password and stealing information. It could go way beyond the privacy concerns that we typically have about tracking.”
The security community has known about the potential dangers of credential autofilling for years, imagining a number of attacks to passively gather credentials over time or actively trick password managers into coughing up all sorts of data by impersonating one site after another. Some browsers like Chrome and Firefox have an option to turn autofilling off, but the default endures, because users like the convenience.
‘It’s very close to just breaching your password and stealing information. It could go way beyond the privacy concerns that we typically have about tracking.’
Gunes Acar, Princeton CITP
Even third-party password managers like LastPass have autofilling features. Only some products, like 1Password, have refused to offer autofilling at all. “People ask us for automatic autofill, it’s a commonly requested feature,” says Jeffrey Goldberg, a product security officer at AgileBits, which makes 1Password. “People post on our forums saying ‘your competitors have automatic autofill and you don’t. I need this feature.’ They like the idea of going to a website and just being logged in.”
The research from Princeton shows in practice, though, why security experts have warned about autofilling for so long. The team found trackers that exploited password management autofills on more than 1,000 websites—not a staggering number, but a sign that the technology is being implemented and may be spreading. The data-tracking companies the researchers looked at, AdThink and OnAudience, stop short of collecting passwords, and claim that they protect privacy by hashing (scrambling) the email addresses they collect using standard encryption protocols. But Acar and co-author Arvind Narayanan point out that hashes of email addresses can still be used as unique identifiers to build user profiles for advertising. And the companies don’t disagree that this is their goal.
“Datapoints are linked by unique pseudonymous identifiers,” AdThink said in a statement provided by director of product and communication Jonathan Métillon. “These hashes are compliant with regulations and provide an effective means of uniquely tracking consumers while preserving their privacy.” AdThink also says that the code the Princeton researchers found was “experimental,” and that it has since been deleted.
OnAudience similarly argues that users agree to this type of data collection and marketing in the terms of service of websites that incorporate the autofill scraping tools, and the company notes that because email addresses are hashed, it doesn’t have direct access to that data. “Suggestion that OnAudience.com collects users’ email addresses without their consent is false,” Cloud Technologies CEO Piotr Prajsnar says in a statement. “As a company which specializes in Big Data marketing, we obviously analyze the digital footprint, but we do our best to guarantee the complete anonymity of the web users. We follow all the data privacy regulations. We respect the web browser mechanisms which disable tracking of an individual user (e.g. Do Not Track flag). …We only use data which are available via web browsers.”
Password managers provide the crucial service of helping you avoid password reuse.
All password managers, even the lightweight in-browser options, attempt to identify phishing schemes and scams and avoid exposing data. But 1Password’s Goldberg argues that the underlying architecture of browsers makes it difficult for password managers to do this effectively in all cases. “There are the protections that we all have to make sure that you don’t fill credentials for paypal.com into paypal.evil.com,” he says. “Everybody has defenses against that. But the tools that we have to build those defenses are not really very good, because of how browser infrastructure is defined and works. So this is a known failure of the way that password managers have to deal with the anti-phishing stuff.”
To be clear, password managers without autofill can’t completely protect you either from a site that knowingly includes a script to lift the data you put into the username and password fields, or has been hijacked by hackers to do so. But password managers provide the crucial service of helping you avoid password reuse, and making it easy to change a password if you’re concerned that it’s been compromised.
And by choosing a robust password manager that allows you to turn auto-filling off, or that doesn’t offer it at all, you can minimize your risk. “I think password managers in general are a positive security feature—password reuse is a big problem,” Princeton’s Acar says. “But the defaults [to autofilling] should be reconsidered, users should be in the loop.”
Hopefully by now you’re convinced to actually start using a password manager. Right? Right. So here’s how to do just that, with two of the most prominent providers.
You set most password managers up the same way, and it’s not as annoying as it might seem. First, you create a master password that’s meant to be the only password you have to remember going forward. You want it to be solidly long and complicated—including some numbers and special characters if possible—to make it practically impossible for an attacker to guess.
That’s the hard part. Once you’ve committed that master password to memory, though, the password manager does everything else for you. It stores credential pairs when you enter them into websites, so you never need to manually enter them again, and it makes it easier to change your existing passwords, so you can update all the times you used “password789.”
Managers offer a random password generator tool in which you can control things like the length and number of special characters you want. And password managers can store lots of data, not just login credentials. They’re a good place to keep things like credit card numbers and insurance information, and most can even store files like PDFs or photos. They’re generally not the most convenient place to keep all your files, but it makes sense to use them for storing things like tax forms and photos of your driver’s license.
1Password is known for prioritizing strong, deliberate security, and has had few notable lapses or breaches since its release in 2006. (Thought not none, of course.) It’s slightly more expensive than other options at $36 per year for one person, $60 per year for a family of up to five people, or $65 for a one-time, single-user purchase. 1Password was originally developed for Apple products, but it has steadily expanded its offerings for Windows, Android, and ChromeOS. 1Password is engineered with a lot of options to control where your data goes, who holds it, and what your risk is. There are ways to use 1Password without storing any data in any cloud if that’s a priority to you, and it can also act as a two-factor authentication manager, like Google Authenticator or Authy. And as noted above, 1Password has never offered autofilling as an option, much less a default.
LastPass is one of the most popular and well-known password managers out there. It works with numerous platforms and users can access most of its features for free. The Premium offering, which includes a gigabyte of encrypted file storage, expanded support for two-factor authentication tokens like YubiKeys, and special customer service, is only $24 per year. LastPass has all the required features of storing your credentials and other sensitive data and letting you access them through standalone applications or browser extensions. It helps you change your passwords easily when needed and offers granular controls for things like autofilling so users can choose how they want the manager to behave. The main drawback to LastPass is its mixed security track record—the product has had a number of high-profile, critical bugs and there have even been some data breaches. Overall, LastPass has weathered these storms, but it’s worth noting.