iSECPartners password manager survey

Options
latteine
latteine
Community Member
in Lounge

The survey is located here.
https://www.isecpartners.com/research/white-papers/browser-extension-password-managers.aspx

1Password seems to have the least issues but they still point out some. (although they tested an old version of extension 3.9.19)

— automatic updates in an insecure manner by reaching out to an un-protected endpoint: http://updates.agilebits.com....

— ignored subdomains when comparing origins. That means that a login form encountered on https://forum.example.com will still be treated as equivalent to a login form encounteredonhttps://example.com/log_in—violatingthesame-originpolicy.

— None of the examined password managers appear to verify the login page for a remembered password on a given domain. For example, although Vimeo’s login page is hosted at https://vimeo.com/log_in, all of the examined password managers will detect login forms anywhere on the https://vimeo.com/ domain.

Would like to hear from the devs what do they think about it and if they're going to fix the issues that are (if any) still relevant.

This discussion has been closed.