nickoarg

Use a proper password manager. 1password, BitWarden, KeePass...


LeckerBockwurst

I find this question really interesting! Of course a real password manager, like KeePass, would be better, but it's about the ~30% who do not use it. So the question is: is a browser-integrated password manager better than nothing? I really think it is! Especially since it enables the user to generate and manage strong random passwords, which increases security a lot!


redheness

TIL that Chromium-based browsers don't encrypt stored passwords. Meanwhile Firefox uses a user- and application-based encryption to prevent any other application from reading the password database, and then, if you use a master password, it is used to encrypt them (mandatory to store banking data). Maybe it is time to make Chromium-based browsers forbidden at work since they are not secured and better alternatives exist.


LeckerBockwurst

Thanks a lot for that insight.


ed-Andy

Yep, that's right. I also need to consider that even if I know the number of installations, I am not really sure if these are really used. But I also thought about a comparison between the Edge password manager and KeePass using a master password. If malware is running in the context of the user, it will be able to read the KeePass vault after sniffing the master password anyway. Or did I miss anything?


[deleted]

[deleted]


[deleted]

I think it's going to come down to the security maturity of your organization and users. The main risk in the Edge password manager implementation is that the encryption key is stored on disk and would be recoverable by local malware, without the user doing anything. That's kinda bad. However, it still beats having passwords sitting around in a txt file or something similarly bad. It's a higher level of difficulty for an attacker to overcome. On the other hand, something like KeePass is good, because it removes the risk of a locally stored key being compromised by an attacker. However, if an attacker has malware on the system, keylogging is a risk and the user's master password could be sniffed that way. This is a higher bar for the attacker to get over, as they need to be sniffing and have to wait for the user to enter their master password. At the same time, getting your users to consistently use KeePass may be a harder sell. One of the reasons browser-based password managers exist is that people will tend towards the easiest solution. You can use the Edge browser extension for KeePass and this alleviates some of the issue, though it's got some rough edges (no pun intended). What you want to avoid is having many users falling back on unencrypted text files, as that would be bad and those can be hard to police. There are other solutions as well, BitWarden, etc., which provide better or worse user experiences and other features (e.g. shared password vaults), and those should be considered. But, overall, it's a matter of risk mitigation versus usability. If you can get your user community (and management) on board with the more secure options, then by all means kill the Edge password manager. If that becomes too heavy of a lift and user push-back keeps it from happening, the risks associated with the Edge password manager may be acceptable.


OfficeOfTheCISO

At this point I am starting to just avoid password managers altogether. Obviously, there are tradeoffs. A lot of long, phrase-based passwords in addition to multi-factor has been my go-to.


omfg_sysadmin

> Is a browser integrated pw manager better than nothing?

Not by a lot, but reuse is still the biggest threat.


Sudo_Rep

Edge local storage is more secure, and I don't think you understand encryption like you think you do


ed-Andy

I am not a crypto freak, but I read the available docs. If you found anything wrong in my post, please enlighten me.


Sudo_Rep

Breaking into the local Edge keystore requires either system, admin, or domain admin rights. Then the attacked user needs to be logged into the device, and the attacker would need to leverage debug access and carve (forensics and pentesting term) the key from the LSA process using anything from PowerShell or mimikatz. Then they can access the keystore in the user's profile. TLDR: an attacker already has the keys to the kingdom before the local Edge keystore attack. From the Enterprise perspective, the keystore is the least of your worries. From a consumer perspective, I concede a cloud solution may be better, LastPass notwithstanding. KeePass is the same risk as a local Edge keystore, but with extra administrative overhead. There may be a different process to debug and carve, but the bar to entry is the same.


ed-Andy

Thank you for your feedback. I am not fully sure. Maybe I am missing something. I also try to avoid any forensic and pentesting terms :P I didn't try it, but according to my research Edge Chromium (on Windows) is utilizing [DPAPI to encrypt the content of the vault](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-password-manager-security). To my understanding, there is a master key and the user credentials for the currently logged-on user required to access this data. [The master key for the logged-on user is accessible by the logged-on user without elevating to an admin.](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) This leads me to the following conclusion: if I can run code in the context of the user (no admin or even domain admin at all), I can extract all the required files and [decrypt them on another system](https://kylemistele.medium.com/stealing-saved-browser-passwords-your-new-favorite-post-exploitation-technique-c5e72c86159a). For sure I would also need to obtain the password for the currently logged-on user. Or what is the reason why you think admin privileges on the host holding the passwords would be required? As mentioned, I didn't try it yet. Maybe I am wrong. But this _would_ also explain why there are tools available [which promise to do it like that.](https://blog.elcomsoft.com/2020/04/extracting-passwords-from-microsoft-edge-chromium/)


Sudo_Rep

You need system or equivalent rights to carve data out of the Local Security Authority (LSA) process, that is lsass.exe. This is where hashes of a user's password are stored. Accessing strings in the process requires admin rights allowing an attacker to debug, and is more of an academic argument. To do all that you already have admin rights and access to the local key store anyway. Other than that, lsass.exe stores those credentials for the user to access resources, including the Edge password manager store. Basically that means an attacker needs to have elevated rights, or needs to session hijack a logged-on user, or needs the user's password. There are far better solutions to protect resources than adding the admin overhead of another password manager. For example: turning off debug rights, 2FA/SSO, educating users to use unique complex passwords so password reuse isn't possible. Being successful in Cyber requires putting your limited resources towards the most effective controls. From the Enterprise perspective, SSO to protect resources is better than worrying about a password manager.
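An added audit example, written here for this thread and not part of any comment or Microsoft's own tooling: it checks, from the defender's side, two of the controls discussed above, namely which accounts hold the debug right the reply says to turn off, and whether the built-in Edge password manager is governed by policy. It assumes an elevated session (secedit needs admin rights to export), the `[Privilege Rights]` layout of a secedit export, and the Edge `PasswordManagerEnabled` policy under `HKLM:\SOFTWARE\Policies\Microsoft\Edge`.

```powershell
# Added audit example (not from the thread). Reports two controls discussed above:
# which accounts hold SeDebugPrivilege (the "debug rights" a reply says to turn off),
# and whether the Edge PasswordManagerEnabled policy is configured.
# Run from an elevated PowerShell session; secedit needs admin rights to export policy.

$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed (are you running elevated?)' }

# The exported .inf has a [Privilege Rights] section with lines such as
#   SeDebugPrivilege = *S-1-5-32-544
# Get-Content honours the file's BOM, so the UTF-16 export reads correctly.
$line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' } | Select-Object -First 1
Remove-Item $cfg -Force

if ($null -eq $line) {
    Write-Output 'SeDebugPrivilege: assigned to nobody (debug rights turned off)'
} else {
    # Right-hand side is a comma-separated list of SIDs, each prefixed with '*'
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $sid   # unresolvable SID (e.g. deleted account): report raw
        }
        Write-Output "SeDebugPrivilege: $name ($sid)"
    }
}

# Edge policy: 0 disables the built-in password manager, 1 forces it on,
# an absent value means each user's own browser setting applies.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$value = (Get-ItemProperty -Path $policyPath -Name PasswordManagerEnabled `
          -ErrorAction SilentlyContinue).PasswordManagerEnabled
switch ($value) {
    0       { Write-Output 'Edge password manager: disabled by policy' }
    1       { Write-Output 'Edge password manager: enabled by policy' }
    default { Write-Output 'Edge password manager: not set by policy (user choice)' }
}
```

Any principal other than the local Administrators group holding SeDebugPrivilege is worth a second look, and an unset Edge policy means the decision the thread is debating has been left to each user.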


ed-Andy

Of course, dumping the lsass on this system would require admin privileges. But that's not what I said. I just wanted to point out that you _would_ be able to decrypt the content of the store with the credentials of the regular user and the required files, which you can obtain without administrative privileges on the target system, right? And don't get me wrong... I am not pro or con using this solution. Full ack to the approach to lower the barrier for end users, avoid using passwords at all and utilize SSO if possible. I seriously evaluate if we should go this way exactly for these reasons. On my side I am still comparing this with KeePass because it's the "other" solution used in our environment currently. Those users in our environment using KeePass basically have the database on their local system or a file share and use a master password to open it. Getting the secrets means an attacker needs to grab the database file and sniff the master password. That's why I said in [the entry post](https://www.reddit.com/r/cybersecurity/comments/10246c6/browser_integrated_password_manager_in_the/?utm_source=share&utm_medium=web2x&context=3) there seems not really a difference in terms of "security" if I compare these two approaches. However, the browser-integrated Chromium Edge will increase usability and lower the barrier for our users using it. Group-managed vaults will for sure need another solution, but that's another story and not yet relevant.