Ignored URLs and Browser Extensions

There is no doubt that Browser Extensions make your browser-based life easier.  The ability to securely manage website logins, while reducing your attack surface through unique login credentials, should not be understated.  The statistics speak for themselves:

  • A 2018 Global Password Security Report revealed 50% of users reuse the same passwords for personal and work accounts
  • A 2019 online survey by Google identified 65% of people use the same password for multiple or all accounts
  • In the first six months of 2019, data breaches exposed 4.1 billion records
  • A 2018 Data Breach Incident Report confirmed compromised passwords are responsible for 81% of hacking-related breaches
  • Globally, businesses are losing $4M on average each year due to credential stuffing attacks using leaked and exposed passwords and credentials

The reuse of usernames and passwords from a compromised site significantly increases the attack surface of your business.  So how do Browser Extensions help to reduce this risk, and why do I have issues with some websites?

Encourage and Support the Desired Behaviour

To begin with, you need to provide your users with the tools along with the education.  There is significant value in encouraging and allowing staff to use Personal Password Lists.  This is reflected as one of Click Studios Best Practices for Passwordstate and more information can be found here.

Enabling Personal Password Lists needs to be performed alongside a robust training and education program for staff.  This training should help them understand the real-world impact associated with credential theft and hacking-related breaches.  They’ll need to understand why they should have unique credentials, how they generate and store unique credentials, and what to be aware of so they can identify when something doesn’t look right.  Don’t forget, to get buy-in you need to show your users what’s in it for them.

Create Strong Passwords Using the Passwordstate Password Generator

One of the features of the Passwordstate Browser Extension is the ability to use the defined Password Generator.  This can be set globally via Administration->System Settings->password options, using the setting "With the Password Generator on the menu Tools -> Password Generator, select the following Password Generator Policy as the default:", and prevent users from selecting a different policy by selecting the Yes radio button.

This will make the default Password Generator for Browser Extensions reflect what was set under System Settings as detailed above.  Note, the user can still choose another Generator if they want.  This is why the education part is so important.  Click Studios provides users the choice; however, the business should reinforce the security standards they have put in place and the benefits those standards provide.

Understanding the Add Site to Passwordstate Dialog

When you navigate to a website that you don’t have any saved credentials for, on logging in you will be prompted with Add Site to Passwordstate?  The dialog provides you with 3 options: Close, Ignore and Save (note I’ve removed the username for the image below).

Save is straightforward and will create the password record in the chosen Password List.  Clicking Close will simply close down the Add Site to Passwordstate dialog box.  The tricky option is Ignore.  When you click on Ignore you are not only dismissing the Add Site to Passwordstate dialog box, you are also adding an Ignored URL for that website login screen.  The end result is that you will now never be prompted to save your credentials for that website URL again – until you delete the Ignored URL record. 

To delete an ignored URL, log in to Passwordstate and navigate to Preferences->Preferences->browser extension->Ignored URLs, select the URL to delete, click on the Actions icon and click Delete.

It’s worth noting that clicking on Ignore isn’t the only way to prevent the dialog for Add Site to Passwordstate from appearing.  Ignored URLs can be manually entered by Security Administrators under Administration->Browser Extension Settings->ignored urls.  These ignored URLs are global in effect and prevent all Passwordstate Users from saving credentials for those websites via the Browser Extensions.

Report Sites that have Issues

On occasion you will find a website that our Browser Extension has an issue with, specifically in correctly mapping the user name and password fields.  When you come across this, we encourage you to report the issue by clicking on Report Site Issue.  This will open up the Report Site Issue page in another Tab and allow you to record the details of the issue.  We encourage you to supply as much detail as possible so that our Technical Support and Development Teams can investigate and provide a fix.

As always, we welcome your feedback via support@clickstudios.com.au.