Anyone who is unsure about the scale of the threat from phishing should read the web descriptions of data breaches recorded on HHS' Breach Report Archive. Phishing attacks are a common component in most data breaches and are often used by cybercriminals to gain unauthorized access to systems maintaining PHI. But how can password managers help prevent phishing attacks of this nature?
Password managers are excellent security tools that enable users to create strong, unique passwords for each account in order to resist brute force attacks. Because strong, unique passwords are hard to remember, password managers automatically complete the log-in credentials when a user visits a website or opens a web app for which a username and password combination has been saved.
When a user receives a phishing email, the email usually includes a link that invites the user to respond to one of five emotions – greed, curiosity, urgency, helpfulness, or fear. As the email appears to originate from a trusted source and has bypassed the user's email filter, the user may be inclined to click on the link to visit the website or open the web app to which the email pertains.
However, when the link directs the user to the fake website/app, the password manager does not automatically complete the login credentials. This is because the URL of the fake website/app is different from the URL for which a username and password have been saved. The fact that the password manager does not autocomplete the login credentials should alert the user that they have been directed to an incorrect destination so they can quickly navigate away from it.
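The URL-matching behaviour described above is the whole reason autofill acts as a phishing tell, so it is worth seeing the check itself. The following is an added example, not code from the original article or from any password manager product: it models a small vault keyed by the host a login was saved for and only returns credentials when the page's https host is that host or a subdomain of it. The vault entries, host names and the `autofill_decision` function are constructed for illustration; real password managers apply their own (more elaborate) matching rules, but the principle that a lookalike host never matches is the same.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample vault (hypothetical host and credentials): each saved
# login is keyed by the host the user was on when the entry was created.
SAVED_LOGINS: Dict[str, Dict[str, str]] = {
    "portal.example-health.test": {
        "username": "jdoe",
        "password": "correct horse battery staple",
    },
}


def _https_host(url: str) -> Optional[str]:
    """Return the lowercase hostname of an https URL, or None if the URL is
    not something a password manager should ever fill (plain http, no host).

    urlsplit().hostname discards any user-info prefix and port, so a URL such
    as https://portal.example-health.test@evil.test resolves to 'evil.test',
    not to the trusted-looking text before the '@'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    return parts.hostname or None


def autofill_decision(
    url: str, vault: Dict[str, Dict[str, str]] = SAVED_LOGINS
) -> Tuple[Optional[Dict[str, str]], str]:
    """Decide whether to autofill for `url`.

    Returns (credentials, reason). credentials is None when nothing matches;
    reason is one of 'match', 'scheme', 'no_host' or 'host_mismatch' so a UI
    can explain to the user why nothing was filled (the cue the article
    relies on to signal a wrong destination).
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None, "scheme"
    host = _https_host(url)
    if host is None:
        return None, "no_host"
    for saved_host, creds in vault.items():
        # Exact host, or a genuine subdomain of the saved host. A lookalike
        # such as portal.example-health.test.evil.test ends with '.evil.test',
        # not with '.portal.example-health.test', so it never matches.
        if host == saved_host or host.endswith("." + saved_host):
            return creds, "match"
    return None, "host_mismatch"


if __name__ == "__main__":
    # Constructed URLs: the genuine portal and three phishing-style variants.
    for candidate in [
        "https://portal.example-health.test/login",
        "https://portal.example-health.test@evil.test/login",
        "https://portal.example-health.test.evil.test/login",
        "https://portal.example-heaIth.test/login",  # capital I for l
    ]:
        creds, why = autofill_decision(candidate)
        print(f"{candidate}: {'filled' if creds else 'NOT filled'} ({why})")
```

Only the first URL is filled; the user-info trick, the appended-domain trick and the homoglyph host all come back with `host_mismatch`, which is exactly the "nothing happened" moment the article says should make the user stop.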
Why This Theory Doesn't Always Work in Practice
In an ideal world, the user who has been directed to an incorrect destination would not only navigate away from it, but also report the event to a supervisor or security officer. This would enable the supervisor or security officer to alert other members of the workforce to the phishing email and blacklist the domain from which the phishing email originated on the corporate email filter.
However, regardless of how much security awareness training the recipient has received, it is sometimes the case that the emotion triggered by the phishing email overrides the training they have been provided with. Rather than considering the threat of a phishing email, they believe the password manager is at fault and attempt to enter the fake website/app by copying and pasting the login credentials directly from the password manager – with potentially disastrous consequences.
In these cases, protecting account access with two-step login may not prevent a cybercriminal from accessing systems maintaining PHI. With the username and password, a cybercriminal may be able to request a password reset – a feature not always protected by two-step login – or simultaneously log in to the genuine website/app, wait for the authenticator code to be sent to and entered by the user on the fake website/app, and then use the code to access the genuine website/app.
How to Overcome this Issue
Cybercriminals are becoming more sophisticated in how they extract login credentials from unsuspecting users, and the threat of a user copying and pasting login credentials directly from a password manager can be a genuine concern. However, there is a way to overcome this issue if you deploy a password manager with the capability of hiding passwords in the password manager.
Password managers such as Bitwarden can be configured to hide passwords, TOTP seeds, and custom fields from end users to prevent the risk of a user copying and pasting login credentials into phishing websites and web apps. This security measure also increases the likelihood of a user flagging a phishing email to a supervisor or security officer – albeit inadvertently – because they are unable to access the website/app via the autocomplete capabilities of the password manager.