topic Re: Password Keepers in General Topics

Password Keepers

Agent_Smith — Thu, 16 Jan 2025 21:12:05 GMT

The firewall is indicating that users are taking advantage of 1Password and Lastpass in the form of a browser plugin. How do I see if they are using them on personal sites or company urls. I want to prove if they are saving company passwords to personal password managers.

Re: Password Keepers

PhoneBoy — Thu, 16 Jan 2025 21:34:35 GMT

Not aware of a way to prove this from the network side of things.
Having said that, controlling the browser plugins used by end users is something organizations typically do (e.g. allow only specific approved ones).

Re: Password Keepers

the_rock — Thu, 16 Jan 2025 23:13:05 GMT

Do you have any log example you can attach? If yes, just blur out any sentisive data.

Andy

Re: Password Keepers

Lesley — Fri, 17 Jan 2025 10:36:33 GMT

You cannot see this with a firewall. It would require HTTPS inspection and all the plain data to be readable for you. Then somehow collect this data what is inside this extension.

From my point of view you should either block these types of extensions (can be done via GPO) or allow them. I would allow them and provide a tool managed by the company. Reason for that is, if a user is not allowed to use a password management tool the user will most likely write down the passwords on a piece of paper or put it in a plain text file on the desktop. Also it will force the user to use more easy passwords and reuse old passwords (just change 1 number and add up every reset). Last reason is that with a password tool a user is more likely to use a different password for different websites. Instead of 1 easy to remember password for all websites.

Re: Password Keepers

the_rock — Fri, 17 Jan 2025 12:05:44 GMT

I was thinking maybe QUIC protocol, but probably not. Cant recall now if there are any browser logins that could be blocked via ssl inspection policy, but will check in the lab later.

Andy

Re: Password Keepers

the_rock — Fri, 17 Jan 2025 12:14:02 GMT

I think this is actually really good response from AI copilot, but it involves harmony endpoint.

Andy

**************************

To monitor and prevent the use of corporate passwords on personal sites, you can use the Password Reuse Protection feature in Harmony Endpoint. This feature alerts users and logs incidents when corporate passwords are used on non-corporate domains. Here’s how you can set it up:

Steps to Configure Password Reuse Protection

Access the Policy Settings:
- Go to Policy > Threat Prevention > Policy Capabilities.
Select the Rule:
- Select the rule set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.
Navigate to Web & Files Protection:
- In the Capabilities & Exclusions pane, select Web & Files Protection.
Configure Credential Protection:
- In the Web & Files Protection tab, scroll down to Credential Protection.
- Under Password Reuse, select a mode:
  - Prevent mode: Blocks the user from entering the corporate password and opens the blocking page in a new tab. If you enable Allow users to dismiss the password reuse alert and access the website, then it allows the user to dismiss the blocking page and continue to enter the corporate password.
  - Detect mode: The system does not block the user from entering the corporate password. If a user enters the corporate password, it is captured in the Harmony Browse logs.
  - Off: Turns off password reuse protection.

Example Configuration

Prevent mode - Blocks the user from entering the corporate password and opens the blocking page in a new tab. If you enable Allow users to dismiss the password reuse alert and access the website, then it allows the user to dismiss the blocking page and continue to enter the corporate password.

Notes:

Detect mode: The system does not block the user from entering the corporate password. If a user enters the corporate password, it is captured in the Harmony Browse logs.
Off: Turns off password reuse protection.

Additional Information:

This feature is not supported with Safari and Internet Explorer browser extensions.
Ensure that the browser extension is installed and configured correctly for Chrome or Edge browsers.

By enabling and configuring the Password Reuse Protection feature, you can monitor and log incidents where corporate passwords are used on personal sites, helping you to prove if users are saving company passwords to personal password managers like 1Password and LastPass.

BE AWARE

Important - To prevent negative impact on your production environment, double-check the provided information in the Administration Guide for the involved product.

Learn more:

Re: Password Keepers

PhoneBoy — Fri, 17 Jan 2025 15:23:29 GMT

That doesn't really tell you if you're using a password manager (the original ask), though it will tell you if you're internal credentials on an external site.

Re: Password Keepers

the_rock — Fri, 17 Jan 2025 15:31:20 GMT

Ah, got it, makes sense.

Re: Password Keepers

Agent_Smith — Fri, 17 Jan 2025 15:56:59 GMT

Yes what I want to do is see which sites they are using the password keeper for. If its Facebook I don't care. If its the AWS, Azure, intranet other corporate sites I do care as these password keepers are not company sanctioned and personal. Which means they are saving company passwords to a personal site. I am sure the firewall can see the URLs accessed but how to associate the password keeper usage. We do run HTTPS inspection.

Re: Password Keepers

the_rock — Fri, 17 Jan 2025 16:19:55 GMT

I see what @PhoneBoy was saying about the answer I pasted from Copilot AI, it most likely would not be useful in your case, since it wont say if they are using pass manager or not, just if say company creds might be on external site. This is really interesting/logical ask. Personally, I would also open TAC case and reference this link, so they can see what was already discussed. I sometimes do that when opening a case, it definitely helps.

Best,

Andy

Re: Password Keepers

PhoneBoy — Fri, 17 Jan 2025 16:22:50 GMT

Your question assumes that the password manager is "queried" over the network each time it is used for a specific site.
Pretty sure none of the password managers operate on that premise.

The only possible way you can see what sites a password manager is using is on the browser itself.
That assumes the password manager is a plugin and not, say, an external application the user copy/pastes the password from.

Re: Password Keepers

the_rock — Fri, 17 Jan 2025 16:25:25 GMT

Would maybe adding below to the right rule for urlf/appc layer help or you dont think so?

Andy

Re: Password Keepers

PhoneBoy — Fri, 17 Jan 2025 16:30:36 GMT

That might be useful in blocking access to ALL browser plugins.
Best way to do that is to use the Enterprise management features of the browser, which can restrict what plugins users are allowed to use.

Re: Password Keepers

Agent_Smith — Fri, 17 Jan 2025 18:21:09 GMT

This is what I'm seeing in the logs. I don't know for sure its a browser plugin but one says.

Re: Password Keepers

the_rock — Fri, 17 Jan 2025 18:25:36 GMT

I was hoping that may give us more info, but does not look like it : - (

Re: Password Keepers

Lesley — Sat, 18 Jan 2025 12:29:10 GMT

You will not get more info then this from a firewall. There is not a way to know what passwords are in the plugin/tool (from fw point of view)