The firewall is indicating that users are taking advantage of 1Password and LastPass in the form of a browser plugin. How do I see if they are using them on personal sites or company URLs? I want to prove if they are saving company passwords to personal password managers.
Not aware of a way to prove this from the network side of things. 
Having said that, controlling the browser plugins used by end users is something organizations typically do (e.g. allow only specific approved ones).
Do you have any log example you can attach? If yes, just blur out any sensitive data.
Andy
You cannot see this with a firewall. It would require HTTPS inspection and all the plain data to be readable for you. Then you would somehow have to collect the data that is inside this extension.
From my point of view you should either block these types of extensions (can be done via GPO) or allow them. I would allow them and provide a tool managed by the company. The reason for that is, if a user is not allowed to use a password management tool, the user will most likely write down the passwords on a piece of paper or put them in a plain text file on the desktop. It will also force the user to use easier passwords and reuse old passwords (just change 1 number and add up every reset). The last reason is that with a password tool a user is more likely to use a different password for different websites, instead of 1 easy-to-remember password for all websites.
I was thinking maybe QUIC protocol, but probably not. Can't recall now if there are any browser logins that could be blocked via SSL inspection policy, but will check in the lab later.
Andy
I think this is actually a really good response from AI Copilot, but it involves Harmony Endpoint.
Andy
**************************
To monitor and prevent the use of corporate passwords on personal sites, you can use the Password Reuse Protection feature in Harmony Endpoint. This feature alerts users and logs incidents when corporate passwords are used on non-corporate domains. Here’s how you can set it up:
Access the Policy Settings:
Select the Rule:
Navigate to Web & Files Protection:
Configure Credential Protection:
Prevent mode - Blocks the user from entering the corporate password and opens the blocking page in a new tab. If you enable Allow users to dismiss the password reuse alert and access the website, then it allows the user to dismiss the blocking page and continue to enter the corporate password.
By enabling and configuring the Password Reuse Protection feature, you can monitor and log incidents where corporate passwords are used on personal sites, helping you to prove if users are saving company passwords to personal password managers like 1Password and LastPass.
That doesn't really tell you if you're using a password manager (the original ask), though it will tell you if you're using internal credentials on an external site.
Ah, got it, makes sense.
Yes, what I want to do is see which sites they are using the password keeper for. If it's Facebook I don't care. If it's AWS, Azure, intranet, or other corporate sites, I do care, as these password keepers are not company sanctioned and personal. Which means they are saving company passwords to a personal site. I am sure the firewall can see the URLs accessed, but how to associate the password keeper usage? We do run HTTPS inspection.
I see what @PhoneBoy was saying about the answer I pasted from Copilot AI; it most likely would not be useful in your case, since it won't say if they are using a pass manager or not, just if, say, company creds might be on an external site. This is a really interesting/logical ask. Personally, I would also open a TAC case and reference this link, so they can see what was already discussed. I sometimes do that when opening a case; it definitely helps.
Best,
Andy
Your question assumes that the password manager is "queried" over the network each time it is used for a specific site.
Pretty sure none of the password managers operate on that premise.
The only possible way you can see what sites a password manager is using is on the browser itself.
That assumes the password manager is a plugin and not, say, an external application the user copy/pastes the password from.
Would maybe adding the below to the right rule for the urlf/appc layer help, or you don't think so?
Andy
That might be useful in blocking access to ALL browser plugins.
Best way to do that is to use the Enterprise management features of the browser, which can restrict what plugins users are allowed to use.
I was hoping that may give us more info, but it does not look like it :-(
You will not get more info than this from a firewall. There is not a way to know what passwords are in the plugin/tool (from fw point of view)
 
					
				
				
			
		