Password-manager service 1Password won’t let you get past the paste command if it spots a phishing-scam site in your browser.
This addition to the firm’s browser extension provides a software fix for a wetware failing: Although password managers won’t autofill saved credentials at a lookalike phishing page, stressed or tired people will often respond to that perceived malfunction by copying and pasting a password from the password manager to the scam site.
This update to 1Password ($35.88 a year for an individual account, $53.88 a year for a family bundle covering up to five users) will interrupt that copy-and-paste workaround with a warning that you’re on the wrong site: “The website you're on isn't linked to a login in 1Password. Make sure you trust this site before continuing.”
You’ll need to update 1Password’s apps to the new version 8.12.0-14 to get this feature in the browser extensions that the company offers for Chrome, Safari, Firefox, Edge, and Brave.
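To make the domain-binding logic concrete, here is an added illustration (not 1Password's own code) of the check behind the autofill refusal and the new paste warning: a saved login is compared with the current page by registrable domain, so a lookalike host that merely contains the real domain name does not match. The vault entries, page URLs and the tiny suffix table are constructed for the example; a real extension would use the full Public Suffix List.

```javascript
// Added example, not 1Password's code: decide whether a paste of a vault item
// into the current page should go through or trigger the unlinked-site warning.
// All URLs below are constructed sample values.

// Stand-in for the Public Suffix List (assumption: two entries are enough here).
const MULTI_PART_SUFFIXES = new Set(["co.uk", "com.au"]);

// Reduce a URL to its registrable domain (eTLD+1),
// e.g. "https://login.mailchimp.com/" -> "mailchimp.com".
function registrableDomain(url) {
  const host = new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  const labels = host.split(".");
  const lastTwo = labels.slice(-2).join(".");
  const take = MULTI_PART_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// A page is "linked" to a login only when registrable domains match exactly.
// "mailchimp.com.verify-login.example" reduces to "verify-login.example",
// so substring tricks in the hostname fail the comparison.
function isLinkedSite(pageUrl, savedLogins) {
  const page = registrableDomain(pageUrl);
  return savedLogins.some((login) => registrableDomain(login.url) === page);
}

// Autofill is simply withheld on an unlinked site; a manual paste there is
// interrupted with the warning text quoted in the article.
function decidePaste(pageUrl, savedLogins) {
  if (isLinkedSite(pageUrl, savedLogins)) {
    return { action: "paste", warning: null };
  }
  return {
    action: "warn",
    warning: "The website you're on isn't linked to a login in 1Password. " +
             "Make sure you trust this site before continuing.",
  };
}

// Constructed vault with a single saved login.
const SAMPLE_VAULT = [{ title: "Mailchimp", url: "https://login.mailchimp.com/" }];

// The real domain (any subdomain) is linked; the lookalike is not.
console.log(decidePaste("https://admin.mailchimp.com/account", SAMPLE_VAULT).action);
console.log(decidePaste("https://mailchimp.com.verify-login.example/", SAMPLE_VAULT).action);
```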
As security experts will testify, it can be all too easy for a persuasively crafted phishing message warning of the imminent loss of a critical account or a non-trivial sum of money to scare people into making hasty lizard-brain decisions.
That’s exactly what happened last March to Troy Hunt, the manager of the haveibeenpwned clearinghouse of personal information dumped in data breaches: a scam email reached him in a jet-lagged state, warning that he’d been locked out of his Mailchimp email marketing account.
And even though Hunt uses 1Password and saw that the app did not autofill his login on the scam site, he copied and pasted his password into it anyway, and then entered a two-step verification code. The attackers intercepted that and used the purloined login to get into Hunt’s Mailchimp account and export his mailing list.
As Hunt wrote in his recap of this mishap, passkey authentication would have blocked this attack because its exchange of cryptographic keys requires a correct domain name and doesn’t allow copy-and-paste circumvention.
He advised Mailchimp to support it. Ten months later, that Intuit subsidiary still doesn’t offer passkey logins, although Mailchimp has plenty of company in not delivering the security upgrade that’s now a standard feature at Amazon and Google.
1Password doesn’t mention passkeys, a striking omission considering its history of passkey evangelism. Instead, a blog post shares findings from a survey of 2,000 Americans conducted last fall that suggests we need as much software help as we can get with phishing scams.
Among this study’s less-heartwarming findings:
- 89% of respondents have gotten a phishing scam.
- 61% have taken the bait.
- Only 25% hover over a web link in a message before clicking it (although those URLs can get obfuscated with redirect links, making them an unreliable indicator).
- 45% have received a phishing lure in personal email (which seems low to us), 41% via text message, 38% on social media, 28% in a phone call, and 26% in online ads or search results.
- The most effective phishing lures: get a deal or discount, 41%; track a delivery, 31%; apply for work, 25%; carry out a financial task like a bank transfer, 23%; address a legal problem, 17%; make a charitable donation, 13%.
- 31% of employed respondents said they reused passwords for work accounts, making it easier for one successful phish to lead to the compromise of multiple accounts via “credential stuffing” attacks.
- 62% of respondents said they’ve gotten at least one scammy message, call, or ad that they thought was generated by AI.
This remains a massive problem, especially for people not yet using password managers. But using a password manager can itself lead to phishing scams targeting that service, a threat that 1Password’s competitor LastPass had to warn its customers about this week.
(Disclosure: Since 2019, 1Password has provided free service to journalists, an offer I have taken advantage of ever since.)