How password managers help prevent phishing

If you are reading this, you already know about the online vulnerabilities people face every day on the internet. One of the most common threats is called “phishing,” where hackers with malicious intent (i.e. the bad guys) try to trick people into divulging confidential information such as login credentials, bank account numbers, or social security numbers by pretending to be someone or something the person already trusts. These fake messages, or phishing attacks, can be surprisingly convincing, especially when they appear to come from a trusted source such as your boss, or a financial institution you use frequently, such as your bank or credit card company. With more digital and remote work occurring every day, phishing has reached the point where everyone needs to keep themselves protected.

There are many ways to stay safe, from developing general awareness techniques to using different tools. In this post we’ll specifically discuss how a password manager can help thwart phishing attacks.

Staying alert

Phishing attacks can arrive via email or text message, or when you accidentally mistype the URL of an intended website and end up on a fake site. Any of the above can be combined into a socially engineered attack intended to convince the user to give up something valuable such as a password, government identification number, or credit card number.

To stay alert, the basics of internet safety apply. Here are a couple of examples and recommended steps.

Imagine an email from your bank stating that your account has been disabled or that there has been suspicious activity, and requesting that you log in to confirm that everything is okay. The email includes a link, but instead of pointing to your real bank website, it points to a hacker-controlled website made to look like the real one. For example, the site might be called www.wellsfaigo.com, with an “i” instead of an “r”, which is easy to miss.

A few recommended steps:

If you inadvertently click a link from a phishing email, you may end up on a website that looks familiar, but not quite right.

Thwarting phishing attacks with a password manager

While general awareness will serve you well to avoid phishing, sometimes it helps to have an extra layer of protection. Password managers can fill that gap.

Password managers, by their nature, keep track of the website URLs you visit. They can also indicate that the site you are visiting is stored in the password manager by showing an icon in the browser bar. In this example, stackoverflow.com is one of the Logins stored in the Bitwarden Vault.

Password managers retain known and confirmed URLs

Of course, you could use the browser extension to open that site directly, and quickly autofill credentials, but let’s assume that you typed in the stackoverflow.com web address by hand, or clicked it from a trusted email.

In this case, the browser extension shows a ‘1’ in the corner of the extension icon, reminding users that there is one Login stored for stackoverflow.com in the password manager. If there were multiple Logins associated with the same website, that number would increment to ‘2’ and so on.

Password managers confirm via an icon flag when landing on a known site

In this hypothetical example, if the URL was mistyped or intentionally misspelled in a phishing attack, so that it did not exactly match the stored entry, the icon would not appear. This should set off an awareness alarm that something is not right. Password managers are not fooled by similarly spelled website URLs; the URL must match exactly. Further inspection may then reveal that the website URL was not entered correctly.

A malicious site would not trigger the known login icon on the browser extension
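As an added illustration of the exact-match behaviour described above (example code written for this post, not Bitwarden's own implementation; the sample vault entries and the hostnameOf/matchingLoginCount/isSuspicious names are constructed for the example), this is the badge logic a browser extension can use: count the stored Logins whose saved URL has exactly the same hostname as the page being shown.

```javascript
// Constructed sample vault: each Login remembers the URL it was saved on.
// Two entries share the same bank hostname, so that site shows a badge of "2".
const SAMPLE_VAULT = [
  { name: "Stack Overflow", uri: "https://stackoverflow.com/users/login" },
  { name: "Wells Fargo", uri: "https://www.wellsfargo.com/" },
  { name: "Wells Fargo (old login)", uri: "https://www.wellsfargo.com/login" },
];

// Reduce a saved or visited URL to the one thing that must match: the hostname.
// Scheme, path, query and port are ignored; a bare "example.com" typed by the
// user is accepted by assuming https. Anything unparsable yields null.
function hostnameOf(rawUrl) {
  const text = String(rawUrl).trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `https://${text}`;
  try {
    // WHATWG URL parsing lowercases the host; also drop a trailing dot.
    return new URL(withScheme).hostname.replace(/\.$/, "");
  } catch {
    return null;
  }
}

// Count stored Logins for the visited page: this is the number shown in the
// corner of the extension icon. The comparison is exact on the hostname, so a
// lookalike such as wellsfaigo.com scores zero even though only one letter differs.
function matchingLoginCount(vault, visitedUrl) {
  const visitedHost = hostnameOf(visitedUrl);
  if (visitedHost === null) return 0;
  return vault.filter((login) => hostnameOf(login.uri) === visitedHost).length;
}

// A badge of 0 on a page that is asking for credentials is the "awareness alarm".
function isSuspicious(vault, visitedUrl) {
  return matchingLoginCount(vault, visitedUrl) === 0;
}

// Stand-alone demo over the constructed vault.
for (const visited of [
  "stackoverflow.com",
  "https://www.wellsfargo.com/account",
  "https://www.wellsfaigo.com/login",
]) {
  const count = matchingLoginCount(SAMPLE_VAULT, visited);
  const flag = isSuspicious(SAMPLE_VAULT, visited) ? "no known Login" : "known site";
  console.log(`${visited}: badge ${count} (${flag})`);
}
```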

Password managers set a secure foundation

Beyond helping to thwart phishing attacks, password managers help you follow the password hygiene that experts recommend, such as using long, complex, random, and unique passwords for every website. You can sync your passwords across all of your devices and, if working in a team, share them securely with end-to-end encryption.

Whether you want to set yourself or your business up for success, it is easy to get started with Bitwarden, an open source password manager for individuals and organizations. Visit bitwarden.com to learn more and sign up for a free account.