I am not a security expert but wanted to know your views on the following security feature created for preventing phishing attempts.
I recently used a banking portal where it asks for a personal unique message to be set while signing up.
And when we go to their login page, it asks for my user id along with a captcha code on the first login page; after filling this in, it presents us with a second page on which my personal unique message is shown, and below that my master password is asked for to log into the account.
This way users would have more trust that they are connected to the genuine website.
It may also prevent accidentally entering login credentials in self-hosted Bitwarden instances which may be hosted with similar domain names.
Though I must acknowledge that this doesn’t mean the message can’t be spoofed in a phishing attempt, this would just make the phishing attempt a lot harder to pull off.
Also 2FA already mitigates phishing attempts very well, but this feature could add to another level of trust for users while accessing their web vaults.
I also understand that implementing this wouldn’t be trivial, as it would involve more work at the server end for safely storing the users’ personal messages and also maintaining zero-knowledge encryption.
Let me know what you think about this idea, including any implementation difficulties that may be faced.
@Gaurav I agree that Phishing links are a huge risk these days, as phishing gets more and more sophisticated and harder to spot. However, I don’t think it’s a good idea for a password manager like Bitwarden to include security features such as anti-phishing, as that would make Bitwarden’s code more complicated, making it more likely to include security vulnerabilities.
Bookmarking https://vault.bitwarden.com would mitigate the risk of accidentally entering one’s credentials into a phishing/self-hosted site.
Additionally, if you are interested in fighting against phishing and fake websites, you can always Report any Phishing/Suspicious links to Avira, Bitdefender, Sophos, Symantec, Webroot, Microsoft Security Intelligence, and Google Safe Browsing.
If you can report any phishing links impersonating Bitwarden to the above security companies/anti-viruses, the risk of unsuspecting users clicking and actually visiting these links would be reduced greatly, assuming that most users use one of the above antiviruses and/or a browser with Google Safe Browsing enabled (which most do).
Note: In my experience, Google Safe Browsing only blocks a link if a number of antiviruses categorize the link as Phishing, which is why I recommend reporting the suspected phishing links to major antivirus companies first.
Mhh…the benefits derived and the relative cost and complexity involved in implementing such a feature would have to be analysed by the developers.
Though one idea I had was to implement it the same way 2FA codes work. As far as I know, they don’t affect the encryption mechanism of your vault and work separately.
So let’s see what others and the devs think about the utility of this feature.
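To make the two-page flow from the opening post and the "store it like a 2FA secret, outside the encrypted vault" idea from this reply concrete, here is an added example (not code from the thread or from Bitwarden). It models a server that keeps the personal message next to the login verifier rather than inside the opaque vault blob, a page-1 step (user id + captcha) that reveals the message and issues a one-time token, a page-2 step that accepts the master password only against that token, and a client-side decision function that refuses to send the password unless both the origin and the displayed message match what the user expects. All names, the in-memory stores and the sample account are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # constructed value; a real deployment tunes this


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_verifier: bytes   # server-side verifier of the master password
    personal_message: str      # anti-phishing message chosen at sign-up


@dataclass
class LoginServer:
    """Constructed in-memory server. The personal message lives in `accounts`
    beside ordinary login metadata (like a TOTP secret would), never inside
    the end-to-end encrypted vault blob in `vaults`."""
    accounts: dict = field(default_factory=dict)
    vaults: dict = field(default_factory=dict)        # user_id -> opaque blob
    step1_tokens: dict = field(default_factory=dict)  # one-time token -> user_id

    def register(self, user_id, master_password, personal_message, vault_blob):
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[user_id] = Account(user_id, salt, verifier, personal_message)
        self.vaults[user_id] = vault_blob

    def step1(self, user_id, captcha_answer, captcha_expected):
        """Page 1: user id + captcha. Returns (token, personal_message) or None."""
        if not hmac.compare_digest(captcha_answer, captcha_expected):
            return None
        acct = self.accounts.get(user_id)
        if acct is None:
            return None
        token = secrets.token_hex(16)
        self.step1_tokens[token] = user_id
        return token, acct.personal_message

    def step2(self, token, master_password):
        """Page 2: master password, bound to the page-1 token (single use).
        Returns the encrypted vault blob on success, else None."""
        user_id = self.step1_tokens.pop(token, None)
        if user_id is None:
            return None
        acct = self.accounts[user_id]
        candidate = hashlib.pbkdf2_hmac("sha256", master_password.encode(), acct.salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, acct.password_verifier):
            return None
        return self.vaults[user_id]


EXPECTED_ORIGIN = "https://vault.bitwarden.com"  # the origin the user bookmarked


def client_login(server, origin, user_id, captcha, captcha_expected,
                 expected_message, master_password):
    """The user's (or client's) decision procedure: only release the master
    password when the origin is the bookmarked one AND the page-2 message
    equals the one set at sign-up."""
    if origin != EXPECTED_ORIGIN:
        return "refused: unexpected origin"
    result = server.step1(user_id, captcha, captcha_expected)
    if result is None:
        return "refused: step 1 failed"
    token, shown_message = result
    if shown_message != expected_message:
        return "refused: personal message mismatch"
    vault = server.step2(token, master_password)
    return "vault unlocked" if vault is not None else "refused: bad master password"


if __name__ == "__main__":
    srv = LoginServer()
    srv.register("alice", "correct horse battery", "blue tulip 1987", b"opaque-encrypted-vault")
    print(client_login(srv, EXPECTED_ORIGIN, "alice", "x7k2", "x7k2",
                       "blue tulip 1987", "correct horse battery"))
```

Two points the model makes visible: the vault blob is only ever handed back after step 2, so the message store and the zero-knowledge vault stay independent, and the server returns the message to anyone who presents a valid user id and captcha, so it is a confidence signal for the user rather than proof of the site's identity; the origin check in `client_login` is what actually binds the session, which is the same reason the bookmark advice in this thread matters. A real server would also rate-limit step 1 and expire tokens.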
@Nat Just want to make you aware that phishing can also be done through DNS poisoning, in which neither your bookmark nor Google Safe Browsing would be of use.
Currently Google Chrome’s default browser setting for secure DNS is set to “current service provider”.
And the majority of service providers, at least in my state, don’t provide DNS over HTTPS, so DNS queries are unencrypted for the majority of users and therefore easier to spoof.
I know about this threat, so I always make sure that I use a provider with DNS over HTTPS on all my devices.
Though I am not sure to what extent these attacks can practically be pulled off, or of any further safeguards against them.