How to detect Password Manager Usage on a Website using JavaScript

João Manuel Gomes
JavaScript in Plain English
3 min read · Jan 21, 2021


I was challenged to detect the usage of password managers on my team’s website. In this article, I’m going to explain what a password manager is, why they should be used and the process I used to detect and track their usage.

Password Managers

Using a password manager is a good practice that gives your online accounts some extra security. In a nutshell, password managers are programs that store your passwords. They provide several useful features:

  • Generate strong passwords (reducing the risk of your passwords being discovered if a data breach occurs at a service that stores user passwords with insecure algorithms);
  • Prevent you from reusing passwords (even if one of your accounts is stolen, you have the guarantee that attackers won’t have access to your other accounts);
  • Prevent phishing attacks (if an imposter recreates the website you want to use, your password manager would know that the address is not the usual one for that website);
  • Single source of truth for all your passwords and online accounts (make sure you never lose a password again).

You only need to remember the “master password” for your password manager. However, keep in mind that this password is the “key” to all your passwords, so make sure to choose a strong one and use it carefully.

Examples of Password Managers

The most used password manager programs out there include LastPass, OnePassword and KeePass, among others. LastPass provides a cloud-based password manager, which is great if you use multiple devices to access your accounts. OnePassword and KeePass provide stronger encryption since they are not cloud solutions and the information is stored on your devices.

It is important to mention that most modern browsers, like Chrome, Firefox or Internet Explorer, provide a password manager feature. These are quite simple to use, although they aren’t the most secure since the information is stored unencrypted on your device. An attacker with access to your machine might be able to read your saved passwords. Nevertheless, they were considered for this experiment since a lot of people use them.

Password Managers Usage In-Browser

My first thought to detect usage of password managers was to search for browser extensions, since a lot of password managers provide their own extension, as in the case of LastPass or OnePassword, for example.

I faced some issues with this approach: since there is no way to track installed extensions from your website, tracking their usage seems impossible. So I decided to go in a different direction…

How do people use their password manager, be it Chrome, Firefox, LastPass, OnePassword or any other? Basically, there are 2 main ways:

  • Copy/paste values; or
  • Auto-fill the password into the input fields.

Solution Found

The solution I chose to implement was to detect these 2 user options. Since we are speaking about websites and a password field means an input field, some simple JavaScript code can do the trick and detect user events on the password input field for both of these.

Tracking Paste event on password input field

To track this event I simply added a paste event listener to the input field.

Tracking Auto-fill event on password input field

To track this password manager auto-fill I had to execute a number of tests and see which fields were being populated when an auto-fill happened. I’m using the listener for the input event and setting the filter I discovered to provide the best results.

Pro-Tip: Use the function below if you want to listen for single-character typing and delete events as well.
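
An added example, not the article's original code: one way to implement the paste and auto-fill tracking described above, including the typing and delete case from the Pro-Tip. The `inputType` filter, the length-jump heuristic, the `report` callback and the selector are assumptions; only the field's length is read, never the password itself.

```javascript
// Added example: the filter below is an assumption, not the author's filter.
// Privacy: only event metadata and the value's *length* are used;
// the password itself is never passed to the telemetry hook.

// inputType values produced by ordinary keyboard editing (typing and deleting).
const TYPING_TYPES = new Set([
  'insertText', 'insertCompositionText',
  'deleteContentBackward', 'deleteContentForward',
]);
// Assumption: an auto-fill arrives as an "input" event with no inputType
// (a plain Event) or with inputType "insertReplacementText".
const AUTOFILL_TYPES = new Set([undefined, 'insertReplacementText']);

// Classify one "input" event from its inputType and the length before/after.
function classifyInput(inputType, prevLen, newLen) {
  if (inputType === 'insertFromPaste') return 'paste';
  if (TYPING_TYPES.has(inputType)) return 'typing';
  // Several characters changing at once, without keyboard editing.
  const jumped = Math.abs(newLen - prevLen) > 1;
  if (AUTOFILL_TYPES.has(inputType) && newLen > 0 && jumped) return 'autofill';
  return 'other';
}

// Attach listeners to a password <input>; report(kind) is the caller's
// telemetry hook (hypothetical) and receives 'paste', 'autofill' or 'typing'.
function trackPasswordField(input, report) {
  let prevLen = input.value.length;
  input.addEventListener('paste', () => report('paste'));
  input.addEventListener('input', (e) => {
    const newLen = input.value.length;
    const kind = classifyInput(e.inputType, prevLen, newLen);
    prevLen = newLen;
    // The paste listener already reported the paste, so its follow-up
    // "input" event (insertFromPaste) is not reported a second time.
    if (kind === 'autofill' || kind === 'typing') report(kind);
  });
}

// Browser wiring (skipped outside a browser). The selector is hypothetical.
if (typeof document !== 'undefined') {
  const field = document.querySelector('input[type="password"]');
  if (field) trackPasswordField(field, (kind) => console.log('password entry:', kind));
}
```
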

Conclusion

Although this solution isn’t very elegant, it doesn’t seem flaky and it performed very well when tested on my website. We focused on auto-fill events since paste events were few in number. Auto-fill events passing this trigger were exclusively from password manager auto-fills. We’ve tested with the password managers of modern browsers like Firefox and Chrome, and also with the browser extensions for both OnePassword and LastPass.

Worked like a charm for me and my team, and although I can’t provide any results we got, I can say it was very insightful. Hope this can help you as well. Let me know your thoughts.

Many Thanks.
