Password Managers: Attacks and Defenses

We study the security of popular password managers and their policies on automatically filling in Web passwords. We examine browser built-in password managers, mobile password managers, and third-party managers. We observe significant differences in autofill policies among password managers. Several autofill policies can lead to disastrous consequences, where a remote network attacker can extract multiple passwords from the user's password manager without any interaction with the user. We experiment with these attacks and with techniques to enhance the security of password managers. We show that our enhancements can be adopted by existing managers.