The Emperor's New Password Manager: Security Analysis of Web-based Password Managers

Li, Zhiwei; He, Wei; Akhawe, Devdatta; Song, Dawn

doi:10.21236/ada614474

Cited by 99 publications

(89 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In regard to the latter scenario, there are some future research lines that would boost the adoption of PMs, namely: investigation on how to automatically integrate and enforce company security policies with PMs; combination with SSO technologies highly used inside corporate environments, such as SAML and OAuth; and research on usability improvements by merging implicit authentication with PMs as mechanisms for substituting the Mast er Key. Finally, as future work we would like to develop automatic testing tools that evaluate the security of PMs empirically in order to complement the theoretical analysis given in this paper and cover specific attack scenarios and vulnerabilities as described in [11] .…”

Section: Conclusion and Future Linesmentioning

confidence: 99%

Comparing Password Management Software: Toward Usable and Secure Enterprise Authentication

et al. 2016

View full text Add to dashboard Cite

Abstract-In today's corporate IT systems there is an undeniable pattern that is routinely repeated by employees: access to a huge number of password-protected services. In this regard, though deploying a strong enterprise password policy is a mean to increase security against online breaches and data leaks, it also imposes a significant usability burden for users. To alleviate this problem, Password Managers (PMs) are pointed out as user-friendly tools that automate the processes of password generation and login. But how secure and usable are these tools? In this paper we analyze the four most popular PMs with free version from both security and usability perspectives. The comparison leads to recommendations on enterprise PM selection, as well as to the identification of new lines of research and development on usable authentication.

show abstract

Section: Conclusion and Future Linesmentioning

confidence: 99%

Comparing Password Management Software: Toward Usable and Secure Enterprise Authentication

et al. 2016

View full text Add to dashboard Cite

show abstract

“…These extensions allow the password manager to auto login and auto-populate authentication details to reduce the chances of attacks that involve user participation [9].…”

Section: Background a Password Managersmentioning

confidence: 99%

“…Li et al [9] analysed the security of five cloud-based password managers focusing on protocols used for authentication to a Web application, sharing of passwords with collaborators, encryption and login bookmarklets. They found vulnerabilities related to authorisation, user interface, bookmarklets, and susceptibility to cross-site request forgery and cross-site scripting (XSS) attacks.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Forensically-Sound Analysis of Security Risks of Using Local Password Managers

Joshua¹,

Franqueira²,

Yu³

2016

2016 IEEE 24th International Requirements Engineering Conference Workshops (REW)

View full text Add to dashboard Cite

Abstract-Password managers address the usability challenge of authentication, i.e., to manage the effort in creating, memorising, and entering complex passwords for an end-user. Offering features such as creating strong passwords, managing increasing number of complex passwords, and auto-filling of passwords for variable contexts, their security is as critical as the assets being protected by the passwords. Previous security risk analyses have focused primarily on cloud-and browser-based password managers, whilst the security risks of local password managers were left under-explored. Taking a systematic forensic analysis approach, this paper reports on a case study of three popular local password managers: KeePass (v2.28), Password Safe (v3.35.1) and RoboForm (v7.9.12). It revealed risks that either the master password or the content of the password database could be found unencrypted in Temp folders, Page files or Recycle bin, even after applications had been closed. As a consequence, an attacker or a malware with access to the computer on which the password managers were running may be able to steal sensitive information, even though these password managers are meant to keep the databases encrypted and protected at all times. These findings point to directions to mitigate the identified risks.

show abstract

“…A bookmarklet is a bookmark, which essentially contains JavaScript code, in order to add previously unobtainable features, in a browser. While this on the surface seems like a nifty feature, work in [12] discusses an attack on LastPass, exploiting the users bookmarklet, to gain access to virtually all of the users stored credentials. Finally, it is work mentioning that there has been a recent leak from LastPass [25], that leads to even more users to look suspicious of their services.…”

Section: Toolsmentioning

confidence: 99%

Evaluation of Professional Cloud Password Management Tools

Schougaard

Dragoni

Spognardi

2016

Current Trends in Web Engineering

View full text Add to dashboard Cite

Abstract. Strong passwords have been preached since decades. However, lot of the regular users of IT systems resort to simple and repetitive passwords, especially nowadays in the "service era". To help alleviate this problem, a new class of software grew popular: password managers. Since their introduction, password managers have slowly been migrating into the cloud. In this paper we review and analyze current professional password managers in the cloud. We discuss several functional and nonfunctional requirements to evaluate existing solutions and we sum up their strengths and weaknesses. The main conclusion is that a silver bullet solution is not available yet and that this type of tools still deserve a significant research effort from the privacy and security community.

show abstract

The Emperor's New Password Manager: Security Analysis of Web-based Password Managers

Cited by 99 publications

References 37 publications

Comparing Password Management Software: Toward Usable and Secure Enterprise Authentication

Comparing Password Management Software: Toward Usable and Secure Enterprise Authentication

Forensically-Sound Analysis of Security Risks of Using Local Password Managers

Evaluation of Professional Cloud Password Management Tools

Contact Info

Product

Resources

About