The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers

Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2014-138
July 7, 2014

http://www.eecs.berkeley.edu/Pubs/TechRpts/2014/EECS-2014-138.pdf

We conduct a security analysis of five popular web-based password managers. Unlike “local” password managers, web-based password managers run in the browser. We identify four key security concerns for web-based password managers and, for each, identify representative vulnerabilities through our case studies. Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features such as one-time passwords, bookmarklets, and shared passwords. The root causes of the vulnerabilities are also diverse, ranging from logic and authorization mistakes to misunderstandings of the web security model, in addition to typical vulnerabilities such as CSRF and XSS. Our study suggests that securing password managers remains a challenge; password managers, in their current form, may not provide sufficient security for user secrets. To guide their future development, we provide guidance for password manager designers. Given the diversity of the vulnerabilities we identified, we advocate a defense-in-depth approach to ensuring the security of password managers.


BibTeX citation:

@techreport{Li:EECS-2014-138,
    Author = {Li, Zhiwei and He, Warren and Akhawe, Devdatta and Song, Dawn},
    Title = {The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2014},
    Month = {Jul},
    URL = {http://www.eecs.berkeley.edu/Pubs/TechRpts/2014/EECS-2014-138.html},
    Number = {UCB/EECS-2014-138},
    Abstract = {We conduct a security analysis of five popular web-based
password managers. Unlike “local” password managers,
web-based password managers run in the browser. We
identify four key security concerns for web-based password
managers and, for each, identify representative vulnerabilities
through our case studies. Our attacks are severe:
in four out of the five password managers we studied,
an attacker can learn a user’s credentials for arbitrary
websites. We find vulnerabilities in diverse features
such as one-time passwords, bookmarklets, and shared passwords.
The root causes of the vulnerabilities are also diverse,
ranging from logic and authorization mistakes to
misunderstandings of the web security model, in addition
to typical vulnerabilities such as CSRF and XSS.
Our study suggests that securing password managers
remains a challenge; password managers,
in their current form, may not provide sufficient security
for user secrets. To guide their future development,
we provide guidance for password manager designers.
Given the diversity of the vulnerabilities we identified,
we advocate a defense-in-depth approach to ensuring the
security of password managers.}
}

EndNote citation:

%0 Report
%A Li, Zhiwei
%A He, Warren
%A Akhawe, Devdatta
%A Song, Dawn
%T The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers
%I EECS Department, University of California, Berkeley
%D 2014
%8 July 7
%@ UCB/EECS-2014-138
%U http://www.eecs.berkeley.edu/Pubs/TechRpts/2014/EECS-2014-138.html
%F Li:EECS-2014-138