Password Managers: Attacks and Defenses
Authors: D. Silver, S. Jana, D. Boneh, E. Chen, and C. Jackson
Abstract:
We study the security of popular password managers and their policies
on automatically filling in Web passwords. We examine
browser built-in password managers, mobile password managers, and
third-party managers. We observe significant differences in
autofill policies among password managers. Several autofill policies can
lead to disastrous consequences where a remote network attacker can
extract multiple passwords from the user's password manager without
any interaction with the user. We experiment with these attacks and
with techniques to enhance the security of password managers. We show
that our enhancements can be adopted by existing managers.
Reference:
To appear at USENIX Security 2014