Password Managers: Attacks and Defenses
Date: August 2014
Publication: 23rd USENIX Security Symposium, SEC '14
Source 1: https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-silver.pdf
Source 2: http://crypto.stanford.edu/~dabo/pubs/papers/pwdmgrBrowser.pdf
Source 3: http://www.cs.utexas.edu/~suman/publications/suman_pwdmgr.pdf
We study the security of popular password managers and their policies on automatically filling in Web passwords. We examine browser built-in password managers, mobile password managers, and 3rd party managers. We observe significant differences in autofill policies among password managers. Several autofill policies can lead to disastrous consequences where a remote network attacker can extract multiple passwords from the user's password manager without any interaction with the user. We experiment with these attacks and with techniques to enhance the security of password managers. We show that our enhancements can be adopted by existing managers.
PasswordResearch.com Note: Video and audio recordings of paper presentation available here: https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/silver