That was then, this is now: A security evaluation of password generation, storage, and autofill in browser-based password managers

Sean Oesch, Scott Ruoti

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

47 Scopus citations

Abstract

Password managers have the potential to help users more effectively manage their passwords and address many of the concerns surrounding password-based authentication. However, prior research has identified significant vulnerabilities in existing password managers, especially in browser-based password managers, which are the focus of this paper. Since that time, five years have passed, leaving it unclear whether password managers remain vulnerable or whether they have addressed known security concerns. To answer this question, we evaluate thirteen popular password managers and consider all three stages of the password manager lifecycle: password generation, storage, and autofill. Our evaluation is the first analysis of password generation in password managers, finding several non-random character distributions and identifying instances where generated passwords were vulnerable to online and offline guessing attacks. For password storage and autofill, we replicate past evaluations, demonstrating that while password managers have improved in the half-decade since those prior evaluations, there are still significant issues; these problems include unencrypted metadata, insecure defaults, and vulnerabilities to clickjacking attacks. Based on our results, we identify password managers to avoid, provide recommendations on how to improve existing password managers, and identify areas of future research.
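The non-random character distributions the abstract mentions are the kind of defect a goodness-of-fit test over a large sample of generated passwords will surface. The block below is an added example, not code from the paper or from any of the evaluated password managers: it places a deliberately flawed generator (a single random byte reduced modulo the alphabet size, which over-represents the first 256 mod 70 symbols) beside a correct one built on `secrets.choice`, and runs a Pearson chi-square test on the pooled character counts. The 70-symbol alphabet, the sample size, and the Wilson-Hilferty approximation for the critical value are assumptions made for the illustration.

```python
"""Added example: auditing a password generator's character distribution.

Not the paper's evaluation code. A modulo-biased generator is compared with a
uniform one using a Pearson chi-square test on pooled character counts.
"""
import math
import os
import secrets
import string
from collections import Counter

# The alphabet is an assumption for the illustration (70 symbols), not any vendor's.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def biased_generator(length: int) -> str:
    """Flawed generator: one random byte reduced mod 70.

    256 is not a multiple of 70, so the first 256 % 70 = 46 symbols are hit
    4 times out of 256 while the remaining 24 are hit only 3 times.
    """
    return "".join(ALPHABET[b % len(ALPHABET)] for b in os.urandom(length))


def uniform_generator(length: int) -> str:
    """secrets.choice draws with rejection sampling, so every symbol is equiprobable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def chi_square_statistic(passwords, alphabet=ALPHABET) -> float:
    """Pearson chi-square of pooled character counts against a uniform expectation."""
    counts = Counter("".join(passwords))
    expected = sum(counts.values()) / len(alphabet)
    return sum((counts.get(c, 0) - expected) ** 2 / expected for c in alphabet)


def chi_square_critical(df: int, z: float = 3.72) -> float:
    """Approximate upper critical value via Wilson-Hilferty; z=3.72 is roughly p=1e-4."""
    h = 2.0 / (9.0 * df)
    return df * (1.0 - h + z * math.sqrt(h)) ** 3


def looks_uniform(passwords, alphabet=ALPHABET) -> bool:
    """True if the pooled character counts are consistent with a uniform alphabet."""
    return chi_square_statistic(passwords, alphabet) < chi_square_critical(len(alphabet) - 1)


def audit(generator, n_passwords: int = 4000, length: int = 16):
    """Draw a sample from `generator`; return (statistic, critical value, passes?)."""
    sample = [generator(length) for _ in range(n_passwords)]
    stat = chi_square_statistic(sample)
    crit = chi_square_critical(len(ALPHABET) - 1)
    return stat, crit, stat < crit


if __name__ == "__main__":
    for name, gen in (("biased", biased_generator), ("uniform", uniform_generator)):
        stat, crit, ok = audit(gen)
        verdict = "uniform" if ok else "BIASED"
        print(f"{name:8s} chi2={stat:8.1f} critical={crit:6.1f} -> {verdict}")
```

With 4,000 sixteen-character passwords the biased generator lands far above the critical value while the uniform one sits near the 69 degrees of freedom, so the two are cleanly separated. Passing this check is necessary, not sufficient: it says nothing about per-position bias (for example a generator that always places a digit first) or about whether the underlying source is a CSPRNG at all, both of which need their own tests.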

Original language: English
Title of host publication: Proceedings of the 29th USENIX Security Symposium
Publisher: USENIX Association
Pages: 2165-2182
Number of pages: 18
ISBN (Electronic): 9781939133175
State: Published - 2020
Externally published: Yes
Event: 29th USENIX Security Symposium - Virtual, Online
Duration: Aug 12 2020 to Aug 14 2020

Publication series

Name: Proceedings of the 29th USENIX Security Symposium

Conference

Conference: 29th USENIX Security Symposium
City: Virtual, Online
Period: 08/12/20 to 08/14/20
