Password Managers: Attacks and Defenses
Authors
Abstract
We study the security of popular password managers and their policies on automatically filling in Web passwords. We examine browser built-in password managers, mobile password managers, and third-party managers. We observe significant differences in autofill policies among password managers. Several autofill policies can lead to disastrous consequences, where a remote network attacker can extract multiple passwords from the user's password manager without any interaction with the user. We experiment with these attacks and with techniques to enhance the security of password managers. We show that our enhancements can be adopted by existing managers.
Similar references
An Elective Multibiometric Authentication
This work aims to develop an elective multibiometric authentication. The novelty of this work is to develop the principles of distinction and multibiometric authentication, because at the moment there is no such development. Depending on various conditions and factors, including the availability of electronic means and convenience, resistance to attacks and exploits, disease or injury of users ...
SPHINX: A Password Store that Perfectly Hides from Itself
Password managers (aka stores or vaults) represent a security technique that allows a user to store and retrieve (usually high-entropy) passwords for her multiple password-protected services by interacting with a “device” serving the role of the manager (e.g., a smartphone or an online third-party service) on the basis of a single (low-entropy) master password. Existing password managers work we...
On the Security of Password Manager Database Formats
Password managers are critical pieces of software relied upon by users to securely store valuable and sensitive information, from online banking passwords and login credentials to passport and social security numbers. Surprisingly, there has been very little academic research on the security these applications provide. This paper presents the first rigorous analysis of storage formats used by po...
Android UI Deception Revisited: Attacks and Defenses
App-based deception attacks are increasingly a problem on mobile devices and they are used to steal passwords, credit card numbers, text messages, etc. Current versions of Android are susceptible to these attacks. Recently, Bianchi et al. proposed a novel solution “What the App is That” that included a host-based system to identify apps to users via a security indicator and help assure them tha...
Spyware Resistant Web Authentication Using Virtual Machines
Password collection by keyloggers and related malware is increasing at an alarming rate. We investigate client-only defenses and methods that require server-side assistance. Password hashing and password injection, in which passwords are isolated from spyware, provide protection against phishing, common-password attacks, and spyware on the client platform. To protect against network sniffing and...