Hey, You, Get Off of My Clipboard - On How Usability Trumps Security in Android Password Managers
Date: April 2013
Publication: Proceedings of the 17th International Conference on Financial Cryptography and Data Security 2013 / Lecture Notes in Computer Science, Volume 7859
Page(s): 144 - 161
Source 1: http://fc13.ifca.ai/proc/4-2.pdf
Source 2: http://files.androidpit.info/content/PDF%20Passwortmanager_Studie_Uni_Hannover.pdf
Source 3: http://dx.doi.org/10.1007/978-3-642-39884-1_12 - Subscription or payment required
Abstract or Summary:
Password managers aim to help users manage their ever increasing number of passwords for online authentication. Since users only have to memorise one master secret to unlock an encrypted password database or key chain storing all their (hopefully) different and strong passwords, password managers are intended to increase username/password security. With mobile Internet usage on the rise, password managers have found their way onto smartphones and tablets. In this paper, we analyse the security of password managers on Android devices. While encryption mechanisms are used to protect credentials, we will show that a usability feature of the investigated mobile password managers puts the users’ usernames and passwords at risk. We demonstrate the consequences of our findings by analysing 21 popular free and paid password managers for Android. We then make recommendations how to overcome the current problems and provide an implementation of a secure and usable mobile password manager.
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.