Password Managers: Attacks and Defenses
Date: August 2014
Publication: 23rd USENIX Security Symposium, SEC '14
Publisher: USENIX
Source 1: https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-silver.pdf
Source 2: http://crypto.stanford.edu/~dabo/pubs/papers/pwdmgrBrowser.pdf
Source 3: http://www.cs.utexas.edu/~suman/publications/suman_pwdmgr.pdf

Abstract or Summary:
We study the security of popular password managers and their policies on automatically filling in Web passwords. We examine browser built-in password managers, mobile password managers, and 3rd party managers. We observe significant differences in autofill policies among password managers. Several autofill policies can lead to disastrous consequences where a remote network attacker can extract multiple passwords from the user’s password manager without any interaction with the user. We experiment with these attacks and with techniques to enhance the security of password managers. We show that our enhancements can be adopted by existing managers.

PasswordResearch.com Note: Video and audio recordings of paper presentation available here: https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/silver