All your browser-saved passwords could belong to us: A security analysis and a cloud-based new design

Rui Zhao, Chuan Yue

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

20 Scopus citations

Abstract

Web users are confronted with the daunting challenges of creating, remembering, and using more and more strong passwords than ever before in order to protect their valuable assets on different websites. The password manager is one of the most popular approaches designed to address these challenges by saving users' passwords and later automatically filling the login forms on behalf of users. Fortunately, all the five most popular Web browsers have provided password managers as a useful built-in feature. Unfortunately, the designs of all those Browser-based Password Managers (BPMs) have severe security vulnerabilities. In this paper, we uncover the vulnerabilities of existing BPMs and analyze how they can be exploited by attackers to crack users' saved passwords. Moreover, we propose a novel Cloud-based Storage-Free BPM (CSF-BPM) design to achieve a high level of security with the desired confidentiality, integrity, and availability properties. We have implemented a CSF-BPM system into Firefox and evaluated its correctness and performance. We believe CSF-BPM is a rational design that can also be integrated into other popular Web browsers.

Original language: English (US)
Title of host publication: CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy
Pages: 333-340
Number of pages: 8
State: Published - 2013
Externally published: Yes
Event: 3rd ACM Conference on Data and Application Security and Privacy, CODASPY 2013 - San Antonio, TX, United States
Duration: Feb 18 2013 - Feb 20 2013

Publication series

Name: CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy

Conference

Conference: 3rd ACM Conference on Data and Application Security and Privacy, CODASPY 2013
Country/Territory: United States
City: San Antonio, TX
Period: 2/18/13 - 2/20/13

Keywords

  • Cloud
  • Password manager
  • Phishing
  • Security
  • Web browser

ASJC Scopus subject areas

  • Computer Science Applications
  • Software
