TY - GEN
T1 - All your browser-saved passwords could belong to us
T2 - 3rd ACM Conference on Data and Application Security and Privacy, CODASPY 2013
AU - Zhao, Rui
AU - Yue, Chuan
N1 - Copyright:
Copyright 2013 Elsevier B.V., All rights reserved.
PY - 2013
Y1 - 2013
AB - Web users face the daunting challenge of creating, remembering, and using more strong passwords than ever before in order to protect their valuable assets on different websites. Password managers are one of the most popular approaches to addressing this challenge: they save users' passwords and later automatically fill login forms on the user's behalf. Fortunately, all five of the most popular Web browsers provide a password manager as a useful built-in feature. Unfortunately, the designs of all these Browser-based Password Managers (BPMs) have severe security vulnerabilities. In this paper, we uncover the vulnerabilities of existing BPMs and analyze how attackers can exploit them to crack users' saved passwords. Moreover, we propose a novel Cloud-based Storage-Free BPM (CSF-BPM) design that achieves a high level of security with the desired confidentiality, integrity, and availability properties. We have implemented a CSF-BPM system in Firefox and evaluated its correctness and performance. We believe CSF-BPM is a rational design that can also be integrated into other popular Web browsers.
KW - Cloud
KW - Password manager
KW - Phishing
KW - Security
KW - Web browser
UR - http://www.scopus.com/inward/record.url?scp=84874835434&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84874835434&partnerID=8YFLogxK
U2 - 10.1145/2435349.2435397
DO - 10.1145/2435349.2435397
M3 - Conference contribution
AN - SCOPUS:84874835434
SN - 9781450318907
T3 - CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy
SP - 333
EP - 340
BT - CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy
Y2 - 18 February 2013 through 20 February 2013
ER -