Abstract
Password manager and vault applications help users select strong passwords and store their credentials locally or in the cloud. Such apps have been studied by various security researchers, for example to identify potential vulnerabilities and bugs, as well as to propose techniques for forensically recovering artifacts relevant to an investigation, which is also the focus of this paper. Specifically, we review the extant literature on the security and forensics of password manager and vault applications with the objective of identifying existing limitations and challenges.
Copyright information
© 2024 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Nash, A., Choo, KK.R. (2024). Password Managers and Vault Application Security and Forensics: Research Challenges and Future Opportunities. In: Goel, S., Nunes de Souza, P.R. (eds) Digital Forensics and Cyber Crime. ICDF2C 2023. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 571. Springer, Cham. https://doi.org/10.1007/978-3-031-56583-0_3
DOI: https://doi.org/10.1007/978-3-031-56583-0_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-56582-3
Online ISBN: 978-3-031-56583-0
eBook Packages: Computer Science (R0)