DOI: 10.1145/2435349.2435397

All your browser-saved passwords could belong to us: a security analysis and a cloud-based new design

Published: 18 February 2013

Abstract

Web users face the daunting challenge of creating, remembering, and using more strong passwords than ever before in order to protect their valuable assets on different websites. Password managers are one of the most popular approaches to this challenge: they save users' passwords and later automatically fill the login forms on the users' behalf. Fortunately, all five of the most popular Web browsers provide a password manager as a built-in feature. Unfortunately, the designs of all of those Browser-based Password Managers (BPMs) have severe security vulnerabilities. In this paper, we uncover the vulnerabilities of existing BPMs and analyze how attackers can exploit them to crack users' saved passwords. Moreover, we propose a novel Cloud-based Storage-Free BPM (CSF-BPM) design that achieves a high level of security with the desired confidentiality, integrity, and availability properties. We have implemented a CSF-BPM system in Firefox and evaluated its correctness and performance. We believe CSF-BPM is a rational design that can also be integrated into other popular Web browsers.



Published In

CODASPY '13: Proceedings of the third ACM conference on Data and application security and privacy
February 2013
400 pages
ISBN:9781450318907
DOI:10.1145/2435349
General Chairs: Elisa Bertino, Ravi Sandhu
Program Chair: Lujo Bauer
Publications Chair: Jaehong Park
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. cloud
  2. password manager
  3. phishing
  4. security
  5. web browser

Qualifiers

  • Short-paper

Conference

CODASPY'13

Acceptance Rates

CODASPY '13 Paper Acceptance Rate 24 of 107 submissions, 22%;
Overall Acceptance Rate 149 of 789 submissions, 19%

Cited By

  • (2024) Password Managers and Vault Application Security and Forensics: Research Challenges and Future Opportunities. Digital Forensics and Cyber Crime, pp. 31-53. doi:10.1007/978-3-031-56583-0_3. Online publication date: 3-Apr-2024
  • (2023) "Would you give the same priority to the bank and a game? i do not!" Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security, pp. 171-190. doi:10.5555/3632186.3632196. Online publication date: 7-Aug-2023
  • (2022) Survey and Taxonomy of Adversarial Reconnaissance Techniques. ACM Computing Surveys, 55(6), pp. 1-38. doi:10.1145/3538704. Online publication date: 7-Dec-2022
  • (2021) They Would do Better if They Worked Together: The Case of Interaction Problems Between Password Managers and Websites. 2021 IEEE Symposium on Security and Privacy (SP), pp. 1367-1381. doi:10.1109/SP40001.2021.00094. Online publication date: May-2021
  • (2021) Intelligent and Secure Autofill System in Web Browsers. Proceedings of the 12th International Conference on Soft Computing and Pattern Recognition (SoCPaR 2020), pp. 10-19. doi:10.1007/978-3-030-73689-7_2. Online publication date: 16-Apr-2021
  • (2020) Password Managers—It’s All about Trust and Transparency. Future Internet, 12(11), article 189. doi:10.3390/fi12110189. Online publication date: 30-Oct-2020
  • (2020) A Pedagogic Analysis of Information Systems Security Measures in Online Services. 2020 15th International Conference for Internet Technology and Secured Transactions (ICITST), pp. 1-6. doi:10.23919/ICITST51030.2020.9351325. Online publication date: 8-Dec-2020
  • (2016) Passwords Management via Split-Key. Journal of Information Security, 7(3), pp. 206-214. doi:10.4236/jis.2016.73016. Online publication date: 2016
  • (2016) An Empirical Study of Mnemonic Sentence-based Password Generation Strategies. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1216-1229. doi:10.1145/2976749.2978346. Online publication date: 24-Oct-2016
  • (2016) UniPass. Proceedings of the 2016 ACM International Joint Conference on Pervasive and Ubiquitous Computing, pp. 49-60. doi:10.1145/2971648.2971722. Online publication date: 12-Sep-2016
