Password Managers Security Evaluation Report
For the experiment, the Google Chrome web browser, version 54.0.2840.71 m, was chosen. According to W3Schools’ statistics, almost 72.5% of Internet users browse web pages with Chrome, and the number has grown steadily since its release in September 2008 (W3School’s Famous Month-by-Month Browser Statistics). Moreover, there is a huge number of password managers in the Chrome Web Store, which facilitates the process of random sampling. The operating system platform is Windows 7 SP1 x64.
The following password manager extensions were selected for the research:
Passter Password Manager version 1.3.2 (Passter) has 4 755 users and handles login, password and credit card number data (passter.com). The auto-fill feature is user-controllable and enabled by default.
SaferPass: Free Password Manager version 4.2.26 (SaferPass) has 27 157 users and handles login and password credentials (saferpass.com). The extension's auto-fill function cannot be controlled by the user.
Limitlesslane – free Password Manager version 1.1.3 (Limitlesslane) has 203 users and handles login and password data (limitlesslane.com). The user has no access to the auto-fill function, and it is enabled by default.
As a website template for the experiment, the open-source registration system under Lesser General Public License was used (HTML Form Guide). Code modifications required by the terms of the experiment were made manually.
Experimental Results
During the experiment, the password managers were tested for their behavior when visiting login pages with the following attack types embedded: a different form action on load, a different form action on submit, and an iframe sweep attack, as classified by Silver et al. (3-4). The results of the tests are presented in the table (see Table 1), compared to the password manager behavior on a login page with its initial, safe properties.
Table 1
Password Managers Tests’ Results

| Password Manager | Initial login page properties | Different form action on load | Different form action on submit | Autocomplete = ‘off’ | Iframe sweep attack |
|---|---|---|---|---|---|
| Passter | Auto | Auto | Auto | Auto | No Fill |
| SaferPass | Auto | Auto | Auto | Auto | Auto |
| Limitlesslane | Auto | Controversial | Auto | Auto | Auto |

Table 1: results of the password manager behavior tests depending on the form action used, the autocomplete attribute, and the presence of an iframe HTML element embedding the login page from a dissimilar domain. Auto refers to automatic filling of login and password data. No Fill means that the password manager did not allow the authorization credentials to be filled either automatically or manually. Controversial implies that the manager behaved differently on the same page.
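The columns of Table 1 can be restated as a fill policy that a password manager should enforce: offer a stored credential only on its own origin, only in a top-level frame (or one framed by the same origin), only when the form's action resolves to that origin, and re-check the action at submit time because script can rewrite it after the fill. The JavaScript below is an added illustration of such a policy written for this report; it is not the code of Passter, SaferPass, Limitlesslane or Chrome, and the function names, the context fields and the domains (login.example.test, other-site.invalid) are constructed for the example.

```javascript
// Added example: a defensive auto-fill policy mirroring the attack classes
// of Table 1. Not the code of any tested extension; all names and the
// sample pages below are constructed for illustration.

// Resolve a form action (possibly relative or empty) against the page URL
// and return its origin, or null if it cannot be parsed.
function actionOrigin(action, pageUrl) {
  try {
    return new URL(action || '', pageUrl).origin;
  } catch (e) {
    return null;
  }
}

// Decision taken when the login form is found on load.
//   credentialOrigin: origin the stored credential belongs to
//   ctx.pageUrl:      URL of the document holding the form
//   ctx.isTopFrame:   whether that document is the top-level frame
//   ctx.topOrigin:    origin of the top-level frame
//   ctx.formAction:   value of the form's action attribute on load
//   ctx.autocomplete: value of the form's autocomplete attribute
// Returns 'auto', 'manual' (fill only on an explicit user click) or 'no-fill'.
function decideFill(credentialOrigin, ctx) {
  const pageOrigin = actionOrigin('', ctx.pageUrl);
  // The credential is only ever offered on its own origin.
  if (pageOrigin !== credentialOrigin) return 'no-fill';
  // Iframe sweep: a login page framed by a document of another origin gets
  // no fill at all, neither automatic nor manual (the "No Fill" column).
  if (!ctx.isTopFrame && ctx.topOrigin !== credentialOrigin) return 'no-fill';
  // Different form action on load: the credentials would be posted to a
  // foreign origin, so at most a user-initiated fill is permitted.
  if (actionOrigin(ctx.formAction, ctx.pageUrl) !== credentialOrigin) return 'manual';
  // autocomplete="off" is a site hint; this policy degrades to manual fill.
  if (ctx.autocomplete === 'off') return 'manual';
  return 'auto';
}

// Decision taken at submit time, after the fill: the action may have been
// rewritten by script in the meantime ("different form action on submit").
// Returns true if submission of the filled credentials may proceed.
function allowSubmit(credentialOrigin, ctx) {
  return actionOrigin(ctx.formActionAtSubmit, ctx.pageUrl) === credentialOrigin;
}

// Constructed scenarios, one per column of Table 1, plus a benign submit.
function runScenarios() {
  const site = 'https://login.example.test';
  const page = site + '/login.html';
  const base = { pageUrl: page, isTopFrame: true, topOrigin: site, formAction: 'login.php' };
  return {
    initial: decideFill(site, base),
    actionOnLoad: decideFill(site, { ...base, formAction: 'https://other-site.invalid/collect' }),
    actionOnSubmit: allowSubmit(site, { ...base, formActionAtSubmit: 'https://other-site.invalid/collect' }),
    autocompleteOff: decideFill(site, { ...base, autocomplete: 'off' }),
    iframeSweep: decideFill(site, { ...base, isTopFrame: false, topOrigin: 'https://other-site.invalid' }),
    benignSubmit: allowSubmit(site, { ...base, formActionAtSubmit: 'login.php' }),
  };
}

console.log(runScenarios());
```

Under this policy a manager would score Auto only in the first column of Table 1, degrade to a user-initiated fill when the action points elsewhere or autocomplete is off, refuse the submit when the action changes after the fill, and give No Fill under the iframe sweep, which is the behavior Passter alone showed in the last column.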
Vulnerabilities Description
The password managers turned out to be vulnerable to numerous attack types. The main vulnerabilities and how they manifested in the experiment are listed below.
Different form action on load. Passter filled in authorization data automatically when the form action differed on load. The extension's user interface appeared as soon as the fields loaded, so it may be concluded that the extension looked for the fields before analyzing the page.
SaferPass's auto-fill feature was also active while the form action differed on load. Like the previous manager, SaferPass added its interface elements right after the form loaded and pasted the user's credentials within a few seconds.
During the first attempt, Limitlesslane disabled auto-filling of the form with the altered action attribute, and it was possible to paste the data manually by clicking. However, after refreshing the login …