Password Managers Security Evaluation Report example

Haven't found the essay you need?

We can write it for you. On time. 100% original.

Order Now
Text Preview

Password Managers Security Evaluation Report

For the experiment, Google Chrome web browser version 54.0.2840.71 m was chosen. According to W3Schools’ statistics, almost 72.5% of the Internet users browse web pages with Chrome, and the number is steadily growing since it is released in September 2008 (W3School’s Famous Month-by-Month Browser Statistics). Moreover, it there is a huge number of password managers Chrome Web Store, which facilitates the process of random sampling. The operating system platform is Windows 7 SP1 x64 bit.

Next password manager extensions were selected for research:

Passter Password Manager version 1.3.2 (Passter) has 4 755 users and operates login, password and credit card number data ( Auto-fill feature is controlled and enabled by default

SaferPass: Free Password Manager version 4.2.26 (SaferPass) has 27 157 users and operates login and password credentials ( Controlling the auto-fill function of the extension is impossible.

Limitlesslane – free Password Manager version 1.1.3 (Limitlesslane) has 203 users and operates login and password data ( The user has no access to auto-fill function, and it is enabled by default.

As a website template for the experiment, the open-source registration system under Lesser General Public License was used (HTML Form Guide). Code modifications required by the terms of the experiment were made manually.

Experimental Results

During the experiment, the password managers were tested for their behavior visiting the login pages with the following types of attacks embedded: different form actions on load, different form action on submit, and Iframe sweep attack as classified by Silver et al. (3-4). The results of the tests are presented in the table (see Table 1) compared to the password manager behavior on the login page with initial safe properties.

Table 1

Password Managers Tests’ Results

Password Manager

Initial login page properties

Different form action on load

Different for action on submit

Autocomplete = ‘off’

Iframe sweep attack






No Fill













Table 1: password managers behavior tests results depending on the form action used, autocomplete attribute and presence of the iframe HTML element with login page from the dissimilar domain. Auto refers to automatic auto-filling of login and password data. No Fill means that the password manager did not allow filling authorization credentials either automatically or manually. Controversial implies that the manager behaved differently on the same page.

Vulnerabilities Description

The password managers turned out to be vulnerable to numerous attack types. The main vulnerabilities and their manifestation under the experiment are listed below.

Different form action on load. Passter manager filled automatically authorization data when the form action was different on load. The user interface of the extension appeared right after the fields were loaded, so it may be concluded that the extension looked for the fields before page analysis.

SaferPass auto-fill feature was active while the form action was different on load, too. As far as the previous manager, SaferPass added it interface elements right after the form was loaded, and pasted user credentials in a few seconds.

During the first attempt, Limitlesslane disabled auto-filling of form with altered action attribute, and it was possible to paste the data manually by the click. However, after the refreshing of the login …

Download Full Essay Show full preview


Examples provided by Homework Lab are intended for the motivation and research purposes only. Do not submit any paper as your own piece of work. Every essay example belongs to students, who hold the copyright for the written content. Please, mind that the samples have been submitted to the Turnitin before and may show plagiarism in case of the repeated submission. Homework Lab does not bear any responsibility for the unauthorized submission of the examples.