Skip to main content
USENIX
  • Conferences
  • Students
Sign in
  • Overview
  • Symposium Organizers
  • At a Glance
  • Registration Information
    • Registration Discounts
    • Venue, Hotel, and Travel
  • Technical Sessions
  • Co-Located Workshops
  • Accepted Posters
  • Activities
    • Birds-of-a-Feather Sessions
    • Work-in-Progress Reports
  • Sponsorship
  • Students and Grants
  • Services
  • Questions?
  • Help Promote!
  • Flyer PDF
  • For Participants
  • Call for Papers
  • Past Symposia

sponsors

Gold Sponsor
Gold Sponsor
Gold Sponsor
Silver Sponsor
Bronze Sponsor
Bronze Sponsor
Bronze Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Media Sponsor
Industry Partner

twitter

Tweets by USENIXSecurity

usenix conference policies

  • Event Code of Conduct
  • Conference Network Policy
  • Statement on Environmental Responsibility Policy

You are here

Home » The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers
Tweet

connect with us

http://twitter.com/usenixsecurity
https://www.facebook.com/usenixassociation
http://www.linkedin.com/groups/USENIX-Association-49559/about
https://plus.google.com/108588319090208187909/posts
http://www.youtube.com/user/USENIXAssociation

The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers

Friday, August 1, 2014 - 10:00am
Authors: 

Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song, University of California, Berkeley

Abstract: 

We conduct a security analysis of five popular web-based password managers. Unlike “local” password managers, web-based password managers run in the browser. We identify four key security concerns for web-based pass- word managers and, for each, identify representative vul- nerabilities through our case studies. Our attacks are se- vere: in four out of the five password managers we stud- ied, an attacker can learn a user’s credentials for arbi- trary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared pass- words. The root-causes of the vulnerabilities are also di- verse: ranging from logic and authorization mistakes to misunderstandings about the web security model, in ad- dition to the typical vulnerabilities like CSRF and XSS. Our study suggests that it remains to be a challenge for the password managers to be secure. To guide future de- velopment of password managers, we provide guidance for password managers. Given the diversity of vulner- abilities we identified, we advocate a defense-in-depth approach to ensure security of password managers.

Zhiwei Li, University of California, Berkeley

Warren He, University of California, Berkeley

Devdatta Akhawe, University of California, Berkeley

Dawn Song, University of California, Berkeley

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {184483,
author = {Zhiwei Li and Warren He and Devdatta Akhawe and Dawn Song},
title = {The {Emperor{\textquoteright}s} New Password Manager: Security Analysis of Web-based Password Managers},
booktitle = {23rd USENIX Security Symposium (USENIX Security 14)},
year = {2014},
isbn = {978-1-931971-15-7},
address = {San Diego, CA},
pages = {465--479},
url = {https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/li_zhiwei},
publisher = {USENIX Association},
month = aug,
}
Download
Li PDF
View the slides

Presentation Video

Presentation Audio

MP3 Download OGG Download

Download Audio

  • Log in or    Register to post comments

Gold Sponsors

Silver Sponsors

Bronze Sponsors

Media Sponsors & Industry Partners

© USENIX

  • Privacy Policy
  • Contact Us