
Communications of the ACM

ACM TechNews

Critical Vulnerabilities in Web-Based Password Managers Found



Researchers have found vulnerabilities in several popular Web-based password managers.

Credit: turbosquid.com

Computer hackers could exploit vulnerabilities in popular Web-based password managers and learn users' credentials for arbitrary websites, according to researchers from the University of California, Berkeley.

The researchers say they analyzed LastPass, RoboForm, My1Login, PasswordBox, and NeedMyPassword to evaluate their security and to provide advice to "guide the design of current and future password managers." The team uncovered problems with different features, such as one-time passwords, bookmarklets, and shared passwords.

The researchers report that the root causes range from logic and authorization mistakes to misunderstandings of the Web security model, as well as conventional Web vulnerabilities such as cross-site request forgery (CSRF) and cross-site scripting (XSS).

"Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the Web authentication ecosystem," they caution.

The team advocates a defense-in-depth approach to thwart attackers. They plan to develop a tool that automates the process of identifying vulnerabilities, and they also intend to work on a principled, secure-by-construction password manager.

From Help Net Security


Abstracts Copyright © 2014 Information Inc., Bethesda, Maryland, USA

