Computer hackers could exploit vulnerabilities in popular Web-based password managers and learn users' credentials for arbitrary websites, according to researchers from the University of California, Berkeley.
The researchers say they analyzed LastPass, RoboForm, My1Login, PasswordBox, and NeedMyPassword to evaluate their security and to provide advice to "guide the design of current and future password managers." The team uncovered problems with different features, such as one-time passwords, bookmarklets, and shared passwords.
The researchers report that the root causes range from logic and authorization mistakes to misunderstandings of the Web security model, as well as classic Web vulnerabilities such as CSRF (cross-site request forgery) and XSS (cross-site scripting).
"Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the Web authentication ecosystem," they caution.
The team advocates a defense-in-depth approach to thwart attackers. They plan to develop a tool that automates the process of identifying vulnerabilities, and they also intend to work on a principled, secure-by-construction password manager.
From Help Net Security
Abstracts Copyright © 2014 Information Inc., Bethesda, Maryland, USA