That Was Then, This Is Now: A Security Evaluation of Password

Generation, Storage, and Autofill in Browser-Based Password Managers

Scott RuotiSean Oesch

Motivation

• Passwords are still the dominant form of authentication, but they have serious shortcomings

• Password managers can help users generate strong, unique passwords, but how secure are the password managers themselves?

2

3

Generation

Storage

Autofill

The password lifecycle

Standalone App Password Managers

4

Extension Based Password Managers

5

Browser Password Managers

6

7

Autofill, Generation, and StorageRecommended behaviors and security concerns

8

Autofill

• Require user interaction before filling credential• Prevents automatic credential scraping

• Increases the probably the user can detect attacks

• Refuse to fill forms in iframes• Significantly reduces the attack surface

• Refuse to submit password over insecure connections

• Avoid filling suspicious forms

9

10

Firefox Credential Scraping Demo

11

Generation

• Generate passwords that are resilient to online/offline attack• Resist ~106 guesses for online resilience

• Resist ~1014 guesses for offline resilience

• Preserve safe settings− Default: length 20, all character sets

− Modify: length 8, letters and digits

− Should restore default secure settings after modification

12

13

Random But Weak Passwords

14

• Most randomly generated passwords are resilient to online and offline attacks

• A small portion will be trivially guessed by brute force attacks• LastPass - 17M users, generate 1

password each, 730 weak passwords

• Probability is negligible for sufficiently long passwords• 10 characters for online resistance• 18 characters for offline resistance

Storage

• Master password should be strong• Single point of failure

• Strong Key Derivation Function (KDF) should be used

• Metadata should be encrypted

15

16

Wrap-upRecommendations and future work

17

Conclusion• Recommendations• Require user interaction for autofill• Filter weak passwords during generation• Better master password policies for storage

• Future Work• Browser-supported password managers− Safer autofill

• Research-derived character sets• HTML-supported password generation• Mobile password managers

18

Thanks for Joining!

Contact: toesch1@vols.utk.edu

19