Corpus ID: 9348888

Vulnerability and Risk Analysis of Two Commercial Browser and Cloud Based Password Managers

@article{Zhao2013VulnerabilityAR,
  title={Vulnerability and Risk Analysis of Two Commercial Browser and Cloud Based Password Managers},
  author={Rui Zhao and Chuan Yue and Kun Sun},
  journal={Science},
  year={2013},
  volume={2},
  pages={183-197}
}
Web users are confronted with the daunting challenge of managing more and more passwords to protect their valuable assets on different online services. Password managers are one of the most popular solutions designed to address this challenge by saving users' passwords and later auto-filling login forms on their behalf. All the major browser vendors provide a password manager as a built-in feature, and third-party vendors have also provided many password managers. In this paper, we…
Toward a secure and usable cloud-based password manager for web browsers
This paper uncovers the vulnerabilities of existing BPMs, analyzes how they can be exploited by attackers to crack users' saved passwords, and proposes a novel Cloud-based Storage-Free BPM (CSF-BPM) design to achieve a high level of security with the desired confidentiality, integrity, and availability properties.
Analysis on the Security and Use of Password Managers
This paper goes over three open-source password managers, each chosen for its own uniqueness, and concludes on the overall security of each password manager using a list of established attacks and the development of new potential attacks on such software.
Studying the Impact of Managers on Password Strength and Reuse
It is quantified for the first time that password managers indeed benefit password strength and uniqueness; however, the results also suggest that those benefits depend on the users' strategies and that managers without password generators rather aggravate the existing problems.
Privacy Preserving Against Untrusted Browser Origins and Personalized Powerful Password Management
This study indicates the growing and ongoing use of passwords (PW) and the necessity of efficient PW management, especially for web-browser-based applications, and proposes a categorization of PW users.
Implementation of a TPM-based security enhanced browser password manager
  • Yuchen He, Rui Wang, W. Shi
  • Computer Science
  • Wuhan University Journal of Natural Sciences
  • 2016
This work proposes an approach based on a hardware trusted platform module (TPM) that encrypts users' passwords with keys generated by the TPM, using a master password as the credential for authorization to access the TPM.
Usability, security and trust in password managers: A quest for user-centric properties and features
A systematic literature review is performed, in which thirty-two articles with coherent outcomes associated with usability and security are selected, and meaningful suggestions for realising a usable, secure and trustworthy password manager are presented.
Killing the Password and Preserving Privacy With Device-Centric and Attribute-Based Authentication
This architecture effectively deems the password paradigm obsolete with minimal modification of the service provider's software stack, and proposes a privacy-preserving architecture for device-centric and attribute-based authentication based on the separation of the concerns of Authorization, Authentication, Behavioral Authentication and Identification.
PolyPass - A Convenient Password Manager
Online services are getting more and more integrated into our daily lives. Users rarely concern themselves with strong security practice, even when confronted with massive user credential breaches.
Vulnerability exploration and data protection in end-user applications
This dissertation explores the vulnerabilities in both end-user applications and end users: it investigates vulnerabilities of the password managers in the five most popular Web browsers, investigates vulnerabilities of two commercial browser-extension and cloud-based password managers, and investigates cross-site input inference attacks on mobile Web users.
An Analysis of the Virtual Machine Migration Incurred Security Problems in the Cloud
It is pinpointed that the migration of VM instances from one physical machine to another can weaken or even nullify the security protections provided by intrusion prevention systems and intrusion detection systems to the original VM instances.