The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers
Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song, University of California, Berkeley
We conduct a security analysis of five popular web-based password managers. Unlike “local” password managers, web-based password managers run in the browser. We identify four key security concerns for web-based password managers and, for each, identify representative vulnerabilities through our case studies. Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root causes of the vulnerabilities are also diverse, ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to typical vulnerabilities like CSRF and XSS. Our study suggests that building secure password managers remains a challenge. To guide future development, we provide guidance for password manager developers. Given the diversity of the vulnerabilities we identified, we advocate a defense-in-depth approach to ensuring the security of password managers.
author = {Zhiwei Li and Warren He and Devdatta Akhawe and Dawn Song},
title = {The {Emperor{\textquoteright}s} New Password Manager: Security Analysis of Web-based Password Managers},
booktitle = {23rd USENIX Security Symposium (USENIX Security 14)},
year = {2014},
isbn = {978-1-931971-15-7},
address = {San Diego, CA},
pages = {465--479},
url = {https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/li_zhiwei},
publisher = {USENIX Association},
month = aug
}