RESEARCH
The Hottest Ones

That Was Then, This Is Now: A Security Evaluation of Password Generation, Storage, and Autofill in Browser-Based Password Managers
Sean Oesch and Scott Ruoti, University of Tennessee (2020)

Evaluation of password hashing schemes in open source web platforms
Chaudhary, S., Schafeitel-Tähtinen, T., Helenius, M., & Berki, E. (2019).

Attacking Google Chrome's Strict Site Isolation via Speculative Execution and Type Confusion
Ayush Agarwal et al. (2022)

“Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?
Belenko, A., & Sklyarov, D. (2012).

Password Managers.
Tavis Ormandy (2021.06) vulnerability researcher

The Emperor’s New Password Manager:
Security Analysis of Web-based Password Managers
Zhiwei Li et al. (2014)

Gender Bias in Password Managers
Jeff Yan and Dearbhla McCabe (2022).


PM awareness and use were generally high among our participants. However, among participants who used third-party PMs instead of browser-built-in PMs, password reuse was significantly lower. Researchers also found that perceived ease of use was the most important factor in encouraging overall PM adoption, implying that PM adoption campaigns should emphasize PM usability. Perceived security appears to be an important factor in the adoption of third-party PMs.

Jeff Yan and Dearbhla McCabe (2022)
“The factors that women and men consider the most important or influential in choosing their password managers differ, too. Choice of convenience and brand are on the top of the women’s consideration, whereas security and the number of features top the list for men. This difference is statistically significant.”

Anuj Gautam, Shan Lalani, and Scott Ruoti, The University of Tennessee (2022)
“It enables websites to harmonize their PCP specification and checking, allowing modifications to the PCP file to update client and server checking automatically. Additionally, it supports opinionated generation algorithms (such as mobile-aware generation [13] and security-focused generation [24]), which would otherwise frequently generate non-compliant passwords. For password managers, this not only enhances the usability and utility of password management but also supports these generation algorithms.”
“Since password managers combine all user passwords in one location, brute force poses a threat to them. Researchers describe an improved approach that uses honey encryption (HE) in the password manager to enable resilience against brute-force assaults in order to get over this limitation.”

Ayush Agarwal et al. (2022)
“More specifically, we show that an attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled. We further demonstrate that the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension.”

Dereje Tirfe & Vivek Kumar Anand (2021.12.01)
In this survey, Dereje Tirfe and Vivek Kumar Anand briefly analyze various two-factor authentication types based on their performance and recommend the strongest multifactor authentication techniques accordingly.

Miguel Grilo, João F. Ferreira, and José Bacelar Almeida (2021)
“In this paper, we focus on a feature that most password managers offer that might impact the user’s trust, which is the process of generating a random password. We survey which algorithms are most commonly used and we propose a solution for a formally verified reference implementation of a password generation algorithm. We use EasyCrypt as our framework to both specify the reference implementation and to prove its functional correctness and security.”

N. Huaman, S. Amft, M. Oltrogge, Y. Acar and S. Fahl, (2021)
“Our results illustrate that a) password managers struggle to correctly implement authentication features such as HTTP Basic Authentication and modern standards such as the autocomplete-attribute and b) websites fail to implement clean and well-structured authentication forms. We conclude that some of our findings can be addressed by either PWM providers or web-developers by adhering to already existing standards, recommendations and best practices, while other cases are currently almost impossible to implement securely and require further research.”

Marek Tóth (2021.7.13)
“Most password managers have the autofill feature enabled by default, even though it reduces the security of the stored password.
If a user uses the default configuration or follows the password manager’s recommendation, it is possible to steal the saved login credentials from 11 of the 16 tested browsers and password managers in one mouse click. So the database/password on the website doesn’t have to be leaked, and the attacker still gets your data – all in readable and unencrypted form (in plaintext).”

Tavis Ormandy (2021.06) vulnerability researcher
“If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.
I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use.”

Hirak Ray, Flynn Wolf, and Ravi Kuber, University of Maryland, Baltimore County; Adam J. Aviv, The George Washington University (2021)
“Older adults who adopted PM were repeatedly recommended to do so by close family members. These advocates are crucial in encouraging broader adoption, and so actions to improve adoption among younger adults will percolate to the older population as well. Additionally, we identify the role that education and outreach can play to help provide familiarity to PMs, as well as providing more sense of urgency to utilize them by better describing the risks associated with poor password management practices. We also offer design implications for PM adoption targeted towards older adults.”

Sean Oesch and Scott Ruoti, University of Tennessee (2020)
“For password storage and autofill, we replicate past evaluations, demonstrating that while password managers have improved in the half-decade since those prior evaluations, there are still significant issues; these problems include unencrypted metadata, insecure defaults, and vulnerabilities to clickjacking attacks.”

Michael Carr & Siamak F. Shahandashti. (2020)
As proposed, perceived severity and perceived vulnerability of password loss strongly influenced intent to use password managers. However, perceived ease of use diminished the intent to use password managers, and trust is only partially supported. Our results indicate that ‘security’ aspects of password managers are more important than ‘usability’ aspects. The implications of these findings for password management are discussed.

Sunil Chaudhary, Tiina Schafeitel-Tähtinen, Marko Helenius, Eleni Berki (2019, August)
“This passage focuses on investigating properties and features that can elevate the usability, security, and trustworthiness of password managers, aiming at providing practical, simple, and useful guidelines for building a usable password manager.”

Ramakrishna Ayyagari & Jaejoo Lim & Olger Hoxha (2019)
“As proposed, perceived severity and perceived vulnerability of password loss strongly influenced intent to use password managers. However, perceived ease of use diminished the intent to use password managers, and trust is only partially supported. Our results indicate that ‘security’ aspects of password managers are more important than ‘usability’ aspects. The implications of these findings for password management are discussed.”

ISE (2019.02.19)
“However, we found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state.”

Chaudhary, S., Schafeitel-Tähtinen, T., Helenius, M., & Berki, E. (2019).
“Nowadays, the majority of web platforms in the Internet originate either from CMS to easily deploy websites or by web applications frameworks that allow developers to design and implement web applications. Considering the fact that CMS are intended to be plug and play solutions and their main aim is to allow even non-developers to deploy websites, we argue that the default hashing schemes rarely are modified. Also, recent studies suggest that even developers do not use appropriate hash functions to protect passwords, since they may not have adequate security expertise. Therefore, the default settings of CMS and web applications frameworks play an important role in the security of password storage. This paper evaluates the default hashing schemes of popular CMS and web application frameworks.”

AlSabah, M., Oligeri, G., & Riley, R. (2018).
“The contributions provided by this work are many-fold. First, our results contribute to the existing body of knowledge regarding how users include personal information in their passwords. Second, we illustrate the differences that exist in how users from different cultural/linguistic backgrounds create passwords. Finally, we study the (empirical and theoretical) guessability of the dataset based on two attacker models, and show that a state of the art password strength estimator inflates the strength of passwords created by users from non-English speaking backgrounds. We improve its estimations by training it with contextually relevant information.”

Carlos Luevanos, John Elizarraras, Khai Hirschi, and Jyh-haw Ye (2017)
“We will be going over three open-source password managers… Our results will conclude on the overall security of each password manager using a list of established attacks and development of new potential attacks on such software.”
“An attacker can keep a vulnerability they found secret and use it in a future attack. Additionally, quite a few open-source password managers do not have many features that strengthen security like more well-known, closed-source password managers do.”

David Silver et al. (2014)
Several autofill policies can lead to disastrous consequences where a remote network attacker can extract multiple passwords from the user’s password manager without any interaction with the user. We experiment with these attacks and with techniques to enhance the security of password managers. We show that our enhancements can be adopted by existing managers.

Zhiwei Li et al. (2014)
“We found critical vulnerabilities in all the password managers and in four password managers, an attacker could steal arbitrary credentials from a user’s account.”

Belenko, A., & Sklyarov, D. (2012).
“In this paper we will analyze applications designed to facilitate storing and management of passwords on mobile platforms, such as Apple iOS and BlackBerry. We will specifically focus our attention on the security of data at rest. We will show that many password keeper apps fail to provide claimed level of protection.”

Alan S. Brown, Elisabeth Bracken, Sandy Zoccoli, King Douglas (2004.6.15)
Two-thirds of passwords are based on personal characteristics, with the majority of the rest relating to relatives, friends, or lovers. Proper names and birthdays are the most common pieces of information used in password creation, accounting for roughly half of all password creations. Almost all respondents reuse passwords, with roughly two-thirds of passwords being duplicates.