Password Manager study shows that passwords may be exposed to attackers

Martin Brinkmann
Dec 21, 2013
Updated • Dec 21, 2013

Using a password manager is one of the few options that you have to make sure to secure all of your online accounts with secure, impossible to guess passwords.

The main reason for it is that most Internet users find it impossible to remember secure passwords for dozens or even hundreds of web services, unless they use simple basic rules or use the same password repeatedly.

While web browsers such as Firefox or Google Chrome make available an abundance of password managers, it usually comes down to selecting a password manager that is offering the features that you require of it.

The actual security of the password manager, how it handles passwords, when it sends them to servers and when not, is not really transparent most of the time.

A recent study "Password Managers Exposing Passwords Everywhere" by Marc Blanchou and Paul Youn of Isecpartners analyzed how browser-based password managers interact with websites when they are activated.

The researchers examined LastPass, IPassword and MaskMe for Chrome and Firefox, and OneLastPass for Chrome. Specifically, they looked at when and how those password managers filled out password information.

The result may come as a surprise to users of password managers, but all four of the examined programs have been found to misbehave in one way or the other.

HTTP vs HTTPS: The MaskMe password manager does not distinguish between HTTP and HTTPS schemes, which means that it will fill out the password form regardless of scheme. This can be exploited by man-in-the-middle attacks for example.

A man-in-the-middle attacker, say on a public wireless network, could simply redirect victims to fake HTTP versions of popular websites with login forms and JavaScript that auto-submits after they are automatically filled in by MaskMe. Anyone using MaskMe with auto-fill enabled (this is the default behavior) could very quickly have their passwords stolen by simply connecting to a malicious access point, and victims would never know.

Submitting Passwords across origins: LastPass, OneLastPass and MaskMe were found to submit passwords accros origins. What is mean by that is that the affected password managers will fill out and send authentication information on sites even if the address the information are submitted to is different from the site the user is on.

Ignore subdomains: All four password managers handle subdomains equal to root domain. This means that login information are filled out on the root domain, but also on all subdomains of the same domain name.

Login Page: All password managers examined in the study do not limit their activities to a login page that was previously used by the user. If a login has been saved for a domain name, all login forms on that domain name are handled as that regardless of whether they have been used before or not.

These practices, some handled this way for convenience, may put users at risk, as attackers may use these issues to steal password information.

The researchers suggest that users do not make use of auto-fill and auto-login functionality that some password managers offer. All companies have been informed about the results.


Previous Post: «
Next Post: «


  1. Jeff said on February 3, 2014 at 11:14 pm

    Another downside to MaskMe. It does not differentiate between a successful login and an unsuccessful one. That means you can accidentally overwrite an important password with another one by guessing when it doesn’t autofill.

  2. Virtualguy said on December 31, 2013 at 8:20 am
  3. Bruce W said on December 31, 2013 at 1:36 am

    No software can replace common sense and a little vigilance, that being said I’m not surprised to see LastPass featured in your screenshot, they were hacked multiple times in the same year and are not exactly known for being the most secure password manager on the market like RoboForm.

  4. Lance said on December 30, 2013 at 9:43 pm

    Can you give RoboForm a try and review it here. That’s the one I’ve been using forever and love it, so it would be interesting to see how it compares.

  5. Virtualguy said on December 23, 2013 at 8:13 pm

    Happy Holidays.

    1. Alan said on December 26, 2013 at 4:02 pm

      KeePass is the best! I’ve been using it for years, no problems to report. Terrific product, and free!

  6. Virtualguy said on December 23, 2013 at 5:23 pm

    This confirms, yet again, that developing one simple keystroke pattern formula is superior to password managers. You only need to remember the formula… one simple formula… that applies to every online account, yet gives each account a different passphrase.

    Start your formula with the last letter in the domain name. You could start with the first letter, or the second letter, or the second to the last letter. But, for this example, we will start with the last letter. Example… ghacks… we start with ‘s’. Hold the shift key and tap out 3 upper case S’s, so your formula starts with ‘SSS.’ You could only do one or two S’s, but there is good reason to start with three.

    Your pattern, in this example, will include the row of keys that starts with Q and the row that starts with A. You will tap a pattern that goes up and down, and right to left, or left to right, whichever you decide works best for you in your default pattern. My default pattern is left to right. But, if the pattern starts with a key on the right side of the keyboard, I move right to left so there will be enough keys to tap for a 10 to 14 key pattern. I know this sounds a bit confusing. But, once you tap out your pattern, you will see how simple and genius it really is.

    So, after you tap out the 3 upper case S’s, start your pattern with the first letter that appears in the domain name. Remember, this is just an example. You could start with any letter… the first, second, third, fourth… as along as you use/apply the exact same formula every time. That way, for any number of online accounts, you only need to remember a single formula and apply that formula, which produces the correct passphrase.

    In this case, we will start our pattern with the first letter in ghacks, which happens to be ‘g’. In this pattern, you tap the lower case ‘g’, then tap the key just above the g (or your could chose the row of keys just below, in which case you would tap the key just below ‘g’). To continue the pattern, you then tap the next two keys to the right, using an down, up, left to right pattern. BUT, on every other set of keys, you hold the Shift key to give you an upper case, lower case passphrase.

    If you follow the instructions above, you would have a passphrase that looks something like this:


    Try to “brute force” that passphrase and tell me how long it takes. ;-)

    Now, you can apply that same, simple formula to any number of online accounts, and that single formula gives you many different passphrases that can be very strong.

    The only hard part is changing the way you think about passwords. Stop using passwords and start using keystroke forumlas. One formula can be applied to any number of accounts and all accounts would have a strong, unique passphrase that doesn’t need to be remembered.

    Some of you may never get this concept. But, those who do will never need a password manager, period.

    1. Netpiot said on December 23, 2013 at 8:47 pm

      @Virtualguy: I’m pretty sure I’ve seen your formula described elsewhere by you. The part I don’t remember is why you triple the first character. Is it just to ‘salt’ and lengthen the password?

      1. Virtualguy said on December 23, 2013 at 9:09 pm

        Yes. Adding 3 consecutive characters is based on something I read by Steve Gibson, of fame. As I recall, on his “Password Haystacks” page, he once wrote that adding three consecutive characters was an easy way to increase the size of the haystack (as in ‘looking for a needle in a haystack’), and no password cracking tool would expect you to use 3 consecutive characters in a row, further confusing a password cracking attempt. I just do it because it is a simple way to way to add a prefix to my keystroke pattern, and the prefix changes, based on the domain or account name.

        You can think of a keystroke pattern as having a prefix, a pattern, and a suffix. My suffix is repeating the last key of the keystroke pattern about 4 or 5 times, to increase the size of the ‘haystack.’ But, the keystroke pattern method of making and remembering passwords doesn’t need either a prefix or a suffix. If the keystroke pattern itself is long enough, it makes a very strong password.

        I only mention this to demonstrate that there are any number of ways that each individual can create their own unique keystroke pattern.

        Using only one keystroke pattern is the easiest. But, you can also have a quick and easy pattern for unimportant accounts, and a more complex, robust pattern for important accounts, like banking.

  7. Eric said on December 23, 2013 at 2:55 pm

    Being a blogger and someone who is managing more than 20 websites, Password Managers are very helpful to me. I’m currently using LastPassword – im just not using the auto-fill and auto-login features.

  8. Martin Turner said on December 23, 2013 at 2:31 pm

    So what do you use ilev? I just became interested in KeePass.

  9. Madhav Tripathi said on December 22, 2013 at 2:31 pm

    I use Last Pass as my password manager so I remember only master password. Getting this exposed will be one of the worst thing.

  10. ilev said on December 22, 2013 at 6:29 am

    According to news the NSA has paid RSA $10 million for adding a backdoor.

    1. Dwight Stegall said on December 23, 2013 at 8:36 pm


  11. Sue said on December 22, 2013 at 12:14 am

    Another +1 for Richard. When traveling, you can’t turn off your brain and blindly follow your GPS. The same is true when traveling the internet. If a hacker’s webpage comes up, it doesn’t much matter if you fill in the form using your password manager or manually type in your username and password from the post-it note stuck to your computer monitor. In both cases your information has been comprised.

  12. Dan said on December 21, 2013 at 9:37 pm

    I give up. It’s impossible to be secure these days. My strategy will be to give away everything to charity so that I have nothing to lose, and then use the same simple password for every site I go to. Oh, but wait, I will have given away my PC . . . .

  13. Richard Steven Hack said on December 21, 2013 at 9:30 pm

    Oh, and one other point. ANY program can be vulnerable to compromise absent a mathematical proof that it can’t – which is next to impossible on any program of serious size. This is why the TrueCrypt encryption program is being audited.

    So password managers could possibly be subverted at any time, either via malware installed on your machine by other means or through its interaction with the browsers. So they should be used judiciously just like any other program.

    In the end, the responsibility for your security resides in you.

  14. Richard Steven Hack said on December 21, 2013 at 9:22 pm

    All this means is that password managers are no better at determining WHEN it’s safe to provide the password they’ve stored than humans are and probably worse. This can’t be a surprise to anyone. One can’t expect a password manager to be able to analyze a situation and determine every possible way a hacker can breach a browser.

    They still provide the immensely useful function of generating decent passwords and then storing multiple passwords so YOU don’t have to remember them all.

    All this means is that you have to be careful you’re entering the password in the right form. And that isn’t easy given how many ways a browser’s UI can be compromised.

    Most experts advise using separate passwords for every site. Frankly, that’s overkill. What you need is one “disposable” password for sites the breach of which wouldn’t affect the REST of the passwords you use for important sites (like your bank.) Ninety percent of the sites you have to use passwords on are sites that if your password was exposed, you wouldn’t care because the fact that you’re on that site is completely irrelevant to anything and is unconnected to anything important.

    Too many sites require logins and passwords these days (for reasons having to do with spam posts and the like.) On those sites, use the same password – as long as you’re not putting ANY other personal information on them. In other words, only do this on sites where the only personal information you are giving out is a user name and a password. DO NOT use the same password for social media sites where you input personal information. THAT information CAN be used to social engineer you or someone else to your or their detriment and should be protected by a strong password.

    And if you use a password manager with auto-fill on those “irrelevant” sites, there’s little harm since the password is useless for extracting your personal information. So you can use a password manager on most of the sites you visit reasonably safely – just don’t use them on sites that require more protection (such as social media sites, your bank, etc.)

    1. Netpiot said on December 21, 2013 at 10:56 pm

      ^ +1

  15. Kulm said on December 21, 2013 at 6:36 pm

    Note on KeePass; there is a plug-in (or two) that auto fills password fields.
    I don’t use them so I’m not sure if they are any different than these others.

  16. ilev said on December 21, 2013 at 6:33 pm

    I don’t use password managers and never save passwords.
    I don’t trust any of them nor the cloud.

  17. Netpiot said on December 21, 2013 at 6:25 pm

    As a long time user of RoboForm (I have no affiliation with them), I would be also be interested in learning about its behavior under the same test conditions.

    I do know that it will warn if the URL (exact page or subdomain) does not match exactly when filling a form manually. Their ‘PassCards’ store a ‘GoTo’ URL and a ‘Match’ URL separately, just for that reason.

    An additional piece of advice for RoboForm users is to always highlight only the fields you want filled before manually filling them, in case there are hidden fields which could collect unintended information. RoboForm also separately warns whenever potentially sensitive information (credit card info) is filled, which adds to their security.

    @Martin: The ‘Contact Us’ page on their web site seems to be intended for press inquiries. It would be most helpful if you contacted them on our behalf about the other password managers mentioned in the comments here and followed up with their reply.

  18. sirpaul2 said on December 21, 2013 at 5:12 pm

    Well, at the moment, that sux! So, they’re not actually safer (as stated on their sites), just more convenient.
    Time to re-think! Any info on KeePass, AI RoboForm, or Kaspersky PM?

  19. Ed said on December 21, 2013 at 4:59 pm

    Would liked to have seen RoboForm included in the research.

  20. RichF said on December 21, 2013 at 3:27 pm

    Yet more reasons to keep to Keepass. I never did trust the browser-based managers, thankfully.

  21. Andrew said on December 21, 2013 at 3:12 pm

    so, you’re saying it’s safer to write passwords down in a little ‘red’ book.

    1. Martin Brinkmann said on December 21, 2013 at 4:50 pm

      No. I’m saying that you may want to configure your password manager to block auto-fill and auto-send, and to check very carefully if the login form is legit.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.