Password Manager study shows that passwords may be exposed to attackers
Using a password manager is one of the few practical options for securing all of your online accounts with strong, hard-to-guess passwords.
The main reason is that most Internet users find it impossible to remember secure passwords for dozens or even hundreds of web services, unless they fall back on simple rules or reuse the same password everywhere.
While web browsers such as Firefox or Google Chrome offer a wide choice of password manager extensions, the decision usually comes down to picking the one that offers the features you require.
The actual security of a password manager, how it handles passwords, and when it sends them to servers and when it does not, is rarely transparent to the user.
A recent study, "Password Managers: Exposing Passwords Everywhere" by Marc Blanchou and Paul Youn of iSEC Partners, analyzed how browser-based password managers interact with websites when they are active.
The researchers examined LastPass, 1Password and MaskMe for Chrome and Firefox, and OneLastPass for Chrome. Specifically, they looked at when and how those password managers filled out password information.
The result may come as a surprise to users of password managers, but all four of the examined programs have been found to misbehave in one way or the other.
HTTP vs HTTPS: The MaskMe password manager does not distinguish between HTTP and HTTPS schemes, which means that it will fill out the password form regardless of scheme. This can be exploited by man-in-the-middle attacks for example.
Submitting passwords across origins: LastPass, OneLastPass and MaskMe were found to submit passwords across origins. This means that the affected password managers will fill out and send authentication information on a site even if the address the form submits to belongs to a different origin than the site the user is on.
Ignoring subdomains: All four password managers treat subdomains the same as the root domain. This means that login information is filled out not only on the root domain, but also on every subdomain of the same domain name.
Login Page: All password managers examined in the study do not limit their activities to a login page that was previously used by the user. If a login has been saved for a domain name, all login forms on that domain name are handled as that regardless of whether they have been used before or not.
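The four findings above each correspond to a check an autofill routine can make before it touches a form. The following JavaScript is an added example written for this article, not code from any of the password managers named in it: a strict autofill policy that refuses to fill unless the page's exact origin (scheme, host and port) matches the origin the credential was saved on, the page is served over HTTPS, the form submits to that same origin, and the page path is the login page the credential was originally captured on. The saved-credential record, the `autofillDecision` function and the sample URLs are all constructed for the example.

```javascript
// Added example: a strict autofill policy of the kind the study's findings argue for.
// Not code from any password manager. The credential record shape, the function names
// and the sample origins are assumptions made for this example.

// A saved credential records the exact origin and login-page path it was captured on.
// (Constructed sample data.)
const SAVED_CREDENTIALS = [
  { origin: "https://accounts.example.com", loginPath: "/login", username: "alice" },
];

// Decide whether to fill a login form on `pageHref` whose action is `formAction`.
// Returns { fill, reasons, username }; `reasons` lists every failed check so a
// user or auditor can see why the form was left untouched.
function autofillDecision(pageHref, formAction, saved = SAVED_CREDENTIALS) {
  const reasons = [];
  let page, action;
  try {
    page = new URL(pageHref);
    action = new URL(formAction, page); // a relative action resolves against the page
  } catch {
    return { fill: false, reasons: ["unparseable URL"], username: null };
  }

  // 1. Exact origin match. URL.origin includes the scheme, so "http://" never matches a
  //    credential saved on "https://", and "login.accounts.example.com" never matches
  //    "accounts.example.com" (no subdomain sharing).
  const cred = saved.find((c) => c.origin === page.origin);
  if (!cred) reasons.push(`no credential saved for origin ${page.origin}`);

  // 2. HTTP-only pages are never filled, independent of what is saved.
  if (page.protocol !== "https:") reasons.push("page is not served over HTTPS");

  // 3. The form must submit to the page's own origin (no cross-origin submission).
  if (action.origin !== page.origin) {
    reasons.push(`form submits to a different origin: ${action.origin}`);
  }

  // 4. Only the login page the credential was captured on is filled, not every
  //    form on the domain.
  if (cred && page.pathname !== cred.loginPath) {
    reasons.push(`path ${page.pathname} is not the saved login page ${cred.loginPath}`);
  }

  const fill = reasons.length === 0;
  return { fill, reasons, username: fill ? cred.username : null };
}

// Walk through the four situations described in the article with constructed URLs.
function demo() {
  const cases = [
    ["https://accounts.example.com/login", "/session"],                 // legitimate
    ["http://accounts.example.com/login", "/session"],                  // HTTP, not HTTPS
    ["https://accounts.example.com/login", "https://other.example.net/collect"], // cross-origin
    ["https://blog.accounts.example.com/login", "/login"],              // subdomain
    ["https://accounts.example.com/help/contact", "/login"],            // non-login page
  ];
  return cases.map(([page, action]) => ({ page, ...autofillDecision(page, action) }));
}

for (const r of demo()) {
  console.log(r.fill ? "FILL" : "SKIP", r.page, r.reasons.join("; "));
}
```

Only the first case is filled; each of the other four is refused with at least one reason naming the failed check, which is exactly the behaviour the study found missing in the examined extensions.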
These practices, some of them chosen for convenience, may put users at risk, as attackers may use these issues to steal password information.
The researchers suggest that users do not make use of the auto-fill and auto-login functionality that some password managers offer. All companies have been informed about the results.