That Was Then, This Is Now: A Security Evaluation of Password Generation, Storage, and Autofill in Thirteen Password Managers
Sean Oesch, Scott Ruoti

TL;DR
This paper evaluates the security of thirteen popular password managers across password generation, storage, and autofill, revealing ongoing vulnerabilities and improvements since prior assessments, with implications for broad adoption.
Contribution
First comprehensive analysis of password generation in password managers, identifying vulnerabilities and providing recommendations for improvement and future research.
Findings
Generated passwords show non-random character distributions, leaving some of them vulnerable to online and offline guessing attacks.
Password storage still has issues like unencrypted metadata and unsafe defaults.
Browser-based password managers remain vulnerable to clickjacking and other attacks.
Abstract
Password managers have the potential to help users manage their passwords more effectively and to address many of the concerns surrounding password-based authentication; however, prior research has identified significant vulnerabilities in existing password managers. Since that time, five years have passed, leaving it unclear whether password managers remain vulnerable or whether they are now ready for broad adoption. To answer this question, we evaluate thirteen popular password managers and consider all three stages of the password manager lifecycle: password generation, storage, and autofill. Our evaluation is the first analysis of password generation in password managers, finding several non-random character distributions and identifying instances where generated passwords were vulnerable to online and offline guessing attacks. For password storage and autofill, we replicate past…
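The non-random character distributions reported above are the kind of defect a chi-square uniformity audit over a generator's output catches. The following is an added example (not code from the paper or from any of the evaluated password managers): a hypothetical flawed generator that picks a character class first and then a character within it, beside a uniform generator, with an audit that flags the skew. The character classes and the p ≈ 0.001 threshold are assumptions made for this illustration.

```python
import random
import secrets
import string
from collections import Counter

# Constructed character classes for this example; a real manager's sets differ.
LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, "!@#$%^&*")
CLASSES = [LOWER, UPPER, DIGITS, SYMBOLS]
ALPHABET = "".join(CLASSES)  # 70 symbols


def uniform_generate(length, rng=None):
    """Draw every character uniformly from the full alphabet (CSPRNG by default)."""
    rng = rng or secrets.SystemRandom()
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def class_first_generate(length, rng=None):
    """Hypothetical flawed generator: pick a class uniformly, then a character in it.
    Each digit is then emitted with probability 1/4 * 1/10 = 2.5%, each lowercase
    letter with 1/4 * 1/26 ~ 0.96%, so the output is far from uniform."""
    rng = rng or secrets.SystemRandom()
    return "".join(rng.choice(rng.choice(CLASSES)) for _ in range(length))


def chi_square(passwords, alphabet=ALPHABET):
    """Chi-square statistic of observed character counts against a uniform expectation."""
    counts = Counter("".join(passwords))
    total = sum(counts[c] for c in alphabet)
    expected = total / len(alphabet)
    return sum((counts[c] - expected) ** 2 / expected for c in alphabet)


def chi2_critical(df, z=3.09):
    """Wilson-Hilferty approximation of the chi-square critical value (z=3.09 ~ p=0.001)."""
    a = 2.0 / (9.0 * df)
    return df * (1.0 - a + z * a ** 0.5) ** 3


def distribution_is_skewed(passwords, alphabet=ALPHABET):
    """True when the character distribution is unlikely to be uniform at p < 0.001."""
    return chi_square(passwords, alphabet) > chi2_critical(len(alphabet) - 1)


def run_audit(seed=None, n=2000, length=16):
    """Audit both generators on n samples; returns (uniform_skewed, class_first_skewed)."""
    rng = random.Random(seed) if seed is not None else None  # seed only for a reproducible demo
    good = [uniform_generate(length, rng) for _ in range(n)]
    bad = [class_first_generate(length, rng) for _ in range(n)]
    return distribution_is_skewed(good), distribution_is_skewed(bad)


if __name__ == "__main__":
    print("(uniform skewed, class-first skewed):", run_audit(seed=1))  # (False, True)
```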
Taxonomy
Topics: User Authentication and Security Systems · Advanced Malware Detection Techniques · Privacy, Security, and Data Protection
