Related papers: Passwords Are Meant to Be Secret: A Practical Secure Password Entry Channel for Web Browsers

Passwords Are Meant to Be Secret: A Practical Secure Password Entry Channel for Web Browsers

URL: http://arxiv.org/abs/2402.06159v1
Date: Fri, 9 Feb 2024 03:21:14 GMT
Title: Passwords Are Meant to Be Secret: A Practical Secure Password Entry Channel for Web Browsers
Authors: Anuj Gautam, Tarun Kumar Yadav, Kent Seamons, Scott Ruoti,
Abstract summary: Malicious client-side scripts and browser extensions can steal passwords after they have been autofilled by the manager into the web page. This paper explores what role the password manager can take in preventing the theft of autofilled credentials without requiring a change to user behavior.
Score: 7.049738935364298
License: http://creativecommons.org/licenses/by/4.0/
Abstract: Password-based authentication faces various security and usability issues. Password managers help alleviate some of these issues by enabling users to manage their passwords effectively. However, malicious client-side scripts and browser extensions can steal passwords after they have been autofilled by the manager into the web page. In this paper, we explore what role the password manager can take in preventing the theft of autofilled credentials without requiring a change to user behavior. To this end, we identify a threat model for password exfiltration and then use this threat model to explore the design space for secure password entry implemented using a password manager. We identify five potential designs that address this issue, each with varying security and deployability tradeoffs. Our analysis shows the design that best balances security and usability is for the manager to autofill a fake password and then rely on the browser to replace the fake password with the actual password immediately before the web request is handed over to the operating system to be transmitted over the network. This removes the ability for malicious client-side scripts or browser extensions to access and exfiltrate the real password. We implement our design in the Firefox browser and conduct experiments, which show that it successfully thwarts malicious scripts and extensions on 97\% of the Alexa top 1000 websites, while also maintaining the capability to revert to default behavior on the remaining websites, avoiding functionality regressions. Most importantly, this design is transparent to users, requiring no change to user behavior.

Related papers

A Large-Scale Survey of Password Entry Practices on Non-Desktop Devices [2.8698289487200856]
We find that password entry on devices without password managers is a common occurrence and comes with significant usability challenges. These challenges lead users to weaken their passwords to increase the ease of entry. We conclude this paper with a discussion of how future research could address these challenges and encourage users to adopt generated passwords.
arXiv Detail & Related papers (2024-09-04T19:28:36Z)
Exploiting Leakage in Password Managers via Injection Attacks [16.120271337898235]
This work explores injection attacks against password managers. In this setting, the adversary controls their own application client, which they use to "inject" chosen payloads to a victim's client via, for example, sharing credentials with them.
arXiv Detail & Related papers (2024-08-13T17:45:12Z)
The Emperor is Now Clothed: A Secure Governance Framework for Web User Authentication through Password Managers [0.9599644507730105]
Existing approaches to facilitate the interaction between password managers and web applications fall short of providing adequate functionality and mitigation strategies against prominent attacks. We propose Berytus, a browser-based governance framework that mediates the interaction between password managers and web applications.
arXiv Detail & Related papers (2024-07-09T19:49:49Z)
Nudging Users to Change Breached Passwords Using the Protection Motivation Theory [58.87688846800743]
We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords. Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.
arXiv Detail & Related papers (2024-05-24T07:51:15Z)
Not All Prompts Are Secure: A Switchable Backdoor Attack Against Pre-trained Vision Transformers [51.0477382050976]
An extra prompt token, called the switch token in this work, can turn the backdoor mode on, converting a benign model into a backdoored one. To attack a pre-trained model, our proposed attack, named SWARM, learns a trigger and prompt tokens including a switch token. Experiments on diverse visual recognition tasks confirm the success of our switchable backdoor attack, achieving 95%+ attack success rate.
arXiv Detail & Related papers (2024-05-17T08:19:48Z)
Systematic Solutions to Login and Authentication Security Problems: A Dual-Password Login-Authentication Mechanism [0.0]
Credential theft and remote attacks are the most serious threats to user authentication mechanisms. We design a dual-password login-authentication mechanism, where a user-selected secret-free login password is converted into an untypable authentication password. The authenticatable functionality of the login password and the typable functionality of the authentication password can be disabled or invalidated to prevent credential theft and remote attacks.
arXiv Detail & Related papers (2024-04-02T10:05:47Z)
ROSTAM: A Passwordless Web Single Sign-on Solution Mitigating Server Breaches and Integrating Credential Manager and Federated Identity Systems [0.0]
We envision a passwordless future which provides a frictionless and trustworthy online experience for users by integrating credential management and federated identity systems. In this regard, our implementation ROSTAM offers a dashboard that presents all applications the user can access with a single click after a passwordless SSO. The security of web passwords on the credential manager is ensured with a Master Key, rather than a Master Password, so that encrypted passwords can remain secure even if stolen from the server.
arXiv Detail & Related papers (2023-10-08T16:41:04Z)
PassGPT: Password Modeling and (Guided) Generation with Large Language Models [59.11160990637616]
We present PassGPT, a large language model trained on password leaks for password generation. We also introduce the concept of guided password generation, where we leverage PassGPT sampling procedure to generate passwords matching arbitrary constraints.
arXiv Detail & Related papers (2023-06-02T13:49:53Z)
RiDDLE: Reversible and Diversified De-identification with Latent Encryptor [57.66174700276893]
This work presents RiDDLE, short for Reversible and Diversified De-identification with Latent Encryptor. Built upon a pre-learned StyleGAN2 generator, RiDDLE manages to encrypt and decrypt the facial identity within the latent space.
arXiv Detail & Related papers (2023-03-09T11:03:52Z)
Backdoor Attack against Speaker Verification [86.43395230456339]
We show that it is possible to inject the hidden backdoor for infecting speaker verification models by poisoning the training data. We also demonstrate that existing backdoor attacks cannot be directly adopted in attacking speaker verification.
arXiv Detail & Related papers (2020-10-22T11:10:08Z)
Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection [44.040106718326605]
The choice of password composition policy to enforce on a password-protected system represents a critical security decision. In practice, this choice is not usually rigorous or justifiable, with a tendency for system administrators to choose password composition policies based on intuition alone. We propose a novel methodology that draws on password probability distributions constructed from large sets of real-world password data.
arXiv Detail & Related papers (2020-07-07T22:12:13Z)

This list is automatically generated from the titles and abstracts of the papers in this site.