From a computer-security perspective, the best Internet passwords are long and unique to one website, and contain a mix of letters, numbers, and special characters. Unfortunately, abiding by these guidelines can make logging in to different websites a challenging memory test. Password management tools are one solution for people who can’t keep all their passwords straight, but these tools can pose their own security risks. Now researchers have found a way to make some of these systems more secure.
“It’s a problem that needs to be taken seriously,” says Ben Adida, a research fellow with Harvard’s Center for Research on Computation and Society. Adida investigated the problem with Adam Barth, a postdoctoral fellow in computer science at the University of California, Berkeley, and Collin Jackson, a computer-science PhD candidate at Stanford University. Jackson recently gave a speech at MIT outlining the security problem and the team’s solution.
Typically, a bookmarklet-based password manager stores passwords for a user’s favorite websites on a central server somewhere. The next time the user visits one of those sites, he simply clicks on the bookmarklet to log in. “When the user clicks a bookmarklet, they’ve indicated that they want to release a password to the browser,” says Jackson. “The question is, which one?”
Adida, Barth, and Jackson found that while each bookmarklet dealt with the details of the operation differently, they all shared one fundamental problem: they couldn’t be trusted to know what website the user was actually visiting. With a few lines of code, the tool could be tricked into believing, for example, that the user was at her bank’s website when really she was at an attacker’s site.
“The attacks that we found worked a little bit differently for each password manager,” Jackson says. But all of the six tools analyzed could be manipulated to reveal a user’s stored passwords.