They Would do Better if They Worked Together: The Case of Interaction Problems Between Password Managers and Websites

Huaman, Nicolas and Amft, Sabrina and Oltrogge, Marten and Acar, Yasemin and Fahl, Sascha
(2021) They Would do Better if They Worked Together: The Case of Interaction Problems Between Password Managers and Websites.
In: 42nd IEEE Symposium on Security and Privacy, IEEE S&P 2021., May 24-27, 2021.
Conference: SP IEEE Symposium on Security and Privacy

[img]
Preview
 Text
conf-oakland-huaman21.pdf
Download (346kB) | Preview
Official URL: https://www.ieee-security.org/TC/SP2021/program-pa...

Abstract

Password managers are tools to support users with the secure generation and storage of credentials and logins used in online accounts. Previous work illustrated that building password managers means facing various security and usability challenges. For strong security and good usability, the interaction between password managers and websites needs to be smooth and effortless. However, user reviews for popular password managers suggest interaction problems for some websites. Therefore, to the best of our knowledge, this work is the first to systematically identify these interaction problems and investigate how 15 desktop password managers, including the ten most popular ones, are affected. We use a qualitative analysis approach to identify 39 interaction problems from 2,947 user reviews and 372 GitHub issues for 30 password managers. Next, we implement minimal working examples (MWEs) for all interaction problems we found and evaluate them for all password managers in 585 test cases. Our results illustrate that a) password managers struggle to correctly implement authentication features such as HTTP Basic Authentication and modern standards such as the autocompleteattribute and b) websites fail to implement clean and wellstructured authentication forms. We conclude that some of our findings can be addressed by either PWM providers or webdevelopers by adhering to already existing standards, recommendations and best practices, while other cases are currently almost impossible to implement securely and require further research.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Sascha Fahl (SF)
Conference: SP IEEE Symposium on Security and Privacy
Depositing User: Dominik Wermke
Date Deposited: 05 Jul 2021 08:59
Last Modified: 05 Jul 2021 08:59
Primary Research Area: NRA5: Empirical & Behavioral Security
URI: https://publications.cispa.saarland/id/eprint/3440

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.