We conduct a security analysis of five popular web-based password managers. Unlike “local” password managers, web-based password managers run in the browser. We identify four key security concerns for web-based password managers and, for each, identify representative vulnerabilities through our case studies. Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features such as one-time passwords, bookmarklets, and shared passwords. The root causes of the vulnerabilities are also diverse, ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to typical vulnerabilities like CSRF and XSS. Our study suggests that building a secure password manager remains a challenge. To guide future development, we provide guidance for password manager developers. Given the diversity of the vulnerabilities we identified, we advocate a defense-in-depth approach to ensure the security of password managers.
Full paper: http://devd.me/papers/pwdmgr-usenix14.pdf