Details
Original language | English |
---|---|
Title of host publication | Proceedings - 2021 IEEE Symposium on Security and Privacy, SP 2021 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 1367-1381 |
Number of pages | 15 |
ISBN (electronic) | 9781728189345 |
ISBN (print) | 978-1-7281-8935-2 |
Publication status | Published - May 2021 |
Event | 42nd IEEE Symposium on Security and Privacy, SP 2021 - Virtual, San Francisco, United States. Duration: 24 May 2021 → 27 May 2021 |
Publication series
Name | Proceedings - IEEE Symposium on Security and Privacy |
---|---|
Volume | 2021-May |
ISSN (Print) | 1081-6011 |
ISSN (electronic) | 2375-1207 |
Abstract
Password managers are tools to support users with the secure generation and storage of credentials and logins used in online accounts. Previous work illustrated that building password managers means facing various security and usability challenges. For strong security and good usability, the interaction between password managers and websites needs to be smooth and effortless. However, user reviews for popular password managers suggest interaction problems for some websites. Therefore, to the best of our knowledge, this work is the first to systematically identify these interaction problems and investigate how 15 desktop password managers, including the ten most popular ones, are affected. We use a qualitative analysis approach to identify 39 interaction problems from 2,947 user reviews and 372 GitHub issues for 30 password managers. Next, we implement minimal working examples (MWEs) for all interaction problems we found and evaluate them for all password managers in 585 test cases. Our results illustrate that a) password managers struggle to correctly implement authentication features such as HTTP Basic Authentication and modern standards such as the autocomplete-attribute and b) websites fail to implement clean and well-structured authentication forms. We conclude that some of our findings can be addressed by either PWM providers or web-developers by adhering to already existing standards, recommendations and best practices, while other cases are currently almost impossible to implement securely and require further research.
Keywords
- Web-Security
ASJC Scopus subject areas
- Engineering(all)
- Safety, Risk, Reliability and Quality
- Computer Science(all)
- Software
- Computer Science(all)
- Computer Networks and Communications
Cite this
Proceedings - 2021 IEEE Symposium on Security and Privacy, SP 2021. Institute of Electrical and Electronics Engineers Inc., 2021. p. 1367-1381 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2021-May).
Research output: Chapter in book/report/conference proceeding › Conference contribution › Research › peer review
TY - GEN
T1 - They would do better if they worked together
T2 - 42nd IEEE Symposium on Security and Privacy, SP 2021
AU - Huaman, Nicolas
AU - Amft, Sabrina
AU - Oltrogge, Marten
AU - Acar, Yasemin
AU - Fahl, Sascha
PY - 2021/5
Y1 - 2021/5
KW - Web-Security
UR - http://www.scopus.com/inward/record.url?scp=85115055467&partnerID=8YFLogxK
U2 - 10.1109/SP40001.2021.00094
DO - 10.1109/SP40001.2021.00094
M3 - Conference contribution
AN - SCOPUS:85115055467
SN - 978-1-7281-8935-2
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1367
EP - 1381
BT - Proceedings - 2021 IEEE Symposium on Security and Privacy, SP 2021
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 24 May 2021 through 27 May 2021
ER -