Security Strategy, Plan, Budget

Security issues present in browser password management

Among web browsers, Google Chrome and Apple's Safari provide the least amount of protection for stored passwords, according to new research from internet security consultancy Chapin Information Services.

Other popular browsers, however, are not free of password management shortfalls.

In the research, 21 tests were used to measure the security of the password management features of the newest versions of the most widely-used browsers -- including Internet Explorer 7, Opera 9.62, Safari 3.2, Chrome and Firefox 3.0.4.

The study concluded that each of the browsers have multiple problems with the password manager feature, but Safari and Chrome tied for the worst.

“If you look at the article and the test results, most of these browsers fail the tests that we put in there,” Robert Chapin, president of Chapin Information Services, told SCMagazineUS.com Monday.

For one test, called “Action Authority Checked on Retrieval,” browsers were tested on whether they would send a password to a domain other than to where the credentials were saved.

To explain the test, Chapin said that when a user logs in to web email, code behind the scenes tells the browser where to transmit the username and password.

When logging into Gmail, for example, a user's credentials will go to the Gmail server. But if the code were to be altered so as to redirect usernames and passwords to a malicious domain, it turns out that IE, Safari and Chrome will send the information to the criminals.

“As an end-user, someone who is putting faith in password manager, I would like to think that it wouldn't send my username and password [to an unintended domain] or that it would send me a warning,” Chapin said.

The issues in Chrome's password management feature, “form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity,” the Chapin report states. In particular, it could enable an attacker to obtain a user's stored passwords without he or she knowing.

The takeaways for enterprises: Don't use the Chrome or Safari password manager features and, given the option, disable them, Chapin said. Firefox and Opera require careful scrutiny as well.

And when it comes to IE, Chapin said it's hard to make the same recommendation because so many people use it.

“If you tell people not to, they might do something less secure like tape a Post-it to their monitor,” Chapin said. 

Google product manager Ian Fette said many of the the tests run by Chapin do not look for security vulnerabilities. Nevertheless, the internet giant intends to review the report.

"Designing a password manager that is secure and also meets users' needs is a complex task with multiple different approaches," Fette said. "The security technology in Google Chrome is the result of designing and testing a variety of security features as well as consideration of their impact on user experience with the browser."

Apple did not respond Monday to a request for comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.