Chapin Information Services


Major Brands Fail Password Manager Testing

Opera Scores Best

07/24/2008 — Chapin Information Services (CIS) revealed a large number of faults today in common password management software. After testing six of the most popular brands, five were found to fail even the most basic security requirements.

Internet password managers need to know two things to be secure: Which website is requesting a password? And, to which website is a password being delivered?

Internet Explorer keeps track of the first question, but it will freely submit passwords to the wrong website.

Firefox can keep track of the second question, but it doesn't know the difference between administrative credentials and a guest book login at the same .com domain.

RoboForm and Sticky Password don't seem to know either one, leaving a user helpless when they decide to submit a password.

Clipperz, which creates a one-click sign in using the form details from a user's screen, leaves the user wondering where it might deliver that password when used.

The Opera web browser, in contrast, prompts to save each password with an option to restrict where it may be used. The built-in password manager also prevents saved passwords from going to the wrong website, and it passes as many additional tests as Firefox and Internet Explorer combined.

All six password managers failed to warn if a new password was being directed to a different website from the one displayed on screen. Also, all six failed to check which address "path" should be used to deliver passwords, and failed to prevent passwords from being added to the address bar itself, which is displayed on-screen.

Interestingly, Firefox 3.0 was found to be the only password manager that always obeys the "Autocomplete" feature that many websites use to forbid password management. Even the earlier Firefox 2.0 is unable to pass this test. And ironically, Firefox 3.0 does not obey the password field name feature, which the Firefox website specifies as an "Autocomplete alternative".

An interactive demonstration of password management vulnerabilities is available at the CIS website.

CIS Testing Results

Test Performed                             Opera 9.5   Internet Explorer 7.0   Firefox 3.0   RoboForm 6.9   Sticky Password 3.4   Clipperz
Action Authority Checked on Retrieval      PASSED      FAILED                  PASSED        FAILED         FAILED                FAILED
Action Authority Checked on Save           PASSED      FAILED                  PASSED        FAILED         FAILED                FAILED
Action Authority Raises Warnings           FAILED      FAILED                  FAILED        FAILED         FAILED                FAILED
Action Path Checked on Retrieval           FAILED      FAILED                  FAILED        FAILED         FAILED                FAILED
Action Path Checked on Save                FAILED      FAILED                  FAILED        FAILED         FAILED                FAILED
Action Scheme Checked on Retrieval         PASSED      FAILED                  PASSED        FAILED         FAILED                FAILED
Action Scheme Raises Warnings              PASSED      PASSED                  FAILED        FAILED         FAILED                FAILED
Action Scheme Prevented if Unsafe          PASSED      PASSED                  FAILED        FAILED         FAILED                FAILED
Autocomplete=Off Prevents Form Fills       FAILED      FAILED                  PASSED        FAILED         FAILED                FAILED
Invisibility Prevents Form Fills           PASSED      PASSED                  FAILED        FAILED         FAILED                FAILED
Method Checked on Retrieval                FAILED      FAILED                  FAILED        FAILED         FAILED                FAILED
Method Raises Warnings                     FAILED      FAILED                  FAILED        FAILED         FAILED                FAILED
Multiple Paths Per User Per Authority      FAILED      FAILED                  FAILED        FAILED         FAILED                FAILED
Multiple Schemes Per User Per Authority    PASSED      FAILED                  PASSED        FAILED         FAILED                FAILED
Page Path Checked on Retrieval             PASSED      PASSED                  FAILED        FAILED         FAILED                FAILED
Random Name Attribute Prevents Form Fills  PASSED      FAILED                  FAILED        FAILED         FAILED                PASSED
User Required for Password Retrieval       PASSED      PASSED                  FAILED        PASSED         FAILED                PASSED
User Required for Password Save            PASSED      PASSED                  FAILED        PASSED         PASSED                PASSED
Valid URIs Don't Break Anything            PASSED      PASSED                  PASSED        PASSED         PASSED                FAILED

Test Descriptions

Action Authority Checked on Retrieval

To pass this test, the PM must never deliver a password to a domain other than the one to which the password was delivered when it was saved. For example, if a password is saved on a self-referring form, and then automatically filled in another form that points to a different website, then the PM has failed this test.

Action Authority Checked on Save

To pass this test, the PM must never overwrite the destination domain name of a password without explicit user interaction. For example, if a password is first saved on a self-referring form, and then re-saved on a form that points to a different website, and the PM prevents the password from being filled on the original form, then the PM has failed this test. Note the implicit requirement that a PM must distinguish authorities on retrieval.

Action Authority Raises Warnings

To pass this test, the PM must warn the user if the action authority does not match the page authority. For example, if a login form at www.info-svc.com points to google.com, and the PM allows a user to save or submit a password using this form without notice, then the PM has failed this test.

Action Path Checked on Retrieval

To pass this test, the PM must never deliver a password to a path other than the one to which the password was delivered when it was saved. For example, if a password is saved on a self-referring form, and then automatically filled in another form that points to a different parent directory, then the PM has failed this test.

Action Path Checked on Save

To pass this test, the PM must never overwrite the destination path of a password without explicit user interaction. For example, if a password is first saved on a self-referring form, and then re-saved on a form that points to a parent directory, and the PM prevents the password from being filled on the original form, then the PM has failed this test. Note the implicit requirement that a PM must distinguish paths on retrieval.

Action Scheme Checked on Retrieval

To pass this test, the PM must never deliver a password using a protocol other than the one by which the password was delivered when it was saved. For example, if a password is saved on a self-referring web page, and then automatically filled in another form that uses e-mail to deliver the password, then the PM has failed this test.

Action Scheme Raises Warnings

To pass this test, the PM must warn the user if the action scheme is potentially unsafe. For example, if a login form uses an e-mail application that will display the password on screen, and the PM allows the user to save or submit a password using this form without notice, then the PM has failed this test.

Action Scheme Prevented if Unsafe

To pass this test, the PM must successfully abort a password delivery if requested by the user.

Autocomplete=Off Prevents Form Fills

To pass this test, the PM must never deliver a password when the autocomplete attribute is present and set to "off".

Invisibility Prevents Form Fills

To pass this test, the PM must never deliver a password using a form that is not visible. For example, if a login form is present on a web page but has its display property set to none, and the PM automatically fills the form allowing the password to be transmitted despite being invisible, then the PM has failed this test.

Method Checked on Retrieval

To pass this test, the PM must never deliver a password using an HTTP method other than the one by which the password was delivered when it was saved. For example, if a password is saved on a form that uses POST, and then automatically filled in another form that uses GET to deliver the password, then the PM has failed this test.

Method Raises Warnings

To pass this test, the PM must warn the user if the password submission method is potentially unsafe. For example, if a login form uses GET, which causes the password to be added to the address bar, and the PM allows the user to save or submit a password using this form without notice, then the PM has failed this test.

Multiple Paths per User per Authority

To pass this test, the PM must allow a user to save different passwords in different paths of a single domain using the same user name. Note the implicit requirement that a PM must distinguish paths in both the action URI and page URI.

Multiple Schemes per User per Authority

To pass this test, the PM must allow a user to save different passwords using different schemes on a single domain using the same user name. Note the implicit requirement that a PM must distinguish schemes in both the action URI and page URI.

Page Path Checked on Retrieval

To pass this test, the PM must never deliver a password to a path other than the one at which the password was requested when it was saved. For example, if a password is saved on a self-referring form, and then automatically filled in another form that points to the same path but is located in the parent directory, then the PM has failed this test.

Random Name Attribute Prevents Form Fills

To pass this test, the PM must never fill a password in a form field whose name attribute does not match the name of the field that was used to save the password.

User Required for Password Retrieval

To pass this test, the PM must never fill a password without explicit user interaction.

User Required for Password Save

To pass this test, the PM must never save or overwrite a password without explicit user interaction. For example, if a password is saved with a username, and then the same form is re-submitted with the same username and a different password, and the PM then fills the new password into forms instead of the original password, then the PM has failed this test.

Valid URIs Don't Break Anything

To pass this test, the PM must never submit a password to the wrong URI as a result of erroneous action attribute parsing. For example, if the action attribute value is "mailto:localpart@www.info-svc.com" and the PM delivers a password to "http://www.info-svc.com/mailto:localpart@www.info-svc.com" then the PM has failed this test.
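As an added illustration, not code from CIS or from any of the tested products, the following JavaScript sketches a fill and save policy that would satisfy the test criteria described above, from "Action Authority Checked on Retrieval" through "Valid URIs Don't Break Anything". It relies on the WHATWG URL parser that browsers and Node.js expose as the global URL class. The form object shape ({ action, method, passwordField, autocomplete, visible }), the function and class names, and the choice of http: and https: as the only safe delivery schemes are assumptions made for this example; the URLs and credentials are constructed sample data.

```javascript
// Added example (not CIS's or any vendor's code): a reference fill/save
// policy for a browser password manager built from the CIS test criteria.
// Uses the global WHATWG URL class available in browsers and Node.js.

// Schemes treated as safe transports for a password (assumption; the CIS
// descriptions only name mailto: as an unsafe example).
const SAFE_SCHEMES = new Set(['http:', 'https:']);

// Every component the CIS tests say a PM must distinguish. Making all of
// them part of a credential's identity means the retrieval check and the
// save check can never disagree.
const KEY_PARTS = ['pageOrigin', 'pagePath', 'actionScheme',
                   'actionAuthority', 'actionPath', 'method', 'fieldName'];

// Resolve a form action as a browser does: relative to the page URL with a
// real parser, so "mailto:..." stays a mailto: URI instead of being glued
// onto the page origin ("Valid URIs Don't Break Anything").
function resolveAction(pageUrl, action) {
  const page = new URL(pageUrl);
  return action ? new URL(action, page) : page;   // empty action = self-referring form
}

// Identity of a credential, derived from the page and the form it was saved on.
// form = { action, method, passwordField, autocomplete, visible } (assumed shape).
function credentialKey(pageUrl, form) {
  const page = new URL(pageUrl);
  const target = resolveAction(pageUrl, form.action);
  return {
    pageOrigin: page.origin,
    pagePath: page.pathname,
    actionScheme: target.protocol,
    actionAuthority: target.host,                 // host[:port]; "" for mailto:
    actionPath: target.pathname,
    method: (form.method || 'GET').toUpperCase(), // HTML's default method is GET
    fieldName: form.passwordField,
  };
}

function sameKey(a, b) {
  return KEY_PARTS.every(p => a[p] === b[p]);
}

// Warnings to raise before a password is saved or submitted
// ("Action Authority / Action Scheme / Method Raises Warnings").
function submissionWarnings(pageUrl, form) {
  const page = new URL(pageUrl);
  const key = credentialKey(pageUrl, form);
  const warnings = [];
  if (key.actionAuthority !== page.host) warnings.push('action authority differs from page authority');
  if (!SAFE_SCHEMES.has(key.actionScheme)) warnings.push('action scheme ' + key.actionScheme + ' may expose the password');
  if (key.method === 'GET') warnings.push('GET places the password in the URL');
  return warnings;
}

// Retrieval policy: may this stored entry be filled into this form?
function fillDecision(entry, pageUrl, form, userConfirmed) {
  const deny = reason => ({ fill: false, reason });
  if (!userConfirmed) return deny('explicit user interaction required');  // User Required for PW Retrieval
  if (form.autocomplete === 'off') return deny('autocomplete=off');        // Autocomplete=Off Prevents Form Fills
  if (form.visible === false) return deny('form is not visible');          // Invisibility Prevents Form Fills
  const key = credentialKey(pageUrl, form);
  for (const p of KEY_PARTS) {                                            // "Checked on Retrieval" tests
    if (entry.key[p] !== key[p]) return deny(p + ' mismatch: saved ' + entry.key[p] + ', form ' + key[p]);
  }
  return { fill: true, reason: 'all components match' };
}

// Save policy: entries are keyed by every component, so re-saving the same
// user name on a form that points elsewhere adds an entry instead of
// overwriting the original ("Checked on Save", "Multiple Paths/Schemes").
class CredentialStore {
  constructor() { this.entries = []; }
  save(pageUrl, form, username, password, userConfirmed) {
    if (!userConfirmed) return { saved: false, reason: 'explicit user interaction required' }; // User Required for PW Save
    const key = credentialKey(pageUrl, form);
    let entry = this.entries.find(e => e.username === username && sameKey(e.key, key));
    if (entry) { entry.password = password; return { saved: true, reason: 'updated existing entry' }; }
    entry = { key, username, password };
    this.entries.push(entry);
    return { saved: true, reason: 'new entry', warnings: submissionWarnings(pageUrl, form) };
  }
}

// Walk through the scenarios the CIS descriptions use (constructed inputs).
function runScenarios() {
  const page = 'https://www.info-svc.com/login/';
  const self = { action: '', method: 'POST', passwordField: 'pw' };
  const store = new CredentialStore();
  store.save(page, self, 'alice', 'original', true);
  store.save(page, { ...self, action: 'https://google.com/' }, 'alice', 'replaced', true);
  const original = store.entries[0];
  return {
    entries: store.entries.length,                                               // 2: original not overwritten
    selfForm: fillDecision(original, page, self, true).fill,                     // true
    otherAuthority: fillDecision(original, page, { ...self, action: 'https://google.com/' }, true).fill,
    parentPath: fillDecision(original, page, { ...self, action: '../' }, true).fill,
    getMethod: fillDecision(original, page, { ...self, method: 'GET' }, true).fill,
    mailtoHref: resolveAction(page, 'mailto:localpart@www.info-svc.com').href,
  };
}

console.log(runScenarios());
```

Run with node: runScenarios() shows the credential saved on the self-referring form at www.info-svc.com being withheld from forms that point to google.com, to the parent directory, or that switch to GET, while the second save creates a separate entry rather than overwriting the first. The design point is that every URI component the tests enumerate is part of the stored key, which is exactly what the five failing products in the table above lacked for authority, path or scheme.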