Page 1

A Security Analysis of Two Commercial Browser and Cloud Based Password Managers

Rui Zhao¹, Chuan Yue¹, Kun Sun²

University of Colorado Colorado Springs¹

George Mason University²

2013 ASE/IEEE International Conference on Privacy, Security, Risk and Trust (PASSAT'13), Washington D.C.

Page 2

Background

• Different types of password managers:
  o Browser's built-in feature
  o Browser's extension
  o Stand-alone program

• Our focus: Browser-extension based password managers!

Page 3

Background

• LastPass on Firefox & Chrome
• RoboForm on Firefox & Chrome

• Storage
  o LastPass stores both locally and remotely
  o RoboForm stores either locally or remotely

• Online mode
• Offline mode

• Browser and Cloud based Password Managers (BCPMs)

Page 4

Our Goal

• Do they protect users' passwords well?

o How do they protect passwords?

o Do they have security vulnerabilities?

o How severe are those vulnerabilities?

Page 5

Threat Model

• The types of credentials

• The types of attackers

• The types of attacks under consideration

Page 6

Security Analysis Methodology

• Win 7 platform

• Open-source in JavaScript: Eclipse IDE

• De-obfuscation: JS Beautify

• Other tools
  o Debug tools on Firefox and Chrome
  o Network traffic capture tool: HTTP Analyzer

Page 7

Security Analysis Methodology

• Theoretically estimate the computational effort for performing different attacks
  o Speed assumptions taken from "Cryptography and Network Security: Principles and Practice" by William Stallings:
    • One microsecond (μs) to perform a basic cryptographic operation
    • One microsecond (μs) to perform a million basic cryptographic operations
  o DES, AES, SHA-1, SHA-2: each counts as a basic cryptographic operation
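Worked example added here, not taken from the slides or the paper: the two Stallings speed assumptions on this slide applied to a brute-force attack on a master password, the attack the LastPass and RoboForm slides quantify. The function names, the candidate-space sizes and the modelling assumption that one key-derivation iteration costs one basic cryptographic operation are all constructed for this example.

```javascript
// Added example (not from the slides or the paper): apply the slide's two speed
// assumptions from Stallings to a master-password brute-force attack.
// Modelling assumptions (constructed for this example): checking one candidate
// master password costs one basic operation per key-derivation iteration, and
// the attacker succeeds on average after trying half of the candidate space.

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Number of candidate master passwords: `alphabet` symbols, exactly `length` characters.
// BigInt keeps the count exact even for large key spaces.
function candidateCount(alphabet, length) {
  return BigInt(alphabet) ** BigInt(length);
}

// Average-case number of basic operations: half the candidates, each costing
// `iterations` operations (the key-derivation iteration count).
function averageOperations(alphabet, length, iterations) {
  return (candidateCount(alphabet, length) * BigInt(iterations)) / 2n;
}

// Seconds needed to perform `operations` at `opsPerMicrosecond` operations per microsecond.
function secondsAtRate(operations, opsPerMicrosecond) {
  return Number(operations) / (opsPerMicrosecond * 1e6);
}

// One row of an effort table: average-case years under both slide assumptions
// (1 operation per μs and 10^6 operations per μs).
function effortRow(alphabet, length, iterations) {
  const ops = averageOperations(alphabet, length, iterations);
  return {
    alphabet,
    length,
    iterations,
    candidates: candidateCount(alphabet, length).toString(),
    yearsAtOnePerUs: secondsAtRate(ops, 1) / SECONDS_PER_YEAR,
    yearsAtMillionPerUs: secondsAtRate(ops, 1e6) / SECONDS_PER_YEAR,
  };
}

// Build the table for a few password policies and iteration counts so the effect
// of the iteration count is visible next to the effect of password strength.
function effortTable() {
  const rows = [];
  for (const [alphabet, length] of [[26, 8], [62, 8], [95, 8], [95, 12]]) {
    for (const iterations of [1, 1000, 100000]) {
      rows.push(effortRow(alphabet, length, iterations));
    }
  }
  return rows;
}

// Human-readable rendering of the table.
function formatRows(rows) {
  return rows.map((r) => ({
    ...r,
    yearsAtOnePerUs: r.yearsAtOnePerUs.toExponential(2),
    yearsAtMillionPerUs: r.yearsAtMillionPerUs.toExponential(2),
  }));
}

console.table(formatRows(effortTable()));
```

Run it with node. The printed table shows that every tenfold increase in the iteration count raises attacker effort by the same factor as one extra character drawn from a ten-symbol alphabet, which is the quantitative basis for the iteration-count suggestion at the end of the deck.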

Page 8

LastPass Security Design and Vulnerability Analysis

• LastPass-Vul-1: Outsider Attackers’ Local Decryption Attacks ← insecure design of the master password remembering mechanism in LastPass

LastPass-Vul-1

Page 9

LastPass Security Design and Vulnerability Analysis

• LastPass-Vul-2: Outsider Attackers’ Brute Force Attacks ← insecure design of the local user authentication mechanism and the insecure application of the PBKDF2 function in LastPass

LastPass-Vul-2

Page 10

LastPass Security Design and Vulnerability Analysis

• LastPass-Vul-3: Insider Attackers’ Brute Force Attacks ← insecure association of the master password with authenticators in LastPass

LastPass-Vul-3

Page 11

LastPass Security Design and Vulnerability Analysis

• The master password brute force attack effort for LastPass-Vul-2 and LastPass-Vul-3

LastPass-Vul-2

LastPass-Vul-3

Page 12

RoboForm Security Design and Vulnerability Analysis

• RoboForm-Vul-1: Outsider Attackers’ Local Decoding Attacks ← zero protection to local storage when a master password is not used in RoboForm

RoboForm-Vul-1

Website Credentials → Encoding → *.rfp

Page 13

RoboForm Security Design and Vulnerability Analysis

• RoboForm-Vul-2: Outsider Attackers’ Brute Force Attacks ← weak protection to local storage when a master password is used in RoboForm

RoboForm-Vul-2-rfo

RoboForm-Vul-2-rfp

Page 14

RoboForm Security Design and Vulnerability Analysis

• RoboForm-Vul-3: Insider Attackers’ Server-side Request Monitoring Attacks ← zero protection to the data received by the insiders of RoboForm

RoboForm-Vul-3


Page 15

RoboForm Security Design and Vulnerability Analysis

• The master password brute force attack effort

RoboForm-Vul-2-rfp

RoboForm-Vul-2-rfo

Page 16

Likelihood, impact, and overall risk ratings

• OWASP (Open Web Application Security Project)
  o Risk rating methodology
  o Likelihood: how likely this particular vulnerability is to be uncovered and exploited by an attacker. HIGH, MEDIUM, LOW.
  o Impact: the impact of a successful attack: technical impact, business impact. HIGH, MEDIUM, LOW.
  o Overall Risk Severity: derived from Likelihood and Impact

Page 17

Suggestions

• 1. User data should be protected with confidentiality and authenticity mechanisms before being sent to cloud storage servers
  o RoboForm-Vul-3

• 2. Outsider attackers' client-side stealing capability should be seriously considered
  o LastPass-Vul-1
  o RoboForm-Vul-1

Page 18

Suggestions

• 3. A master password mechanism must be provided in a BCPM, and users should be mandated to use a strong master password with the strength assured by a pure client-side proactive password checker
  o RoboForm-Vul-1
  o LastPass-Vul-3
  o LastPass-Vul-2
  o RoboForm-Vul-2

Page 19

Suggestions

• 4. Large iteration count values should be used in the password based key derivation functions
  o LastPass-Vul-3
  o LastPass-Vul-2
  o RoboForm-Vul-2

• 5. A user's master password should be used to authenticate a user, but it should not be insecurely associated with any authenticator that will be sent to the cloud storage servers or saved locally to the user's computer
  o LastPass-Vul-2
  o RoboForm-Vul-2

Page 20

Suggestions

• 6. Data authenticity should be assured, and authenticity verification should not weaken confidentiality
  o RoboForm-Vul-2

Page 21

Conclusion

• Define a threat model for analyzing the security of BCPMs
• Investigate the design and implementation of two very popular commercial BCPMs: LastPass, RoboForm
• Identify several vulnerabilities of these two BCPMs that could be exploited by outsider and insider attackers to obtain users' saved website passwords

• Detailed figures, risk analysis and suggestions are in "Vulnerability and Risk Analysis of Two Commercial Browser and Cloud Based Password Managers" (invited paper), ASE Science Journal, 1(4): pages 1--15, 2013.

Page 22