"Password Managers: Risks, Pitfalls, and Improvements" (2014). I'm not sure if this paper has been released yet, but slides are available at hxxp://forum.stanford.edu/events/2014slides/security/Suman%20pwdmgr.pdf

"Vulnerability and Risk Analysis of Two Commercial Browser and Cloud Based Password Managers" (2013): hxxp://www.cs.uccs.edu/~cyue/papers/ASEScience13.pdf

"Automated Password Extraction Attack on Modern Password Managers" (2013): hxxp://arxiv.org/pdf/1309.1416

"Protecting Users Against XSS-based Password Manager Abuse" (2014): hxxps://ben-stock.de/wp-content/uploads/asiacss2014.pdf

"Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage" (2013): hxxp://www.doc.ic.ac.uk/~maffeis/papers/post13.pdf

"On The Security of Password Manager Database Formats" (2012): hxxp://www.6nelweb.com/bio/papers/pwvault-ESORICS12-ext.pdf
Very interesting. Thanks for sharing. Have you posted those links in the LastPass forum? It would be interesting to know their thoughts.
Yeah thanks, it's interesting indeed. Perhaps auto-fill is not a good idea, at least not on all sites.
@dogbite and @Rasheed187: You're welcome. I haven't posted these links in the LastPass forum. If anyone wants to, go ahead.
Aside from the security implications, it can also be a problem with certain places on the site, like the page to change your password (which often requires that you enter old and new passwords) or sites which have multiple passwords (like a router interface, which needs an admin password and a wi-fi password).
This one. Anyway, they got back to me and said that their development team is going to look at that. Actually I invited them to read the whole thread here and eventually give us their thoughts.
You need to bump that thread, tlu. No one would notice it on the 3rd page, and if it doesn't get a reply soon it will most probably end up in obscurity.
Thanks for posting. The paper referenced there is "The Emperor's New Password Manager: Security Analysis of Web-based Password Managers" (2014): hxxp://devd.me/papers/pwdmgr-usenix14.pdf
So, for the users of password managers: are you going to stop using them based on this info? I think updates have been made, but this will always be a potential problem. I've been considering using one, but frankly I'm scared to death of putting all my passwords in one place. Although I'm also losing my mind trying to keep my logins/passwords straight... which also leads to duplicate logins/passwords, which is almost as bad, if not worse.
Same over here, need to do some more reading. But I have to admit that I'm getting tired of having to manually fill in usernames/passwords stored in KeePass. I'm looking for a simple password manager (not cloud based) that can integrate into Opera v11 and 12, but I guess I'm out of luck.
Bruce Schneier's password manager advice: https://www.schneier.com/blog/archives/2014/09/security_of_pas.html.
The response, even if not coming from lastpass, seems interesting and practically trashing the supposed vulnerability...