Chromium Blog: Security in Depth: The Password Manager

Security in Depth: The Password Manager

Wednesday, December 17, 2008

Recently a number of articles have discussed the security of browsers' password managers. There are many ways to build a secure password manager, and each browser uses a slightly different approach. In this edition of Security in Depth, we'll look at some of the key security decisions that went into designing the password manager for Google Chrome. As always, we welcome your feedback and suggestions.

Password managers improve security in two ways. First, they let users use more complex, harder-to-guess passwords because the password manager does the work of remembering them. Second, they help protect users from phishing pages (spoof pages that pretend to be from another site) by carefully scrutinizing the web page's URL before revealing the password. The key to the security of a password manager is the algorithm for deciding when to reveal passwords to the current web page. An algorithm that isn't strict enough can reveal users' passwords to compromised or malicious pages. On the other hand, an algorithm that's too strict won't function on some legitimate web sites. This may cause users to use more memorable (and less secure) passwords. Worse, users typically assume the browser is "broken," and become more willing to supply passwords to any page (including harmful ones), since they no longer trust the browser to make correct distinctions. The same side effects are possible if the password manager produces spurious warnings on legitimate sites; this simply trains users to ignore the warnings.

The password manager's algorithm is based on the browser's same-origin policy, which we've touched on before. The password manager supplies a password to a page only if the page is from the same origin (same scheme, host, and port) as the original page that saved the password. For example, this algorithm protects passwords from active network attackers by not revealing passwords saved on HTTPS pages to HTTP pages.

Because the same-origin policy does not distinguish between different paths, it's tempting to think that we could further improve security by requiring the paths to match as well; for example, passwords saved at https://example.com/login would not be sent to https://example.com/blog. However, this design works poorly with sites where users can log in from several places (like Facebook), as well as sites which store dynamically-generated state in the path. Furthermore, creating this "finer-grained" origin wouldn't actually improve security against compromised sites because other parts of the browser (like the JavaScript engine) still obey the same-origin policy. Imagine that example.com has a cross-site scripting vulnerability that lets an attacker inject malicious content into https://example.com/blog. An attacker would not need users to log in to this page; instead, the attacker could simply inject an <iframe> pointing to https://example.com/login and use JavaScript to read the password from that frame.

Besides checking the page hosting the password field, we can also check where password data is going to be sent when users submit their information. Consider a scenario that occurred a few years ago on a popular social networking site that let users (or in this case, attackers) customize their profile pages. At the time, an attacker could not include JavaScript on his profile page, but could still use malicious HTML — a password field set to send data back to the attacker's web server. When users viewed the attacker's profile, their password managers would automatically fill in their passwords because the profile page was part of the same origin as the site's login page. Lacking JavaScript, the attacker could not read these passwords immediately, but once the users clicked on the page, their data was sent to the attacker's server. Google Chrome defends against this subtle attack by checking the page to which the password data is submitted, once again using the same-origin policy. If this check fails, the password manager will not automatically fill in passwords when the page is loaded. The downside is that this can trip up legitimate web sites that dynamically generate their login URLs. To help users in both cases, the password manager waits for users to type their user names manually before filling in any passwords. At this point, if a page is really malicious, these users have most likely already fallen for the scam and would have proceeded to type in their passwords manually; continuing to refuse to fill in passwords would merely give the impression that the browser is "broken."

A number of other proposals to improve password manager security seem reasonable but don't actually make users more secure. For example, the password manager could refuse to supply passwords to invisible login fields, on the theory that legitimate sites have no need to do this and invisible fields are used only by attackers. Unfortunately, attackers trying to hide password fields from users can make the fields visible but only one pixel tall, or 99% transparent, hidden behind another part of the page, or simply scrolled to a position where users don't normally look. It is impossible for browsers to detect all the various ways password fields can be made difficult to notice, so blocking just one doesn't protect users. Plus, a legitimate site might hide the password field initially (similar to Washington Mutual), and if it does, the password manager wouldn't be able to fill in passwords for this site.

We've put a lot of thought into the password manager's design and carefully considered how to defend against a number of threats including phishing, cross-site scripting, and HTTPS certificate errors. By using the password manager, you can choose stronger, more complex passwords that are more difficult to remember. When the password manager refuses to automatically fill in your password, you should pause and consider whether you're viewing a spoof web site. We're also keen to improve the compatibility of the password manager. If you're having trouble using the password manager with your favorite site, consider filing a bug.

Posted by Adam Barth and Tim Steele, Software Engineers

24 comments:

Chris Mayer said...: A lot of people still seem surprised at the lack of a master password to lock the password manager. Right now if someone gains access to your browser they get all your passwords for free. It would seem the extra level of physical password protection would seem warranted.; December 17, 2008 5:38 PM
Mxx said...: There is a password manager called LastPass. Presently it's compatible only with IE and Firefox.
I asked them about that same password manager test and here's their reply http://forums.lastpass.com/viewtopic.php?f=6&t=629#p2329

It seems like Chrome and LastPass have quiet a conflicting viewpoints regarding features which are important to protect users from.
Would love to hear what Adam or Tim or anybody else from Chrome team have to say about that.; December 17, 2008 8:05 PM
cpu said...: @Mxx: Adams's post does a good job explaining in what we place value and *why* we place value.

Your link does not come with much a rationale, just a redistribution of weights. Maybe you can find a link with a better explanation.

In case the main point was lost, I can cook an analogy: there are places that will sell you an F16 seat that you can bolt to your car. It is fine if what you want is to sit with comfort but your car will not behave like an F16. Ok, I give you that the car is now 0.0005% of an F16.

Browsers security live and die by the good'ol same origin policy and we feel that the password manager must match that in order to have the seat that matches the car.; December 17, 2008 8:53 PM
Mxx said...: so none of the concerns brought up in that test are valid? there is nothing Chome developers feel needs improvement based on those results?

i'm not worried about the times when Chrome doesn't fill in my password, as much as i'm worried about when it does do it. I get the feeling that "user's convenience" is more important than safety/security.
i'm willing to go through some additional prompts that would confirm/inform me that my login is being submitted to the proper place.; December 17, 2008 9:14 PM
Adam said...: @Mxx: I'm not sure about the methodology used by that test. For example, contrary to what's listed on that page, we do check the action's authority on retrieval. This check is important for security, as we discuss in the post.

For other items, like invisible fields, I don't know of a security reason to alter the password manager's behavior. Can you describe a threat model in which not filling invisible fields provides additional security guarantees?

If you look at the bigger security picture, you should be concerned about the times the password manager fails to correctly fill in the password. Every time the password manager makes this mistake, it trains the user to be more susceptible to phishing.; December 17, 2008 10:17 PM
Triram said...: Is the Blog created by me with a password,is property of Google/Public or mine?; December 17, 2008 10:29 PM
pkasting said...: @Mxx: We try and address some of these, such as the "invisible field" issue, in the blog post you're replying to. Was the post not clear? We don't think there's security benefit (and in fact think there's an indirect security loss) to avoiding filling invisible fields, and we provide a few reasons why. People who disagree should probably also say why, so their arguments can be evaluated. The forum page you linked says it's "the end of the world" if you do this but provides no motivation for this viewpoint.

We can be wrong, and have been wrong in the past, but a link that simply says "this is bad" isn't very convincing. It's not as if password management security is something we (or other browser vendors) were too stupid to think about -- in most cases we simply don't agree about what makes sense to do.; December 17, 2008 10:44 PM
Mxx said...: Following Adam's reply regarding 'action authority on retrieval', I took that test myself with Chrome 154.36 and indeed, it passed that check.
As a matter of fact, in my test it passed the following 4(vs 2 in the official result)
Action Authority Checked on Retrieval PASSED
Action Scheme Checked on Retrieval PASSED
Autocomplete=Off Prevents Form Fills PASSED
Method Checked on Retrieval PASSED
Everything else FAILED.

However during the whole test Chrome never asked me to confirm to update my password. I started the test with password "aaaa", and advanced by 1 letter each time I was prompted to select a new password. At the end of the test Chrome is showing my password as "hhhh". That it means it got updated at least 5 times without a single confirmation. I think that's pretty disturbing. If I’m going to use a random unique password, I can come across a situation where Chrome will get confused by some form and will blow out that password without me knowing.

Regarding the hidden forms, if I'm using Chrome's PM vs manually entering password. I'm automatically becoming more vulnerable with Chrome's PM. I wouldn't be able to fill in that form manually, but Chrome will do it for me, silently. Regardless of the origin policy and if it can or can't be exploited, the fact is Chrome is silently disclosing a pretty sensitive info, which it supposed to help to protect.
Unfortunately, I’m not a vulnerability or penetration testing expert, so I’m not qualified to give you a specific example of such a threat model. Hopefully somebody else reading this will chime in.

Pkasting, in no way did i mean to say that Chrome’s dev added it just as a checkmark off their feature list and it wasn’t thought out. But I feel that some of the decisions are overwriting functionality to make it “wife-accepted”. Don’t show some messages because they will sound scary to users...; December 17, 2008 11:36 PM
JezC said...: I think you're wrong about password completion. Why? Because users don't understand what you understand. Users routinely enter search queries in browser bars, and URLs in search fields. Any sufficiently wide field on the screen will be stuffed with "hotmail.com" or whatever their webmail user agent is. Users aren't security experts; they aren't even really aware of the difference between the browser and the web page.

I've even sat next to confused users who've typed their passwords to the username field of confusingly labelled authentication forms. You impute too much knowledge to users.

You expect users to identify that a web browser failing to complete a password authentication, implies an authentication problem. It won't happen for a very large fraction of users. Systems with re-authentication (like AdWords - leave the screen for a few minutes, return, and it reruns the login without user data entry of any sort) simply confuse users as to what is happening. Why, sometimes, does a form like this require revalidation, and at other times it does not? The (to a user) inconsistent behaviour makes completing account names and passwords into a trained activity. They'll respond to any request because they have been trained that they should have no expectations of consistency.

Because the consistency of presentation of account names (even whether it is an email address, a label, or a nick) and passwords (sometimes offering two fields, sometimes one, sometimes with the user account field prefilled), users have been trained to expect almost anything from account authorisation systems.

Rather than a "silent refusal" to complete passwords, offer a clue to the user. Flash the browser frame. Give a popup. Hell, *migrate the authentication to the browser properly*. The current model for allowing any site to adopt their own conventions for authentication mechanisms trains users to accept *any* authentication activity as legitimate, and incomplete fields are as common for real sites as for spoofers. I regularly use standard commercial sites that have a re-authentication screen that is different from the initial login (e.g. authenticate to view a catalogue, and then re-authenticate for purchase, on a different subdomain). User have been trained by this kind of design to expect rekeying.

So users will rekey to a spoofing site, no problem. They will rekey to a site that isn't running SSL, when every other time they use the service the site has been SSL. The sudden lack of SSL doesn't trigger *any* awareness of a problem. Why would a failure to complete a password be any more notice of a problem than the absence of a golden padlock, or the (for safari users) absence of an SSL frame decoration? Users simply don't notice these decorations.

So, in a way, you're right - completing passwords for positively identified sites, in invisible of otherwise concealed fields isn't an issue. The more significant problem is the failure to appropriately alert users to the likelihood of password theft, and the bizarre and non-standardised re-authentication mechanisms adopted by many sites, including some of Google's own properties, that inure users to uncompleted fields on resources they commonly use.

IOW, until browsers offer authentication services, web site owners cause damage to user expectations that will create problem for browser security designers. IOW... I think you're applying lots of cleverness to solving the wrong problem - you are solving a technical problem when the real issue is psychology and behaviour.; December 17, 2008 11:39 PM
Darky said...: Chrome should really implement a master password for the password manager, so in addition to protecting the user from malicious websites, it can also protect the user from mischievous acquaintance.; December 18, 2008 4:38 AM
Jason said...: I love how Google thinks everything over, they thought the same thing I did: if a user sees a warning various times, they will eventually ignore the warning and treat it as a browser malfunction.

A warning for conflicting origins is not needed for the password manager, as stated in the blog post. If it conflicts, it just doesn't auto-fill it in -- however if the user starts to enter their credentials themselves, then auto-complete kicks in.

Moreover, I'm not really concerned about how the password manager functions, rather I'm concerned about how it stores the passwords on my drive. I want some assurance that my password is tightly encrypted. Also, a "master password" like Firefox has would be a splendid addition -- just for the manager in Options. The master password could also be used as a key for the encryption ;-); December 18, 2008 5:19 PM
kashmiri said...: @JezC, one of better pieces of text I have ever read on passwords. Agree with you 100%. I think Microsoft has once tried to standardise authentication (HTTP authentication) but for many reasons it has not been widely accepted.; December 19, 2008 10:13 AM
seth reeder said...: I have no issue with what's been said. In general the explanation for filling invisible fields makes sense to me, and the practical example of a website where not filling would be bad helps allot. I will say I think there should be a keystroke to override the default security screenings which could be enabled by advanced users. It's important to remember that not all users are equal, those who understand the issues should be able to easily tweak the browser to their preference without considerable effort, especially the effort involved in recompilation. The one example I can provide where I would absolutely want this feature is meebo.com, they have autocomplete=off set and a keystroke to over ride would be very welcome.; December 20, 2008 2:37 AM
Kenny said...: Hi google :)

I have thought about this for a while, as I designed parts of the login page for tuenti

So, similar to yahoo.com, we decided that sending the md5 of the password would be better than sending the actual password. the way we solved this is to create a separate textbox and read the password, transform it to md5, and paste it into the second (hidden) one.

When doing that, we ran into all kinds of problems with IE and other browsers getting confused (for example, if we replaced the password with spaces, then the password manager could remember all spaces, or if we deleted the field, the password manager could not save the password, etc.)

Anyway, I'd like to see:
1. password boxes get a new property called "transform" -- in which this function will be called right before onsubmit of the form.
2. The autofill="no" (or something) property could be specified to verify a virgin password box if needed
3. autofilled password boxes can no longer be read from (no matter the origin)
4. transform function cannot modify the DOM (create iframes) or use AJAX related functions (eg. only mathamatical functions for transformation)

The reason for this is, there is absolutely no other reason for javascript to read an autofilled password field if there is a transform function. Additionally, it'd solve all of the headaches of trying to transform a password and not break the password manager. The password checkers which verify strength / correctness, would not be affected, because these will not be filled by the password manager.

-------------

I don't know if this is possible or not because it would change html standards, but it could effectively solve all injection to read existing passwords problems. Just my two cents.. HTML is the world of hackery anyway :)

peace; December 21, 2008 9:38 AM
welshsimon31 said...: @ Mxx and also Adam. well i just did the test you did Mxx and i passed the first 3 out of the 4 you passed (the last one - method checked on retrieval failed).

What is a little strange and odd though, is that on some of the question's where i was expecting the password manager to prompt me to save the password, it did something i have never seen before, and that was - it opened windows live mail and presented a new compose message screen, and in the subject it had the username and password visable for you to see plus the address of the website that was conducting the test, and also in the message body it revealed the username and password, and the address field had a yahoo e mail address!! naturally i didnt click on send lol! but as god as my witness, and after pinching myself- this did infact happen, and so i did the test again, and the exact same thing happened. I cant tell you how confusing this is to me and probably yourselfs too - i have never in all my life seen anything like this happen, and considering i only had 3 passes and all the rest failed, not to mention google chrome auto opening a new compose message screen with the username and password filled out and a yahoo e mail address in the to field, has gotten me feeling nervous and immediately cancelled the compose new mail screen. THIS has me concerned in more ways than one,
1 - i kinda have doubts as to the security of google chrome and why it opened up this windows live mail compose screen instead of saving a password to the password manager.

2- i am disturbed by how windows live mail automatically opened up this dialogue box, with all personal details filled out with a e mail address filled out ready to send it to the said address say if i did press sent!!!

Until i seek clarification and re assurance from google and microsoft on this, giving me an explanation as to why this happened - ie a bug or clitch in the test, chrome or windows live mail, or worst all the above was responible for this to happen, then i cant possibly continue using google chrome as my default browser, and that is a shame, as i have all of my passwords for all sites i use stored in the password manager, and i have been blown away by its speed and quick rendering and load times, but heck safety is first, and as much as i hate using opera, i will use that browser as my everyday browser, since that faired the best in this test, and will not use chrome at all until i feel confident using it again, and also i will have to change my default e mail client to either thunderbird or the built in mail client that comes with opera until i understand more about this.

And just for the record, I'm on the current dev release of google chrome 1.0.154.42 as this is the same as the stable "just out of beta version 1, only with the hotmail fix"

i'm using a HP dv 9702 ea
vista home premium sp 1 - 64 BIT

4gb RAM.; December 30, 2008 7:15 PM
Mxx said...: welshsimon31, that is a normal and acceptable behavior.
you need to read up on mailto: protocol.; December 30, 2008 7:40 PM
undu said...: --------
If this check fails, the password manager will not automatically fill in passwords when the page is loaded. The downside is that this can trip up legitimate web sites that dynamically generate their login URLs. To help users in both cases, the password manager waits for users to type their user names manually before filling in any passwords. At this point, if a page is really malicious, these users have most likely already fallen for the scam and would have proceeded to type in their passwords manually; continuing to refuse to fill in passwords would merely give the impression that the browser is "broken."
-------

Instead of doing that, why not display a warning page, like you do when entering a page known to have malware?

In case the page is really legitimate, add the option to really send the data, or if it's not the the first time it happens, add an exception for the site.

I always prefer to be nagged when there could be a security issue instead of knowing absolutely nothing.; January 4, 2009 4:53 AM
welshsimon31 said...: @ Mxx ...Ah yeah i see what you mean now Mxx, i looked up on mailto protocols as you said, as to be honest i dont hardly if rarely come over a situation where i stumble across mailto links in web pages, as im a copy and paste man and a bit old fashioned lol! but i see youre valid point as to the behaviour in google chrome and how mailto links and protocol works, so i take everything back that i said and doubted about google chrome,

@ undu - i would agree about that with you, and me for one would rather be alerted when there is a security issue regarding malicious script or malware on a page, and true as with myself, being alerted instead of doing guess work and entering my password - it would be better if we had some kind of warning system, even for average joe public aswell as us more technically advance ppl- such a system could and should be simple and accurate without alienating the general user,whilst at the same time alerting them and us of the immpending danger on a site posing as genuine when not - sure till then we all should just exercise caution and use our seventh sense and watch out - if in doubt on a certain page, then sure check it in a dif web browser and see if you get the same feeling on a certain site and if so report it as poss scam or phishing site! sure if we all look out for one another and do this then hopefully that and more improvements from google on the password manager would be excellent

Happy new year to all and keep up the good work mark larson and all at google !! have still got chrome as my main browser by dafault as its so fast, im actually saving time and getting all things done that bit quicker; January 4, 2009 8:40 AM
vin said...: sir
i want to know about ..how we can hide "save as" option in chrome .
because chrome is open sourced so it is possible .but i dont know how it is possible.
please provide a solution.; January 5, 2009 2:50 AM
j$ said...: I have a very hard time trusting the security of the Chrome Password Manager when something like ChromePass exists. ChromePass will instantly reveal all the passwords and user names and URL's that are stored in Chrome.

Hows that for security...; January 14, 2009 3:40 PM
jeanius said...: The first comment to this article (by Chris Mayer) was concerning the lack of a master password to lock Chrome's password manager. I quickly read through all subsequent comments and no one from Google responded to Mayer's comment.

Why does Chrome not have a master password?; January 30, 2009 9:43 AM
Danny Boy, FCD said...: Is there a way to force Chrome to save passwords from sites that explicitly has "autocomplete=off"?; February 4, 2009 2:44 AM
Win said...: I did not save a login name and password for several of my financial accounts. Is there a way to save them now?

Win; March 5, 2009 8:05 AM
Nikolai said...: Hi.. look like chrome developers forgot about the lack of master password for password manager I just asking again ;); April 27, 2009 12:53 PM

Search our Blog

Archive

Subscribe

More Blogs from Google

Useful links

Security in Depth: The Password Manager

24 comments: