1. Introduction

This two-part paper presents an analysis of the security mechanisms, risks, attacks, and defenses of the two most commonly used password management systems for web browsers, found in Internet Explorer and Firefox. The article specifically addresses IE 6 and 7 and Firefox 1.5 and 2.0. Attention is devoted to the following areas:

• Password storage mechanisms: The means of safeguarding usernames and passwords on the local file system through encryption (addressed in part 1).
• Attacks on Password Managers: The methods of subverting or bypassing safeguards (partially addressed in part 1; continued in part 2).
• False sense of security: Users employing password managers without any awareness of the risk factors (discussed in part 2).
• Usability: Features that enhance or deter the usability of security features (discussed in part 2).
• Mitigation and Countermeasures: Actions that can be taken by users and corporations to reduce the risk (part 2).

Internet Explorer and Firefox together amass roughly ninety-five percent of all browser market share. [ref 1] AutoComplete [ref 2] and Password Manager [ref 3] are the features that store web form usernames, passwords, and URLs for Internet Explorer (since version 4), and Firefox (since version 0.7), respectively.

Each browser has helpful features to aid the user from being tasked with remembering different usernames and passwords as a means of authentication for web sites. Thus when navigating to a URL such as http://www.gmail.com where form input fields are present, both IE and Firefox will prompt the user if he or she wants to save their username and password. When the user re-visits the same web site the browser will automatically fill the fields.

Although these features greatly simplify the responsibility of the user, they also introduce security considerations that are addressed in the next few sections.

2. A case for password managers

The need for password managers is tied directly to the difficulty of memorizing numerous sets of usernames, and passwords for specific web sites. Indeed it can be noted that password managers can increase the overall security because they allow for greater entropy in the use of identifiers and passwords. Thus a user can generate many different usernames instead of relying on just one, making it more difficult for the attacker to guess.

The tradeoff is that the user has to trust the application to perform its role (securely storing, processing, and forwarding credentials to authorized entities). Password managers are not a panacea, however they leverage technology, effectively raising the bar for attackers, by improving the user interface to computing environments that routinely require authentication.

Users and businesses alike need to be ensured that password management systems are both properly implemented and used, including an awareness of risk factors that may be involved. This article can be used as a basis for the design of more secure password managers by reviewing possible attacks, thus acting a potential bulwark to future attacks.

3. Previous work

The use of the same username and password in multiple web sites increases the likelihood of compromise, whereby the attacker would only need to discover one username and password, to compromise all of the user's resources. The use of passwords, [ref 4] techniques of memorization, [ref 5, ref 6] and the dangers of password reuse [ref 7] all have been extensively studied. Additionally, extensions to Firefox have been studied to reduce the success of password guessing brute force attacks on its password manager. [ref 8]

4. Password storage mechanisms

The locations and mechanisms of storing usernames and passwords are described below. This information was used as the basis of studying attack vectors that are reviewed in section 5 (which spans both part one and two of this article).

4.1 Storage location

4.1.1 Internet Explorer 6 & 7

On Internet Explorer (versions 4 through 6) AutoComplete web form information is stored in the Registry in the following hive locations:

Encrypted usernames and passwords:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\SPW

Web addresses:

HKEY_LOCAL_MACHINE\Software\MicrosoftProtected Storage System Provider\

Cryptographic symmetric keys: [ref 9]

HKEY_CURRENT_USER\Software\Microsoft\ Protected Storage System Provider\Data\\

On Internet Explorer 7, AutoComplete information is stored in the Registry as well but in a slightly different location.

Encrypted Usernames and Passwords: [ref 10]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Entries in the registry are only created when the user is prompted to save login information (the username and password) for a web site. The acronym SPW is short for SavedPassWords.

4.1.2 Firefox 1.5 and 2.0

On Firefox, Uniform Resource Locators (URLs), usernames, and passwords are stored in a file called signons.txt:

Encrypted usernames, and passwords on Windows systems are stored in:

%userprofile%\Application Data\Mozilla\Firefox Profiles\xxxxxxxx.default\signons.txt

Where %userprofile% is the environment variable in Windows that shows the path to the user's home directory.

Encrypted usernames, and passwords on Linux systems running Firefox are stored in the following location:

~/.mozilla/firefox/ xxxxxxxx.default/signons.txt

Where the xxxxxxxx is randomly chosen when Firefox is installed. The signons.txt file is created the first time that any login for a website is saved. Subsequent logins for different URLs are inserted into the file. It is irrelevant to the password manager if the site is accessed using HTTP or HTTPS. URLs are not encrypted because they are used as a reference (lookup) for matching login credentials. More specifically, when a browser password manager needs to auto-fill the login for a particular site, that site's URL is referenced with the signons.txt file, if that URL exists, the respective username and password are filled into the login of the web site.

Continued on page 2...

[ref 1] C, Galvin. "Firefox doubles market share as IE slips," 2005, The Register.co.uk, (Accessed February 2006).
[ref 2] MSDN "Using AutoComplete in HTML Forms," 2005, msdn.microsoft.com/library (Accessed March 2006)
[http://www.mozilla.com/firefox/releases/0.7.html, (Accessed March 2006)
[ref 4] R. Morris and K. Thomson. "Password Security: A Case History," in Communications of ACM, vol.22 no.11, 1979, pp 594 - 597,.
[ref 5] A. Blackwell, A. Grant, R. Anderson, and J. Yan. "Password Memorability and Security: Emperical Results", IEEE Security & Privacy, 2004, pp 25-31
[ref 6] S. Jeyaraman and U. Topkara. "Have the cake and eat it too - Infusing usability into text-password based authentication systems," in Proceedings of the 21st Annual Computer Security Applications Conference, 2005, pp.473-482.
[ref 7] Ives, B., Walsh, K. R., Schneider, H. (2004). "The domino effect of password reuse," in Communications of the ACM, 47, 2004 pp. 75-78.
[ref 8] E. W. Felten, A. Halderman and B. Waters. "A convenient method for securely managing passwords," in Proceedings of the 14th international conference on World Wide Web Chiba, Japan, 2005.
[ref 9] NIST. Federal information processing standard (FIPS) 140-1 Documentation: Security Policy. Windows NT Operating System, Microsoft DSS/Diffie-Hellman Enhanced Cryptographic Provider, 1994.
[ref 10] "Passwords in Internet Explorer 7," http://www.nirsoft.net/articles/ie7_passwords.html (Accessed November 2006)