
They Would do Better if They Worked Together

The Case of Interaction Problems Between Password Managers and Websites
@INPROCEEDINGS{conf/oakland/huaman21,
  author = {N. Huaman and S. Amft and M. Oltrogge and Y. Acar and S. Fahl},
  booktitle = {2021 IEEE Symposium on Security and Privacy (SP)},
  title = {They Would do Better if They Worked Together: The Case of Interaction Problems Between Password Managers and Websites},
  year = {2021},
  volume = {},
  issn = {2375-1207},
  pages = {1626-1640},
  keywords = {web-security},
  doi = {10.1109/SP40001.2021.00094},
  url = {https://doi.ieeecomputersociety.org/10.1109/SP40001.2021.00094},
  publisher = {IEEE Computer Society},
  address = {Los Alamitos, CA, USA},
  month = {may}
}
News: 04.06.2021 - Improved cross-platform scaling and reduced external dependencies.
We have won a Student Best Paper Award at the 42nd IEEE Symposium on Security and Privacy!
Password Managers on the Web

Passwords are the common authentication mechanism of the web. Because of the large number of accounts users maintain on the modern web, password fatigue has become a major problem. Password managers could solve this problem, as they are able to generate and maintain diverse and secure passwords for many accounts. However, integrating password managers into the web has been difficult in the past, with complex detection mechanisms required to identify website logins.

In our work, we collected issues reported by real-world users, tested them against 15 password managers and propose solutions to the common problems we found.

Functionality of a password manager

What is a Password Manager
When using a password manager, the user has only one master password that they use to unlock the manager. It can then optionally support additional authentication such as biometrics and second factors. The manager, in turn, can generate secure passwords and store them for websites. This part of the functionality is already widely researched and can be optimized like any other UI experience. However, in an ideal world, the password manager would also transfer the password to a website and thus handle authentication without (much) user input. This part is currently not standardized: password managers need to provide their own detection mechanisms, and the dynamism and diversity of websites makes perfect detection hard to impossible.

Approach

To measure the impact of the missing standardization, we set out to identify common problems that occur when typical password managers interact with websites. Based on our findings, we present a few ways to better standardize authentication on the web and make detection for password managers easier and more stable.

Collecting Real-World Issues
First, we needed to identify real-world issues. We use a qualitative analysis approach to identify 39 interaction problems, which we collect from 2,947 user reviews and 372 GitHub issues for 30 password managers. We then implement these 39 interactions as Minimal Working Examples, which we provide to the public on this website via "Interaction Testing".

Study Overview Diagram
Our approach to evaluate password managers

We then continue to evaluate 15 password managers using these interactions.

Results

Our results illustrate that, on the one hand, password managers struggle to correctly implement authentication features such as Basic HTTP Authentication and modern standards such as the autocomplete attribute (e.g., Interaction I-04), and on the other hand, websites fail to implement clean and well-structured authentication forms (e.g., Interaction N-01). In the case of websites, manipulation might even happen for the purpose of security (as in Interaction J-05), without actually providing any reasonable security improvement.
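As an added illustration (not code from the paper or its replication package), here is a simplified version of the field detection a password manager has to perform: with the standard autocomplete tokens the answer is definite, without them the manager falls back to heuristics that can misfire. Both forms are constructed for the example.

```javascript
// Constructed login form that uses the standard autocomplete tokens.
const cleanForm = `
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
  <button type="submit">Log in</button>
</form>`;

// Constructed form without tokens: a search box and two password fields.
const messyForm = `
<form>
  <input type="text" name="q" placeholder="Search">
  <input type="text" name="field1">
  <input type="password" name="field2">
  <input type="password" name="field3">
</form>`;

// Extract the attributes of every <input ...> tag (regex scan, no DOM needed).
function parseInputs(html) {
  return (html.match(/<input\b[^>]*>/gi) || []).map((tag) => {
    const attrs = {};
    for (const m of tag.matchAll(/([a-z-]+)\s*=\s*"([^"]*)"/gi)) {
      attrs[m[1].toLowerCase()] = m[2];
    }
    return attrs;
  });
}

// Returns which fields would be filled and whether the decision is ambiguous.
function classifyLoginForm(html) {
  const inputs = parseInputs(html);
  const type = (i) => (i.type || 'text').toLowerCase();
  const byToken = (t) => inputs.find((i) => (i.autocomplete || '').toLowerCase() === t);
  const user = byToken('username');
  const pw = byToken('current-password');
  if (user && pw) {
    return { method: 'autocomplete', username: user.name, password: pw.name, ambiguous: false };
  }
  // Fallback heuristic: first password field, plus the nearest text/email field above it.
  const pwIdx = inputs.findIndex((i) => type(i) === 'password');
  if (pwIdx < 0) return { method: 'heuristic', username: null, password: null, ambiguous: true };
  const before = inputs.slice(0, pwIdx).filter((i) => ['text', 'email'].includes(type(i)));
  const passwordCount = inputs.filter((i) => type(i) === 'password').length;
  return {
    method: 'heuristic',
    username: before.length ? before[before.length - 1].name : null,
    password: inputs[pwIdx].name,
    // Several text or password fields may mean sign-up or change-password, not login.
    ambiguous: passwordCount !== 1 || before.length !== 1,
  };
}
```

The messy form is classified only by position, and the second password field makes the result ambiguous, which is the kind of guesswork the autocomplete tokens are meant to remove.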

[Screenshots: old and new Minimal Working Example layout]
Old (left) and new (right) layout for our use cases

For the purpose of this website and the replication package, we have revised our interactions with a cleaner and more convenient layout, more consistent coding and in some cases revised instructions. Our recordings use the initial layout and therefore might look slightly different.

Replication Package

Feel free to use the material below for replication and extension purposes.

File        | Description                                          | Copyright            | Last Update
Source Code | The source code for the 39 interactions on this page. | GPL v3.0 or later    | See git log
Coding      | The issues we deemed relevant and our coding.        | CC BY-NC-SA          | 24.05.2021
Videos      | Recordings of our testing.                           | CC BY-NC-SA          | 25.05.2021