Keep your memory dump shut: Unveiling data leaks in password managers

Efstratios Chatzoglou, Vyron Kampourakis, Zisis Tsiatsikas, Georgios Karopoulos, Georgios Kambourakis
2024-03-31
Abstract: Password management has long been a persistently challenging task. This led to the introduction of password management software, which has been around for at least 25 years in various forms, including desktop and browser-based applications. This work assesses the ability of two dozen password managers, 12 desktop applications, and 12 browser-plugins, to effectively protect the confidentiality of secret credentials in six representative scenarios. Our analysis focuses on the period during which a Password Manager (PM) resides in the RAM. Despite the sensitive nature of these applications, our results show that across all scenarios, only three desktop PM applications and two browser plugins do not store plaintext passwords in the system memory. Oddly enough, at the time of writing, only two vendors recognized the exploit as a vulnerability, reserving CVE-2023-23349, while the rest chose to disregard or underrate the issue.
Cryptography and Security
### What problem does this paper attempt to address?

This paper aims to evaluate and expose the security issue of password managers (PMs) leaking plain-text credentials into system memory during runtime. Specifically, the researchers evaluated the ability of 24 password managers (12 desktop applications and 12 browser plugins) to protect the confidentiality of sensitive credentials in six representative scenarios.

#### Main problems:

1. **Security of password managers**: Although password managers are widely used to protect user credentials, can these tools actually effectively prevent the leakage of sensitive information? In particular, are there vulnerabilities when they reside in RAM?
2. **Data leakage risks in practical applications**: The study found that in all test scenarios, only a few desktop PM applications and browser plugins did not store plain-text passwords in system memory. This indicates that most password managers have potential data leakage risks in actual use.
3. **Manufacturers' awareness and response to vulnerabilities**: Alarmingly, after the researchers informed the relevant manufacturers, only two manufacturers acknowledged this vulnerability and reserved CVE-2023-23349, while other manufacturers chose to ignore or underestimate the problem.

#### Research background:

- **Long-standing challenges**: Password management has been an ongoing challenge in the field of information security, especially in the face of major data leakage events caused by weak or insecure passwords.
- **User behavior and security**: Research shows that when choosing and using password managers, users tend to focus more on convenience than security. Therefore, the researchers hope to raise the awareness of users and manufacturers about the security of password managers through this evaluation.

#### Research methods:

- **Experimental setup**: The researchers installed and tested 12 desktop applications and 12 browser plugins in a virtual machine environment, simulating six different usage scenarios.
- **Result analysis**: By analyzing the memory dump files (.DMP) generated in each scenario, the researchers checked whether they contained plain-text credentials and counted the frequency and pattern of leakage.

#### Main contributions:

1. **Identifying vulnerabilities**: Determined which modern password managers allow the extraction of plain-text credentials from RAM and provided methods to exploit these vulnerabilities.
2. **Attack surface analysis**: Studied the frequency of occurrence of repeated patterns in the leaked information to assess the size of the attack surface.
3. **Manufacturer compliance**: Examined whether PM manufacturers follow the OWASP security development guidelines in handling the exposure of private information.
4. **Responsible disclosure**: After discovering the problem, the researchers informed the relevant manufacturers and briefly discussed the interaction process with them.

In conclusion, this paper reveals the deficiencies of current password managers in protecting user credentials and calls on manufacturers to take measures to improve security to reduce potential data leakage risks.
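
The dump check described under "Research methods", as an added example that is not code from the paper: it scans a dump file for a known test credential and records how often and where it appears. The canary value, the two encodings searched and the constructed sample dump are assumptions, since the page specifies none of them.

```python
import mmap
import os
import tempfile

# Assumption: the page does not say how credentials are encoded in memory,
# so this searches two common string encodings.
ENCODINGS = ("utf-8", "utf-16-le")


def count_canary(dump_path, canary):
    """Return {encoding: [byte offsets]} for each copy of canary in the dump."""
    hits = {}
    with open(dump_path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mem:
        for enc in ENCODINGS:
            needle = canary.encode(enc)
            offsets = []
            pos = mem.find(needle)
            while pos != -1:
                offsets.append(pos)
                pos = mem.find(needle, pos + 1)
            hits[enc] = offsets
    return hits


def build_sample_dump(canary):
    """Write a constructed stand-in for a .DMP file with three planted copies."""
    blob = (b"\x00" * 64 + canary.encode("utf-8") + b"\xaa" * 32
            + canary.encode("utf-16-le") + b"\xbb" * 16
            + canary.encode("utf-16-le") + b"\x00" * 64)
    fd, path = tempfile.mkstemp(suffix=".dmp")
    with os.fdopen(fd, "wb") as fh:
        fh.write(blob)
    return path


if __name__ == "__main__":
    canary = "Canary-7f3a!Test"  # constructed test credential, never a real one
    path = build_sample_dump(canary)
    try:
        for enc, offsets in count_canary(path, canary).items():
            print(f"{enc}: {len(offsets)} copies at offsets {offsets}")
    finally:
        os.remove(path)
```

A zero count only covers the encodings searched, so it does not by itself show that a dump is free of the credential in some other representation.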