Researchers give a red light to Web-based password managers

If you’re like me, you have at least a dozen online passwords to keep track of.

For work alone there are five I need almost daily. IT security pros following best practices insist employees use different ones for the best protection. But how much can a person remember?

Some enterprises use an IT-managed password management solution, but deploying it across several hundred users could be expensive.

One solution is a Web-based password manager, offered by a number of sites like LastPass, My1login, RoboForm, PasswordBox and NeedMyPassword.

However, Ars Technica has got hold of a research paper to be presented at an upcoming conference that says four out of five solutions tested had severe vulnerabilities where an attacker could learn a user’s credentials.

Problem ranged from logic and authorization mistakes to misunderstandings of the Web security model.

And remember, if an attacker gains access it means theft of all of that user’s passwords.

“Our study suggests that it remains to be a challenge for the password manages to be secure,” say the four authors, researchers from the University of California at Berkeley.

Here’s a link to the paper.

Some IT pros might groan at the idea of a browser-based system being secure (although some use JavaScript bookmarklets and not browser extensions), but as the paper points out they provide some protection against phishing attacks, and cloud-based synchronization across devices promises tremendous security and usability with low deployability costs.

Unfortunately, Web vulnerabilities (such as sharing authentication tokens across applications) have to be understood and addressed by the password manager creators. Then there are booklet, authorization and user interface vulnerabilities to be dealt with.

In one way or another, the authors say, developers of the five solutions studied haven’t.

One can’t help but agree that their paper is, as they say, a wake-up call to such services. Their developers need to take a systematic approach to dealing with the vulnerabilities of each solution.

Until then it looks like IT pros can’t recommend them to staff.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web