Browsers fail password-management security tests

By Matthew Broersma, ZDNet UK
Wednesday, December 17, 2008 07:12 PM

Google's Chrome browser and Apple's Safari have received poor marks in a new set of tests evaluating the security of password-management features in five popular Web browsers.

Chapin Information Services (CIS), which published its test results last week, said Chrome 1.0's password manager failed all but two of 21 tests--a score matched by Apple's Safari 3.2. Microsoft's Internet Explorer 7 scored slightly better, passing five of the tests, while Opera 9.62 and Firefox 3.0.4 both passed seven of the tests.

"Safari and Chrome are essentially tied for the worst password manager built into a major Web browser," CIS said in a statement.

CIS highlighted three of the tests failed by Chrome's password manager as particularly risky, because they mean the browser could allow a malicious Website to steal passwords stored in the password manager.

CIS said Chrome failed, first, to check the path to which passwords are sent; second, to check the domain from which passwords are requested; and, third, to perform well in handling invisible form elements. Chrome was the only tested browser to fail all three of these tests, CIS said.

None of the browsers passed the first test, which covered checking the path when passwords are retrieved. Only Opera and Firefox passed the second test, which concerns preventing passwords from being delivered to a domain different from the one the password was delivered to when it was saved.

The third test related to whether the browser prevents passwords from being delivered to a form that the user can't see--for example, from being used to fill out a login form on a Web page that has its display property set to "none". Chrome and Firefox both failed this test, according to CIS.

Opera's password manager came closest to addressing all three tests, as it has the ability to deactivate invisible form elements, and options that partly addressed the other two issues, CIS said.

Safari addressed the problem of invisible forms, but passed only one other test: that of requiring user interaction to save a password.
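
The three checks CIS singled out can be read as conditions a password manager tests before filling a form. The JavaScript below is an added illustration, not CIS's test code or any browser's implementation; the function name `checkAutofill`, the record and form shapes, and the sample URLs are assumptions constructed for the example, and it compares full origins, which is stricter than the domain comparison the tests describe.

```javascript
// Added example. The record and form shapes are constructed for this
// illustration; they are not any browser's internal data model.

// Decide whether a saved password may be filled into a form.
// saved: { pageOrigin, actionOrigin, actionPath } recorded at save time
// page:  { url } of the document requesting the fill
// form:  { action, displayChain }, where displayChain lists the computed
//        CSS display value of the form element and each of its ancestors
function checkAutofill(saved, page, form) {
  const pageUrl = new URL(page.url);
  const action = new URL(form.action, pageUrl); // resolves relative actions
  const failures = [];

  // Origin (scheme + host + port) is used here; it is stricter than "domain".
  // The page requesting the password must match the page that saved it.
  if (pageUrl.origin !== saved.pageOrigin) failures.push("request-domain");
  // The target the password would be delivered to must match the saved one.
  if (action.origin !== saved.actionOrigin) failures.push("action-domain");
  // The path the password would be sent to must match the saved path.
  if (action.pathname !== saved.actionPath) failures.push("action-path");
  // display:none on the form or any ancestor means the user cannot see it.
  if (form.displayChain.some((d) => d === "none")) failures.push("invisible-form");

  return { fill: failures.length === 0, failures };
}

// Constructed sample data (example.test and example.net are reserved names).
const saved = {
  pageOrigin: "https://shop.example.test",
  actionOrigin: "https://shop.example.test",
  actionPath: "/account/login",
};
const loginPage = { url: "https://shop.example.test/account/signin.html" };
const visible = ["block", "block"];

const cases = {
  legitimate: { action: "/account/login", displayChain: visible },
  otherPath: { action: "/users/guest/post", displayChain: visible },
  otherDomain: { action: "https://other.example.net/account/login", displayChain: visible },
  hiddenForm: { action: "/account/login", displayChain: ["block", "none"] },
};

for (const [name, form] of Object.entries(cases)) {
  console.log(name, JSON.stringify(checkAutofill(saved, loginPage, form)));
}
```

Only the `legitimate` case is filled; each of the other three is refused for exactly one reason, matching one of the highlighted tests.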

