Passwords Are Meant to Be Secret: A Practical Secure Password Entry Channel for Web Browsers

Anuj Gautam, Tarun Kumar Yadav, Kent Seamons, Scott Ruoti

TL;DR

The paper tackles the problem of password exfiltration during autofill by password managers and proposes a practical defense that preserves usability without requiring user behavior changes. It develops a threat model, surveys existing browser-based risks, and analyzes five designs for securing password entry, ultimately selecting a browser-based nonce-injection approach (Design #5) as the most secure and deployable option. A proof-of-concept implementation in Firefox and BitWarden demonstrates that the approach mitigates DOM- and extension-based attacks on the vast majority of sites (≈97% on the Alexa Top 1000) while maintaining compatibility on others. The work also discusses deployment considerations, potential extensions to other authentication mechanisms, and avenues for future browser-level support, underscoring the practical impact of integrating secure credential entry into mainstream browsers.

Abstract

Password-based authentication faces various security and usability issues. Password managers help alleviate some of these issues by enabling users to manage their passwords effectively. However, malicious client-side scripts and browser extensions can steal passwords after they have been autofilled by the manager into the web page. In this paper, we explore what role the password manager can take in preventing the theft of autofilled credentials without requiring a change to user behavior. To this end, we identify a threat model for password exfiltration and then use this threat model to explore the design space for secure password entry implemented using a password manager. We identify five potential designs that address this issue, each with varying security and deployability tradeoffs. Our analysis shows the design that best balances security and usability is for the manager to autofill a fake password and then rely on the browser to replace the fake password with the actual password immediately before the web request is handed over to the operating system to be transmitted over the network. This removes the ability for malicious client-side scripts or browser extensions to access and exfiltrate the real password. We implement our design in the Firefox browser and conduct experiments, which show that it successfully thwarts malicious scripts and extensions on 97% of the Alexa top 1000 websites, while also maintaining the capability to revert to default behavior on the remaining websites, avoiding functionality regressions. Most importantly, this design is transparent to users, requiring no change to user behavior.
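
The fake-password swap described in the abstract can be modeled in a few lines. The sketch below is an added illustration, not the paper's Firefox/BitWarden code: `NonceVault`, `issue`, `finalizeRequest` and `demo` are hypothetical names, the hosts and password are constructed, and the origin binding, HTTPS check and single-use rule are assumptions about how such a swap would be scoped.

```javascript
// Added illustration (Node.js): a model of the nonce swap, not browser code.
const { randomBytes } = require('node:crypto');

class NonceVault {
  constructor() { this.entries = new Map(); } // nonce -> { password, origin }

  // Manager side: the page (and every script in it) only ever receives the nonce.
  issue(password, origin) {
    const nonce = 'nonce-' + randomBytes(16).toString('hex');
    this.entries.set(nonce, { password, origin });
    return nonce;
  }

  // Browser side: runs after page scripts and extension callbacks, just before
  // the request leaves for the network. Swaps the nonce for the real password
  // only if the destination is the HTTPS origin the nonce was issued for.
  finalizeRequest(req) {
    const dest = new URL(req.url);
    const params = new URLSearchParams(req.body);
    let swapped = false;
    for (const [key, value] of [...params]) {
      const entry = this.entries.get(value);
      if (!entry) continue;                        // not a known nonce
      if (dest.protocol !== 'https:' || dest.origin !== entry.origin) continue;
      params.set(key, entry.password);
      this.entries.delete(value);                  // assumption: single use
      swapped = true;
    }
    return { body: params.toString(), swapped };
  }
}

// Constructed scenario: one exfiltration attempt, one legitimate login, one replay.
function demo() {
  const vault = new NonceVault();
  const nonce = vault.issue('correct-horse-battery', 'https://login.example');
  const exfil = vault.finalizeRequest({
    url: 'https://collector.example/c', body: `stolen=${nonce}` });
  const login = vault.finalizeRequest({
    url: 'https://login.example/session', body: `user=alice&pass=${nonce}` });
  const replay = vault.finalizeRequest({
    url: 'https://login.example/session', body: `user=alice&pass=${nonce}` });
  return { nonce, exfil, login, replay };
}
```

In this model a script or extension that copies the field value and posts it elsewhere leaks only the nonce, which is worthless outside the bound origin.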

Paper Structure (52 sections, 4 figures, 1 table)

This paper contains 52 sections, 4 figures, 1 table.

Figures (4)

  • Figure 1: Web Request API flow
  • Figure 2: Diagram illustrating how an attacker can use an onBeforeRequest callback to exfiltrate passwords.
  • Figure 3: This diagram gives the flow for autofilling and replacing nonces as implemented by Design #5.
  • Figure 4: Functional Evaluation Architecture