
Hey, You, Get Off of My Clipboard

On How Usability Trumps Security in Android Password Managers

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7859)

Abstract

Password managers aim to help users manage their ever-increasing number of passwords for online authentication. Since users only have to memorise one master secret to unlock an encrypted password database or key chain storing all their (hopefully) different and strong passwords, password managers are intended to increase username/password security. With mobile Internet usage on the rise, password managers have found their way onto smartphones and tablets. In this paper, we analyse the security of password managers on Android devices. While encryption mechanisms are used to protect credentials, we show that a usability feature of the investigated mobile password managers puts the users' usernames and passwords at risk. We demonstrate the consequences of our findings by analysing 21 popular free and paid password managers for Android. We then make recommendations on how to overcome the current problems and provide an implementation of a secure and usable mobile password manager.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Fahl, S., Harbach, M., Oltrogge, M., Muders, T., Smith, M. (2013). Hey, You, Get Off of My Clipboard. In: Sadeghi, AR. (eds) Financial Cryptography and Data Security. FC 2013. Lecture Notes in Computer Science, vol 7859. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39884-1_12


  • DOI: https://doi.org/10.1007/978-3-642-39884-1_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39883-4

  • Online ISBN: 978-3-642-39884-1

  • eBook Packages: Computer Science (R0)
