
Busting Password Managers: Encrypting Passwords on the Client

November 13, 2014

This is a continuation of our series on Busting Password Managers. Check out the first post here.

Hypothesis:

If passwords are encrypted (e.g. AES) on the client in JavaScript, then browsers will not save passwords.

The Technique:

Normally, it is ill-advised to implement encryption or other security controls in JavaScript, since the source code is completely readable by every client. In this case, however, the goal is not so much keeping users secure as outsmarting the password manager in their browser. We once again built a proof of concept based on the default Visual Studio 2013 ASP.NET MVC C# project. The source code for this test can be downloaded from https://github.com/pvwowkfn/AutoCompleteBlog/tree/AesPassword.

The first step is to add Google’s CryptoJS library to our project. We chose to download the minified JS file into our project rather than reference the version on Google’s servers. Second, we added our own JS file that we called EncryptPassword.js.

Then we referenced these JS files in the Login, Register, _ChangePasswordPartial and _SetPasswordPartial views, connecting each form submit event to our custom EncryptPasswords() JS function.

Next, we added our own AesHelper class with some static methods to abstract that logic away from the controllers.

And finally, in the AccountController.cs controller methods, we added calls to decrypt the passwords carried in the models passed into them.

While this technique does not prevent a browser’s password manager from caching a password, it does prevent it from caching a plaintext password. If the keys were randomly generated to be unique for each page request (similar to a nonce), then any cached passwords would be of very little value. In this example, our user “mick” has the encrypted version of his password cached in Chrome, as represented by the yellow username and password text fields. But simply submitting the autofilled form would fail: the cached ciphertext is encrypted a second time by the submit handler, so the server never recovers the real password.

Internet Explorer version 11 and Firefox did not even ask to remember the password. The other browsers offered to remember the passwords, but they could only cache the encrypted version, which would be unusable in a replay attack as long as the encryption is implemented properly.

Successfully works on: Yes, Somewhat *, Yes, Somewhat *, Somewhat *

* Browser caches the unusably encrypted password.
