BNET UK
silicon.com
ZDNet UK

Home
News
Blogs
Reviews
Videos
Jobs
Resources
Community

Leader
Comment
White Papers
Downloads
Special Reports

Hardware
Software
Communications
Internet
Security
IT Management
Emerging Tech
Leader

Group Blogs
News Blog
Post Room
Rupert's Diary

Hardware Reviews
Software Reviews
Editors' Choice
Buyer's Guides
Tech Guides
Competitions

Dialogue Box
Security threats
Server platforms
Mobile devices
Application development
Full video index

Articles
White Papers
Downloads
Companies
Broadband Speed Test

People
Competitions
Post Room
FAQ

You are here: ZDNet UK > News > Security

Security management Toolkit

Browsers fail password-management security tests

Tags:
Form,
Passwords,
Password,
Elements

Matthew Broersma ZDNet.co.uk

Published: 16 Dec 2008 17:20 GMT

Google's Chrome browser and Apple's Safari have received poor marks in a new set of tests evaluating the security of password-management features in five popular web browsers.

Chapin Information Services (CIS), which published its test results on Friday, said Chrome 1.0's password manager failed all but two of 21 tests — a score matched by Apple's Safari 3.2. Microsoft's Internet Explorer 7 scored slightly better, passing five of the tests, while Opera 9.62 and Firefox 3.0.4 both passed seven of the tests.

"Safari and Chrome are essentially tied for the worst password manager built into a major web browser," CIS said in a statement.

Of the tests failed by Chrome's password manager, three failures were highlighted by CIS as particularly risky, as they mean the browser could allow a malicious website to steal passwords stored in the password manager.

CIS said that, firstly, Chrome failed to check the path to which passwords are sent; secondly, failed to check the domain from which passwords are requested; and, thirdly, did not perform well in handling invisible form elements. Chrome was the only tested browser to fail all three of these tests, CIS said.

Read this

Ten tweaks to love (and hate) in IE8

None of the browsers passed the first test, which covered checking the path when passwords are retrieved. Only Opera and Firefox passed the second test, to do with preventing passwords from being delivered to a domain different from the one the password was delivered to when it was saved.

The third test related to whether the browser prevents passwords from being delivered to a form that the user can't see — for example, from being used to fill out a login form on a web page that has its display property set to 'none'. Chrome and Firefox both failed this test, according to CIS.

Opera's password manager came closest to getting around the three tests, as it has the ability to deactivate invisible form elements, and options that partly addressed the other two issues, CIS said.

Safari addressed the problem of invisible forms, but passed only one other test: that of requiring user interaction to save a password.

Did you find this article useful?
10 out of 10 people found this useful

Share this article:
Digg
Slashdot
Del.ici.ous
Stumble
Reddit

Company/Topic Alerts

Create a new alert from the list below:

Apple
Password
Security
Safari
Opera

Google
Browser
Chrome
Internet Explorer
Firefox

Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video

Install Flash Player plugin

Find out more: Microsoft exec outlines...

All videos
Most popular videos
Latest videos

Featured Talkback

In association with Network Liberation Movement

It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.