Test Finds Google Chrome, Apple Safari Weakest in Browser Password Management

A test of the security of password managers in Google Chrome, Microsoft Internet Explorer, Apple Safari, Opera and Mozilla Firefox finds all five browsers do a poor job of protecting user passwords. Opera and Firefox receive the best marks, but pass only seven of 21 tests performed by Chapin Information Services. Google Chrome and Safari pass only two tests.

A test by IT consulting company Chapin Information Services has turned attention toward what is perhaps an undervalued element of browser security-password management.

The company took a look at all the major browsers: Internet Explorer 7, Opera 9.62, Firefox 3.04, Safari 3.2 and Google Chrome. According to the study, each browser was susceptible to a number of vulnerabilities that could expose password information. Of the five, Opera Software's Opera and Mozilla Firefox fared the best-meaning they passed seven of the 21 tests. Internet Explorer passed five tests, while Google Chrome and Apple Safari passed only two.

Three issues were cited by CIS as being problems that, when combined, could allow cyber-thieves to steal passwords without a user's knowledge. The first two are whether the browsers check the destination where passwords are sent and the locations where they are requested.

According to CIS, none of the browsers' password managers checked the action path when passwords were retrieved or saved. In addition, only Opera and Firefox prevent the browsers' password manager from delivering a password to a domain other than the one to which the password was delivered when it was saved.

"Intuitively, this is something that should happen all the time," said Robert Chapin, president of CIS. "If I go to Google.com and I save a password there, and the next day I go to log in again, if Google is telling my browser to send my password to [the] Yahoo Web site, most of these browsers ... couldn't care less where that password is being sent to."

All this matters, Chapin said, because if there is a Web site that is either compromised or that intentionally allows users to inject their own HTML, users are vulnerable to having their information stolen. However, Ian Fette, a security project manager at Google, correctly pointed out that users in those scenarios would be vulnerable to a number of different attacks.