Browsers fail password-management security tests

Chrome and Safari fared worse than Opera, Firefox and IE in a set of tests evaluating the security of browsers' password-management features

Google's Chrome browser and Apple's Safari have received poor marks in a new set of tests evaluating the security of password-management features in five popular web browsers.

Chapin Information Services (CIS), which published its test results on Friday, said Chrome 1.0's password manager failed all but two of 21 tests — a score matched by Apple's Safari 3.2. Microsoft's Internet Explorer 7 scored slightly better, passing five of the tests, while Opera 9.62 and Firefox 3.0.4 both passed seven of the tests.

"Safari and Chrome are essentially tied for the worst password manager built into a major web browser," CIS said in a statement.

Of the tests failed by Chrome's password manager, three failures were highlighted by CIS as particularly risky, as they mean the browser could allow a malicious website to steal passwords stored in the password manager.

CIS said that, firstly, Chrome failed to check the path to which passwords are sent; secondly, failed to check the domain from which passwords are requested; and, thirdly, did not perform well in handling invisible form elements. Chrome was the only tested browser to fail all three of these tests, CIS said.

None of the browsers passed the first test, which covered checking the path when passwords are retrieved. Only Opera and Firefox passed the second test, which checks that a saved password is not delivered to a domain other than the one it was originally saved for.

The third test related to whether the browser prevents passwords from being delivered to a form that the user can't see — for example, from being used to fill out a login form on a web page that has its display property set to 'none'. Chrome and Firefox both failed this test, according to CIS.
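The three checks described above (the submission path, the requesting domain and the visibility of the form) can be written down as a single autofill policy. The code below is an added illustration, not part of the CIS test suite or any browser's password manager, and the credential, page URLs and form descriptors it uses are constructed for the example. It runs in Node (the `URL` class is built in) and models a form as a plain object with an `action` URL and a `visible` flag, since there is no DOM outside the browser.

```javascript
// Added example: the three autofill checks from the CIS tests, modelled as
// a pure policy function so it can run outside a browser. All inputs here
// are constructed for the illustration.

// When a password is saved, remember the origin of the page it was saved on
// and the origin and path of the URL the login form submitted to, so that
// both can be compared on later visits.
function savedCredential(pageUrl, actionUrl) {
  const page = new URL(pageUrl);
  const action = new URL(actionUrl);
  return {
    pageOrigin: page.origin,
    actionOrigin: action.origin,
    actionPath: action.pathname,
  };
}

// Decide whether a stored credential may be filled into `form` on the page
// at `pageUrl`. Returns { fill, reason } so callers can log why a fill was
// refused. Checks are applied in the order the article lists them.
function shouldAutofill(cred, pageUrl, form) {
  const page = new URL(pageUrl);

  // Domain check: the page asking for the password must have the same
  // origin as the page the password was saved on.
  if (page.origin !== cred.pageOrigin) {
    return { fill: false, reason: 'domain mismatch' };
  }

  // Path check: the form must submit to the same origin and the same path
  // the original login form submitted to. A relative action is resolved
  // against the current page URL, as a browser would.
  const action = new URL(form.action, pageUrl);
  if (action.origin !== cred.actionOrigin) {
    return { fill: false, reason: 'action origin mismatch' };
  }
  if (action.pathname !== cred.actionPath) {
    return { fill: false, reason: 'action path mismatch' };
  }

  // Invisible-form check: never fill a form the user cannot see (for
  // example one rendered with display: none).
  if (!form.visible) {
    return { fill: false, reason: 'form not visible' };
  }

  return { fill: true, reason: 'ok' };
}

// Constructed scenarios: one legitimate login and one failure per check.
function runScenarios() {
  const cred = savedCredential(
    'https://example.test/login',
    'https://example.test/session'
  );
  return {
    legitimate: shouldAutofill(cred, 'https://example.test/login',
      { action: '/session', visible: true }),
    otherDomain: shouldAutofill(cred, 'https://other.test/login',
      { action: 'https://example.test/session', visible: true }),
    otherPath: shouldAutofill(cred, 'https://example.test/login',
      { action: '/comments', visible: true }),
    offsiteAction: shouldAutofill(cred, 'https://example.test/blog',
      { action: 'https://other.test/collect', visible: true }),
    hiddenForm: shouldAutofill(cred, 'https://example.test/login',
      { action: '/session', visible: false }),
  };
}

for (const [name, result] of Object.entries(runScenarios())) {
  console.log(`${name}: fill=${result.fill} (${result.reason})`);
}
```

Only the first scenario is filled; each of the others is refused by exactly one of the three checks, which is the behaviour the CIS tests look for.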

Opera's password manager came closest to addressing all three issues, as it can deactivate invisible form elements and offers options that partly address the other two, CIS said.

Safari addressed the problem of invisible forms, but passed only one other test: that of requiring user interaction to save a password.