Password field

Two researchers from the University of Virginia have developed a new password manager prototype that works quite differently from existing password manager clients.

The research team describes their password manager — which they named Horcrux — as "a password manager for paranoids," due to its security and privacy-focused features and a unique design used for handling user passwords, both while in transit and at rest.

There are two main differences between Horcrux and currently available password manager clients.

Horcrux inserts dummy credentials into your forms

The first is how Horcrux inserts user credentials inside web pages. Regular password managers do this by filling in the login form with the user's data.

Hannah Li and David Evans, the two researchers that created Horcrux, say this is a dangerous behavior because password managers insert user credentials inside a page's DOM, which exposes credentials to malicious JS scripts that can read those credentials while inside the forms, before submission.

The two say they fixed this attack surface in Horcrux by inserting dummy (fake) credentials inside login fields. When the user submits his form, the dummy credentials are still there, but Horcrux will intercept the form submit operation (HTTP POST request) and replace the dummy credentials with the user's real username and password combo.

Researchers admitted that this idea is not new, as other researchers proposed the same solution in the past, but that solution was not adopted by the developers of password managers due to usability and compatibility concerns.

This time around, the research team says they tested their technique to be sure it works without glitches and found that 98% of the Alexa Top 1 Million sites that feature login forms are compatible with their "dummy credentials swap."

Horcrux spreads credentials across multiple servers

The second feature that makes Horcrux stand out compared to other password manager clients is how it stores user credentials.

Compared to classic solutions, Horcrux doesn't trust one single password store but spreads user credentials across multiple servers. This means that if an attacker manages to gain access to one of the servers, he won't gain access to all of the user's passwords, limiting the damage of any security incident.

Furthermore, credentials stored across these multiple servers are secret-shared using a cuckoo hashing algorithm "in a way that ensures an attacker cannot determine if a guessed master pass-
word is correct," which greatly limits an attacker's ability to recover any password data, even if he manages to compromise one of the many password-storing servers.

The new Horcrux password manager is currently available only as a Firefox add-on that can be compiled from this open-source GitHub repo. The downside is that users have to host their own password-storing servers in order to use Horcrux, something that many users can't afford. Nonetheless, the license permits companies that run password managers to take their design or code and use it for their own professional solutions.

More details about the Horcrux design and implementation are available in the research team's paper, entitled "Horcrux: A Password Manager for Paranoids."