Persistence of Passwords in Bitwarden's Browser Extension: Unnecessary Retention and Solutions

Abstract

Password-based authentication is still the dominant form of authentication on the web, yet users do not adopt password managers for fear of them being insecure, unreliable and other reasons. In this project we modify a password manager to try to comply with certain data security properties as a way to increase adoption of this type of software that has been increasing in importance. Taking BitWarden’s Google Chrome extension as our chosen password manager, we define password manager states and data security properties regarding the master password that we would like to comply with, perform tests and analyse password retention problems in the application. While the BitWarden extension interacts with many layers, we decided to only change the application layer, as a way to understand how much can be done by the developers of these types of applications. We then introduce our modified extensions that try to solve the issues presented before and introduce a testing framework that is able to automatically interact with the extension through the graphical user interface to replicate the use case chosen. While our solution does not completely solve the issue, we were able to reduce the problem slightly.