Title: Security Analysis of Browser-based Password Managers and Browser Extensions Abstract: All the five most popular Web browsers have a built-in password manager feature. Meanwhile, third-party vendors have also provided many password manager browser extensions. We reveal the vulnerabilities of these existing browser-based password managers and analyze how attackers can exploit those vulnerabilities to crack users' saved passwords. Moreover, we propose a new browser-and-cloud-based password manager to achieve a high level of security with the desired confidentiality, integrity, and availability properties. In addition to password manager browser extensions, a large number of other types of browser extensions exist in browser vendors' online stores for millions of users to download and install. Many of those extensions process sensitive information from user inputs and webpages. We propose a new framework for automatic detection of information leakage vulnerabilities in those browser extensions. Our framework can be used by extension developers to easily locate and fix the vulnerabilities in their code, and by browser vendors to easily decide whether certain extensions can be hosted in their online stores. We present these latest research results in this talk.