PassSec+ - An add-on that protects your passwords, payment information and, ultimately your privacy

PassSecis an extension of the original PassSec add-on. The functionality of the Firefox-desktop add-on is split into two key functions, as explained in more detail below: 

  • Protection of passwords, bank details and other sensitive data
  • Changing cookie settings for more privacy 

The latest version of PassSec+ can be downloaded here. On this website you can find the FAQs. If you have problems or notice something unusual, please have a look at FAQs first. If you have any further questions, please contact Betty Ballin.

If you are interested in the source code or want to contribute to this add-on please visit our GitHub website.

Protection of passwords and payment data

Entering sensitive information, such as passwords and payment data is part of everyday life for all Internet users. When entering such information, first of all it is important that the website itself is secure and that data transmission is secured using HTTPS.

PassSec+ informs you if the appropriate input fields on a website are transmitted securely, via HTTPS. If this is the case, a green frame and a security indicator is displayed in the field. (see Figure 1 for a password field example).

Figure 1: Input field (in this case a password field) when the input is secure

The green frame is initially only shown by the add-on if the operator of the website possesses a so-called Extended Validation certificate.

For security reasons, PassSec+ randomly chooses one of the following symbols for you:

You can change the pre-selected icon at any time via the settings. If you visit a website and there is a green frame with a different symbol from the one assigned to you, you should not enter sensitive information such as passwords and payment data under any circumstances.

If PassSec+ detects that there are input fields on a web page and the information will indeed be transmitted via a secure connection but the website does not have a so-called Extended Validation Certificate, the frame will be displayed in orange (see Figure 2).

Figure 2: Input field (in this case the password field) on a HTTPS website that does not use a Extended Validation Certificate

If you activate an input field, the domain (e.g. of the server from which the website is loaded will be displayed next to the field (see Figure 3).

Figure 3: Warning in case of HTTPS without Extended Validation

After you have checked the domain (for example, that is correctly displayed instead of, confirm this by clicking the button: “I have checked the destination“. Afterwards the frame will be displayed in green. This should help you to guard against entering login information on websites such as instead In addition this should make clear which part of the address (also called URL) is the most important, e.g. the one, to which you should pay attention.

If the PassSec+ Add-On detects that a website asks for sensitive data and the data transmission is not secured (HTTPS), the add-on provides a red background and a warning icon (see Figure 4).

Figure 4: Password field with red frame and warning icon

If you activate the red input field to enter your password or payment information, a warning will appear (see Figure 5 and 6). The problem, and possible consequences, are detailed. In addition, alternative courses of action are suggested. This depends on whether the website can be accessed via a secure connection (HTTPS) or not. If a secure connection is available, the option ‘Safe Mode' will be provided as shown in the following figures.

Figure 5: Warning after clicking in a password field on an HTTP website that offers the safe mode.
Figure 6: Warning after clicking in a field of payment data on an HTTP website, which offers the safe mode.

If you select the recommended "Safe Mode" option, a short dialog appears. There you can see the domain (e.g. of the server from which the Web page is being loaded.

Figure 7: Confirmation that the address of the visited website is correct.

If you have checked the displayed domain (for example, that the page is from and not, confirm this by clicking the OK button'. The frame will subsequently be displayed in green. This process should deter you from entering your password or payment information on a phishing website.

If the website does not offer an alternative secure option, we recommend that you use a different password for this website or preferably a different service. Payment data should never be transmitted unsecured (see Figure 8).

Figure 8: Warning after clicking in a password field on an HTTP website that does not offers the safe mode.

If you select the ill-advised “add exception” option, a short dialog appears. You will see a reminder of the domain (e.g. of the server. Check the domain before entering sensitive data.

PassSec+ automatically checks every website that transmits information insecurely. A search engine (currently either Startpage  or Google) checks whether the website address is among the first hits returned by the search engine. If the request is corrected by the search engine (e.g. to a warning dialog will be displayed containing supporting information (see Figure 9). You should dismiss the current page and not enter any sensitive or personal data because this is likely to be a Phish website.

Figure 9: Warning if phishing attempt is suspected

If you want the add-on to examine more fields in terms of a secure connection, then you change this behavior in the settings and among the advanced options.

Cookie settings for more privacy

The second new feature in PassSec+ are the cookie preferences. Cookies are stored by website operators and have the ability to accumulate usage patterns comprehensively, possibly for advertising purposes. In addition, some companies can track the user across multiple websites and thus create a profile by using a variety of so-called third-party cookies.

To prevent this, cookie settings are controlled to verify and improve the user's settings. At installation the user receives a brief introduction to what cookies are and the available options to prevent such tracking. On the one hand third-party cookies can be disabled completely. On the other hand cookies can be deleted automatically when you exit the browser, so that profiling over several days is impossible. Both settings are set automatically if the user consents to this.


The add-on works when using the Firefox browser, min. version 23 on a Windows, Mac OS or Linux system and can be downloaded here. It does not work on an android system.

It was developed in the context of the InUse project which was funded by the Federal Ministry of Justice and Consumer Protection and the Bundesanstalt Food and Agriculture.

Besides of the InUse-team a number of students from the Technical University of Darmstadt were involved:  Kristoffer Braun, Kevin Kelpen, Joshua Ruf, Richard Stein, Hubert Strauß, Gildas Nya Tchabe und Simon Weiler.

The regular expressions have been partly taken from the source code of Google Chromium. We would like to acknowledge Karen Renaud for helping us with the English version.


Design and Field Evaluation of PassSec: Raising and Sustaining Web Surfer Risk Awareness
Melanie Volkamer, Karen Renaud, Kristoffer Braun, Gamze Canova, Benjamin Reinheimer
In: International Conference on Trust and Trustworthy Computing (TRUST), p. 104-121, August 2015

Capturing Attention for Warnings about Insecure Password Fields - Systematic Development of a Passive Security Intervention
Nina Kolb, Steffen Bartsch, Melanie Volkamer, Joachim Vogt
In: 16th International Conference on Human-Computer Interaction (HCII 2014), June 2014 


The FAQs (frequently asked questions) can be found here.

A A A | Drucken Print | Impressum Impressum | Sitemap Sitemap | Suche Search | Kontakt Contact | Website Analysis: More Information
zum Seitenanfangzum Seitenanfang