Browsers bomb password tests

Robert Hallock (Thrax)

December 15, 2008 11:52 AM ET in News

With Firefox 3.0.4 and Opera 9.62 leading the pack of losers, today’s top browsers all failed more than 66% of tests designed to evaluate password security.

The extensive battery tested more than 20 different vectors that could be exploited to steal passwords from users through direct or phishing attacks. Tests include the “method checked on retrieval” test, which verifies the uniformity of HTTP password delivery; only Chrome passed it.

To pass this test, the PM must never deliver a password using an HTTP method other than the one by which the password was delivered when it was saved. For example, if a password is saved on a form that uses POST, and then automatically filled in another form that uses GET to deliver the password, then the PM has failed this test.
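As an added illustration (not code from the article or from any of the browsers tested), here is what the “method checked on retrieval” rule looks like as an autofill policy check; the credential record shape and function names are assumptions for the example.

```javascript
// Added example modelled on the "method checked on retrieval" test described
// above: a password manager must refuse to autofill a saved password into a
// form whose submission method differs from the one used when it was saved.

// Normalise a form's method the way HTML does: case-insensitive, and anything
// other than "post" or "dialog" falls back to "get".
function normalizeMethod(method) {
  const m = String(method || "").trim().toLowerCase();
  if (m === "post" || m === "dialog") return m;
  return "get";
}

// A saved credential remembers where and how the password was originally sent.
// Constructed sample record for the demonstration (not a real site).
const savedCredential = {
  origin: "https://example.test",
  method: "post",
  usernameField: "user",
  passwordField: "pass",
};

// Decide whether the manager may autofill `saved` into a form that lives on
// `pageOrigin` and would submit with `formMethod`. Returns an object so the
// caller (and any audit log) can see why a fill was refused.
function autofillDecision(saved, pageOrigin, formMethod) {
  if (pageOrigin !== saved.origin) {
    return { fill: false, reason: "origin mismatch" };
  }
  const wanted = normalizeMethod(saved.method);
  const actual = normalizeMethod(formMethod);
  if (actual !== wanted) {
    // A GET form would put the password in the URL: history, server logs, Referer.
    return { fill: false, reason: `method changed from ${wanted} to ${actual}` };
  }
  return { fill: true, reason: "origin and method match saved record" };
}
```

Note that a form with no `method` attribute defaults to GET, so a saved POST credential is refused there as well.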

Other tests check how the password manager handles passwords for domains, specific form fields, addresses with certain matching elements, and more.
