Chrome draws criticism for storing passwords unprotected

August 7, 2013, 8:55 AM

Something many people aren't aware of is the way web browsers store saved passwords locally, for the ease of signing in to accounts whenever you return to a webpage. While all browsers offer this functionality, Chrome has recently been criticized for storing passwords in plain text, where they are easily accessible to anyone using the same local user account.

Software developer Elliot Kember highlighted the "insane" security strategy of Chrome, showing that by heading to chrome://settings/passwords it's very easy to see passwords by simply clicking the "Show" button. There is no option to hide these behind a master password, so anyone with local access to your computer is a few clicks away from seeing all your stored website passwords.

The situation is very similar with Firefox, as you can head to the Saved Passwords section of the browser's options and see passwords with the same sort of effort. Firefox includes the option to set a master password, but it's disabled by default, so, as with Chrome, for the majority of users it's easy to find plain text passwords locally.

On the other hand, Internet Explorer stores passwords in the Web Credential Manager, which requires you to re-enter your user account details to gain access. This is like forced master password protection of your other account details, and could be seen as more secure. Safari on Mac OS X uses a similar system for protection.

Justin Schuh, head of security on the Chrome team, claims that the lack of password-protected stored passwords is by design. He says that when a malicious user accesses your account on your PC it's essentially game over, as they can use a number of methods to get whatever they want, including installing account-level monitoring software to circumvent master password protection. Chrome therefore doesn't support using a master password to hide stored passwords as they don't want to "provide users with a false sense of security".

Schuh does have a point about local account access, as it opens the door for any personal information to be gathered. However, there are methods of preventing others from seeing your locally-stored passwords, and possibly the best way is to use a secure cloud password manager such as LastPass, which stores all your login credentials encrypted and protected by a master password. The program also offers additional security measures like one-time passwords, a virtual keyboard to protect against keyloggers, and multifactor authentication, so even in the event of unwanted local access to your computer your passwords should remain safe.

Other popular password managers include 1Password, Dashlane, KeePass and RoboForm. You can find a comprehensive list of cloud-based and local password managers in TechSpot's downloads section.

User Comments: 36

MrAnderson said:

Wow, I assumed that the passwords and other form autocomplete were being encrypted... but I never used them because I figured it would be a simple implementation... I guess my caution was vindicated.

Guest said:

How the **** didn't I notice this???????!!!!!

1 person liked this | Guest said:

I would like to remind you guys (the commenters) that client side protection is NOT the browser's task.

tookieboy tookieboy said:

This. Is. Old. News. Has been like this for ages.

Wow, I assumed that the passwords and other form autocomplete were being encrypted... but I never used them because I figured it would be a simple implementation... I guess my caution was vindicated.

If you actually follow through the claim link, you will see how inadequate your reply is.

"So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account."

How the **** didn't I notice this???????!!!!!

Because you don't configure your browser enough, period.

I would like to remind you guys (the commenters) that client side protection is NOT the browser's task.

+1 Completely agree with you, hence KeePass :)

2 people like this | Guest said:

Bigger question - why would you store password in the first place? Being lazy is not an excuse.

1 person liked this | CyniqueDuMonde CyniqueDuMonde said:

Justin Schuh's excuse that "this was planned" seems like a flimsy way to cover a screw-up. Hopefully they'll fix it as many users leave their machines logged-in while on coffee break. A malicious co-worker can nip into the cubicle and grab the entire treasure chest of passwords.

Yeah, we should all encrypt all of our accounts and we should always log out even when we leave our workstations to grab some papers off the department printer. But come on. A browser should not offer to save passwords unless its developers are willing to put a modicum of effort into protecting them. Scary.

Guest said:

I'm surprised you could find your keyboard through all of that smug.

RH00D RH00D said:

I would like to remind you guys (the commenters) that client side protection is NOT the browser's task.

I didn't realize a browser was anything other than a client-side application. I also wasn't aware a client-side application should not be responsible for the security of its built-in client-side functions and operations.

Guest said:

Why would you ever store passwords on your work computer?? Even if Chrome added another password anyone could still get any stored passwords from any browser. Chrome just doesn't bother with a faux layer of security.

1 person liked this | mario mario, Ex-TS Developer, said:

Justin Schuh, head of security on the Chrome team, claims that the lack of password-protected stored passwords is by design. He says that when a malicious user accesses your account on your PC it's essentially game over, as they can use a number of methods to get whatever they want, including installing account-level monitoring software to circumvent master password protection

Well, Mr. Justin Schuh apparently is a very lonely man, because I would be more afraid of crazy girlfriends or jealous wives than real hackers.

MilwaukeeMike said:

I would like to remind you guys (the commenters) that client side protection is NOT the browser's task.

'Not my job' isn't an excuse for incompetence. By showing all passwords someone could see quickly what common passwords that person uses and try them on other websites. Many people use the same few passwords for multiple sites. There's no reason the passwords couldn't be hidden.

1 person liked this | Jos Jos, Staff, said:

@mario exactly what I was thinking after reading Schuh's lame excuse. By the way, happy birthday man!

Guest said:

Firefox is the same

1 person liked this | Guest said:

It's obvious they aren't covering up a "screw up" or a "security flaw." it's true, once someone has local access to your PC without your permission there are much worse things they can do than look at passwords. it's by design. local access to your personal account on your computer is your own responsibility IMHO..

tipstir tipstir, TS Ambassador, said:

Thanks for posting this, I've cleaned all the old accounts..

gamoniac said:

What a lame excuse by Schuh. Just because someone can break into my house by kicking down the front door, it does not mean I should remove the lock and make it easier for him/her.

Camikazi said:

What a lame excuse by Schuh. Just because someone can break into my house by kicking down the front door, it does not mean I should remove the lock and make it easier for him/her.

I think this would be more like putting a lock on a glass cabinet in your house, once they are inside your house (locked or not) that lock on the glass cabinet does absolutely nothing to stop them. The lock and safe on your house door is what protects your cabinet from access.

Guest said:

If I need passwords from local comp I will use SIW - no place to hide

Kibaruk Kibaruk, TechSpot Paladin, said:

This is the only reason why I don't switch over to Chrome, Firefox's built-in password manager is awesome (You do have to set a master password first, obviously).

1 person liked this | JC713 JC713 said:

I love Chrome and have been using it since 2008, but this has to be fixed.

Guest said:

@RH00D:

If someone has physical access to your computer without any kind of protection, it is your fault, not the browser's.

Set up software that is designed for this task, I am sure there are a few that ask for a confirming password before allowing access to the machine.

Guest said:

What about public computers like at the library?

1 person liked this | Per Hansson Per Hansson, TS Server Guru, Staff, said:

@RH00D:

If someone has physical access to your computer without any kind of protection, it is your fault, not the browser's.

Set up software that is designed for this task, I am sure there are a few that ask for a confirming password before allowing access to the machine.

Windows has had this feature for the last 20 years, you lock the computer before you leave it, takes 0.1 seconds.

Just press the Windows key + L

What about public computers like at the library?

If you save your passwords on a computer in a public library I think there are some bigger issues to solve, and none involves software fixes.

Guest said:

I never store password on Chrome, Roboform is my homie! :D

windmill007 said:

I'm glad I use Firefox and it has that master password. Since I enabled that I feel better. I also assumed Firefox hid the passwords till I heard you have to enable the master password. Feel sorry for Chrome folks. I will be getting a lot of co-workers' passwords now. J/k

1 person liked this | xbosnax said:

This is why you get LastPass with two-way authentication. People who save their passwords and expect protection are like someone turning off all the lights and leaving their house for a month.

1 person liked this | Guest said:

To be clear, Chrome only caches passwords for sites if YOU LET IT. Encrypted or not, anyone who would browse to that site with your browser would be allowed in due to the cached password. So, to be clear, caching passwords using any browser is still NOT SECURE.

Locking out your computer isn't adequate whatsoever either; any half-baked IT person can grab your Windows, OS X or Linux passwords in minutes with readily available free software.

The bottom line is that you should use LastPass or any other similar quality service if you have a lot of passwords that you need convenient but secure access to.

Guest said:

Yes... smug levels are so high they're toxic. Look, security isn't about 'secure' and 'insecure', it's about more or less secure. It's true that with physical access to your computer a trained person can, with sufficient time, do anything they want. The key issues are the skill level of the intruder, and the time available. Most intruders won't be very skilled, and/or they won't have much time. Chrome's approach is just incredibly sloppy. With virtually no skill, and in no time, someone can grab a list of your passwords to take away and have fun with in their own time. The average user would expect that some kind of effort is made to protect their passwords, and they are entirely right to do so. They don't expect it to withstand an attack from the NSA, just make it harder for a jealous girlfriend / boyfriend to steal their Facebook password so they can go away and monitor all their private messages.... I get asked to do this for people a lot, by the way.

ypsylon said:

You have to be absolute **** to use Chrome and/or store passwords in browsers.

avoidz avoidz said:

Bigger question - why would you store password in the first place? Being lazy is not an excuse.

I think it's being called human.

St1ckM4n St1ckM4n said:

Looks like other Chromium-based browsers have it the same. My Opera 15 password manager looks exactly like the screenshot.

Guest said:

A head of security who says "it's by design" is not someone I'd like as head of security. This is ridiculous. It's true that if your account is compromised, you are in trouble, but security isn't always about always locking out the intruder with a single layer of security. Security comes in several layers. Even if the hacker manages to get into the account, you might be able to reduce the damage with further security measures. The fact that a head of security cannot understand this worries me.

As for storing passwords... actually, it's much safer than remembering your passwords because you can have a different password for every site and it can be as long and complex as possible - to the point where you can't remember it. By doing that, you are rendering it useless for hackers to try to crack your password. Otherwise, chances are you have easy to remember passwords - and only a few - to protect all your sites/accounts. Not safe.

Kibaruk Kibaruk, TechSpot Paladin, said:

To all the schmucks who say to lock Windows and done... that's like putting a 2 cm security lock on a fence.

Guest said:

Why all the sudden concern over this? Why is this so called news everywhere. The way the passwords are stored is NOTHING NEW. All of the sudden this is so called news everywhere you look on tech pages. If someone breaks into your home or office and steals your computer, or uses your computer, then change all your passwords. Options are many: don't save passwords, save to KeePass or use Internet LastPass, or password protect your computer ( yea, won't keep the pros out ). I use Firefox which has a Master Password -- so does Safari. Chrome is a good browser though - fast.

ViperSniper2 said:

Oh gee.... by golly wow holly smokums. My grandma and 3yro, who don't have any better memory than I do, might actually be able to remember the over 50 passwords and sites respectively and access my Techspot Password! .....I'm so afraid with passwords like $23VY6k9G$c!90OrK. that I can't remember myself. So that's why I use a Password Tool or on my HP Laptop Fingerprint Recognition! ;-P

So what's going to happen when Motorola comes out with NFC Tag Password Pills? o_O And in Linux I'm really messed up because this Chrome Password revelation can all be exposed simply by finding out my unique keyring access phrase when I log on. Oh My Word, the calamity of it all if somehow my grandma was peeking over my shoulder or maybe even used my Security Camera to crack that code!!!! ^_^ ........... I mean I just know she or my son are Secret Sleeper SPIES of some kind or worse Aliens or teh SKYNET!!!! ;-P

BTW.... Cold Hard Facts of the matter, if we have to worry about someone in our own house taking advantage of us by accessing our Techspot Account or any other online account, we all need to crawl in a hole and just die. This is beyond ludicrous and why UNIX is DEAD outside of business, super computers or government. Suddenly you'd be treating everyone you let in your door like a criminal. Which is totally absurd and is better suited for Drug Addicts Protecting their stash or imagining the Comet on the counter is a line of Meth!!! lol..... Sensationalistic Hater Journalism at its Finest!!!
