Chrome draws criticism for storing passwords unprotected

August 7, 2013, 8:55 AM

Something many people aren't aware of is the way web browsers store saved passwords locally so that you can sign in to accounts easily whenever you return to a webpage. While all browsers offer this functionality, Chrome has recently been criticized for storing passwords in plain text, where they are easily accessible to local users.

Software developer Elliot Kember highlighted the "insane" security strategy of Chrome, showing that after heading to chrome://settings/passwords it's very easy to see passwords by simply clicking the "Show" button. There is no option to hide these behind a master password, so anyone with local access to your computer is a few clicks away from seeing all your stored website passwords.

The situation is very similar with Firefox, as you can head to the Saved Passwords section of the browser's options and see passwords with the same sort of effort. Firefox includes the option to set a master password, but it's disabled by default, so, as with Chrome, for the majority of users it's easy to find plain text passwords locally.

On the other hand, Internet Explorer stores passwords in the Web Credential Manager, which requires you to re-enter your user account details to gain access. This is like forced master password protection of your other account details, and could be seen as more secure. Safari on Mac OS X uses a similar system for protection.

Justin Schuh, head of security on the Chrome team, claims that the lack of password-protected stored passwords is by design. He says that when a malicious user accesses your account on your PC it's essentially game over, as they can use a number of methods to get whatever they want, including installing account-level monitoring software to circumvent master password protection. Chrome therefore doesn't support using a master password to hide stored passwords as they don't want to "provide users with a false sense of security".

Schuh does have a point about local account access, as it opens the door for any personal information to be gathered. However, there are methods of preventing others from seeing your locally-stored passwords, and possibly the best way is to use a secure cloud password manager such as LastPass, which stores all your login credentials encrypted and protected by a master password. The program also offers additional security measures like one-time passwords, a virtual keyboard to protect against keyloggers, and multifactor authentication, so even in the event of unwanted local access to your computer, passwords should remain safe.

Other popular password managers include 1Password, Dashlane, KeePass and RoboForm. You can find a comprehensive list of cloud-based and local password managers in TechSpot's downloads section.
