Chrome draws criticism for storing passwords unprotected

Scorpus

Staff member

Something many people aren't aware of is how web browsers store saved passwords locally so that you can sign in again without retyping them. Every major browser offers this, but Chrome has recently been criticized because its saved passwords can be viewed in plain text by anyone using the same local user account.

Software developer Elliot Kember highlighted Chrome's "insane" security strategy: head to chrome://settings/passwords and any saved password is revealed by clicking the "Show" button. There is no option to hide these behind a master password, so anyone with access to your logged-in session is a few clicks away from every website password you have stored.

The situation is similar in Firefox: the Saved Passwords section of the browser's options reveals passwords with the same sort of effort. Firefox does include a master password option, but it's disabled by default, so for the majority of users plain text passwords are just as easy to find locally as in Chrome.

Internet Explorer, on the other hand, stores passwords in Windows Credential Manager (under Web Credentials), which requires you to re-enter your Windows account password before it will display them. That amounts to forced master-password protection, with your account password as the master, and could be seen as more secure. Safari on Mac OS X uses a similar system for protection.

Justin Schuh, head of security on the Chrome team, says the lack of a master password for stored passwords is by design. Once a malicious user has access to your account on your PC it's essentially game over: they can use any number of methods to get whatever they want, including installing monitoring software in that account to capture a master password the moment you type it. Chrome therefore doesn't support a master password for stored passwords, because the team doesn't want to "provide users with a false sense of security".

Schuh does have a point about local account access, as it opens the door to any personal information being gathered. There are still ways to keep others from reading your locally-stored passwords, and possibly the best is a dedicated password manager such as LastPass, which stores all your login credentials encrypted and unlocks them only with a master password. The program also offers additional measures like one-time passwords, a virtual keyboard to frustrate keyloggers, and multifactor authentication. The caveat that follows from Schuh's own argument still applies, though: the vault protects you only while it is locked, so a manager left unlocked on an unattended machine is no better than Chrome's settings page.

Other popular password managers include 1Password, Dashlane, KeePass and RoboForm. You can find a comprehensive list of cloud-based and local password managers in TechSpot's downloads section.


 
Wow, I assumed that the passwords and other form autocomplete were being encrypted... but I never used them because I figured it would be simple implementation... I guess my caution was vindicated.
 
I would like to remind you guys (the commenters) that client side protection is NOT the browser's task.
 
This. Is. Old. News. Has been like this for ages.

Wow, I assumed that the passwords and other form autocomplete were being encrypted... but I never used them because I figured it would be simple implementation... I guess my caution was vindicated.
If you actually follow through the claim link, you will see how inadequate your reply is.
"So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account."

How the **** didn't I notice this???????!!!!!
Because you don't configure your browser enough, period.

I would like to remind you guys (the commenters) that client side protection is NOT the browser's task.
+1 Completely agree with you, hence KeePass :)
 
Justin Schuh's excuse that "this was planned" seems like a flimsy way to cover a screw-up. Hopefully they'll fix it as many users leave their machines logged-in while on coffee break. A malicious co-worker can nip into the cubicle and grab the entire treasure chest of passwords.

Yeah, we should all encrypt all of our accounts and we should always log out even when we leave our workstations to grab some papers off the department printer. But come on. A browser should not offer to save passwords unless its developers are willing to put a modicum of effort into protecting them. Scary.
 
I'm surprised you could find your keyboard through all of that smug.
 
I would like to remind you guys (the commenters) that client side protection is NOT the browser's task.
I didn't realize a browser was anything other than a client-side application. I also wasn't aware a client-side application should not be responsible for the security of its built-in client-side functions and operations.
 
Why would you ever store passwords on your work computer?? Even if Chrome added another password anyone could still get any stored passwords from any browser. Chrome just doesn't bother with a faux layer of security.
 
Justin Schuh, head of security on the Chrome team, claims that the lack of password-protected stored passwords is by design. He says that when a malicious user accesses your account on your PC it's essentially game over, as they can use a number of methods to get whatever they want, including installing account-level monitoring software to circumvent master password protection

Well, Mr. Justin Schuh apparently is a very lonely man, because I would be more afraid of crazy girlfriends or jealous wives than real hackers.
 
I would like to remind you guys (the commenters) that client side protection is NOT the browser's task.

'Not my job' isn't an excuse for incompetence. By showing all passwords someone could see quickly what common passwords that person uses and try them on other websites. Many people use the same few passwords for multiple sites. There's no reason the passwords couldn't be hidden.
 
mario exactly what I was thinking after reading Schuh's lame excuse. By the way, happy birthday man!
 
It's obvious they aren't covering up a "screw up" or a "security flaw." It's true, once someone has local access to your PC without your permission there are much worse things they can do than look at passwords. It's by design. Local access to your personal account on your computer is your own responsibility IMHO.
 
What a lame excuse by Schuh. Just because someone can break into my house by kicking down the front door, it does not mean I should remove the lock and make it easier for him/her.
 
What a lame excuse by Schuh. Just because someone can break into my house by kicking down the front door, it does not mean I should remove the lock and make it easier for him/her.
I think this would be more like putting a lock on a glass cabinet in your house, once they are inside your house (locked or not) that lock on the glass cabinet does absolutely nothing to stop them. The lock and safe on your house door is what protects your cabinet from access.
 
If I need passwords from local comp I will use SIW - no place to hide
 
This is the only reason why I don't switch over to Chrome; Firefox's built-in password manager is awesome (you do have to set a master password first, obviously).
 
@RH00D:
If someone has physical access to your computer without any kind of protection, it is your fault, not the browser's.
Set up software that is designed for this task; I am sure there are a few that ask for a confirming password before allowing access to the machine.
 
@RH00D:
If someone has physical access to your computer without any kind of protection, it is your fault, not the browser's.
Set up software that is designed for this task; I am sure there are a few that ask for a confirming password before allowing access to the machine.
Windows has had this feature for the last 20 years, you lock the computer before you leave it, takes 0.1 seconds.
Just press the Windows key + L

What about public computers like at the library?
If you save your passwords on a computer in a public library I think there are some bigger issues to solve, and none involves software fixes.
 