Chrome's Insane Password Security Strategy 482
jones_supa writes "One day web developer Elliott Kember decided to switch from Safari to Chrome and in the process, discovered possibly a serious weakness with local password management in Chrome. The settings import tool forced the passwords to be always imported, which lead Kember to further investigate how the data can be accessed. For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek all the passwords in clear text very easily with a couple of mouse clicks. This spurred a lengthy discussion featuring Justin Schuh, the head of Chrome security, who says Kember is wrong and that this behavior of Chrome has been evaluated for years and is not going to change."
This is also the case on Firefox (Score:5, Insightful)
Solution: If security is important to you, don't be lazy.
Re:This is also the case on Firefox (Score:5, Informative)
Firefox has the option to protect saved passwords with a master passwords and if you already unlocked the password store, in order to read password from the GUI, you need to unlock it again
Master Password (Thuderbird+Firefox) (Score:5, Insightful)
Firefox has the option to protect saved passwords with a master passwords and if you already unlocked the password store, in order to read password from the GUI, you need to unlock it again
Exactly. Mozilla's email client Thunderbird also uses a Master Password to unlock the view-ability of the stored passwords.
For those who insist on saying that chrome's security method is good enough consider this: How many people use separate log-in's for the "Family" computer that stays on most of the time? Not very many I'd imagine, just too much trouble for most to deal with. This means that both other family members as well as house guests can casually access all those passwords in no time.
Even if you do use different log-ins consider this type of common scenario: Your son or daughter has a "friend" over and they are cruising the web on her account doing whatever. Say that they are reading some news item or article together when the daughter gets up to go the bathroom. Do you think for one second that she is going to lock the computer and force her friend to wait to finish what she is doing? No. Her "friend" will then be able to casually and quickly access all those passwords and type them into her iphone for safe keeping before your daughter gets back. She now pwns your daughters facebook account, bank account, cellphone account and who knows what else.
How can anyone with a straight face say that is an acceptable security method? The fact that my open source email client has an easily useable default master password system proves that it is something that chrome could easily implement as well, hell, just copy the open-source code from thunderbird if you need to...
To be quite frank; when I think of Google or Microsoft "my security" is not something I honestly expect from them, and this newest revelation just further confirms that perception.
Re: (Score:3, Informative)
How many people use separate log-in's for the "Family" computer that stays on most of the time? Not very many I'd imagine,
More than you imagine, because teenagers insist upon it.
And in reality, its by far the easiest thing to set up, and the easiest thing to do.
Just select the Switch User button, and you are out of your account, ready for the next person to use it,
and its as secure as your computer's OS is (which might not be all that secure, but that's another issue).
Re: (Score:3, Informative)
Chrome's security tech lead gives a pretty good answer here: [ycombinator.com]
Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
People worried about the security of this are worried over the wrong things. Firefox's master password would do absolutely nothing to stop a dropped-in extension from monitoring webpages for when passwords are filled, grabbing the filled form-data, and storing it in the extensions own preferences; and that wouldnt even take a background process, admin privileges, or really anything more than the ability to drop a file in the firefox profile.
I wou
Re:Master Password (Thuderbird+Firefox) (Score:5, Insightful)
Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software
This assumes bad guy has access to an account with root/admin access. How about OS accounts that are locked down, for the exact reason of preventing these types of exploits? Obviously Chrome can run on a limited account.
It is irresponsible to rely on the underlying OS security (or insecurity) as a crutch. So what if someone has physical access? Just because they can type on a keyboard or insert a USB drive, doesn't mean they can run an exploit. What will they do, install a rootkit? What if they can't reboot the computer? What if they can't get past BIOS and full disk encryption?
Seriously... I'm getting mad just at the thought that the head of any computer security team can think in this way.
Re: (Score:3)
A limited account can still install extensions, userland rootkits (which do exist), background startup programs (which would have full access to the user's running program memory and files), and so on.
Seriously... I'm getting mad just at the thought that the head of any computer security team can think in this way.
Thats because like so many others you do not have a clear conception of what the actual threats are and the proper way of mitigating them.
This is really very simple: If the attacker has access to your session, you have lost. If an attacker has access to your machine and you have not used disk encryption, you
Re:Master Password (Thuderbird+Firefox) (Score:4, Informative)
Exactly. Mozilla's email client Thunderbird also uses a Master Password to unlock the view-ability of the stored passwords.
Chrome uses the same core OS key storage that Firefox/Thunderbird does, and encrypts with the same master password--if I save a password in Firefox, it's available in Chrome and vice-versa. Both use kwallet on KDE, gnome-keyring on Gnome platforms, keychain access on the Mac, etc.
You can lock access to view them however the OS does so (e.g. with gnome, either Applications->Settings->Passwords and Keys, and select "Lock passwords", or from the command line, and gnome automatically locks them when your screensaver locks; on KDE it's the "Wallet Manager", I forget which menu it's under; on the Mac it's Utilities->Keychain Access, and click the little lock at the top of the keychain to lock/unlock). All 3 of those systems default to using your login password and automatically unlocking the keychain when you log in, but you can set the password separately (and be prompted to unlock it when you go to use it) if you want.
The problem here is that Windows' password management doesn't offer a reasonable alternative, but that's not Chrome's fault.
For those who insist on saying that chrome's security method is good enough consider this: How many people use separate log-in's for the "Family" computer that stays on most of the time? Not very many I'd imagine, just too much trouble for most to deal with. This means that both other family members as well as house guests can casually access all those passwords in no time.
a) Lock your passwords when you turn over the computer
b) You don't actually need to log in and out all the time to use separate accounts on the communal machine. Mine is usually sitting there logged into a guest account that everyone can use, with a browser running as the guest. I'll also use if I'm just looking something up on IMDB or googling/wiki'ing a quick question or whatever. There's a button on the menubar to "Run browser as..." with options for me and each of my family members, which prompts for the user's password and then runs a browser as them--if I need to check email or pay a bill or something, that browser's got my info but it's not available from the guest account/browser.. That covers the vast majority of cases, you just need to remember to close your browser when you're done with it.
For more complicated stuff, I pop over to VT8, log in, do what I need to do, and pop back. If I'm in the middle of something and someone needs to use the machine briefly, I can lock my terminal and switch back to the guest terminal for a few minutes, then switch back and unlock my screen without really disrupting anything.
Re:This is also the case on Firefox (Score:5, Interesting)
I'm sorry, but there is a dedicated area for my stuff -- on Windows it's Documents and Settings, and on UNIX it's the home directory. The actual program may not be user specific, but all operating systems have a "home" area specific to users. There are no valid technical reasons why this can't be made secure, other than either having no interest in doing it, or pandering to users who just want convenience.
This is just a piss-poor implementation of security, and it's why I don't trust a browser to retain passwords for me, and never have. I rank it right up there with giving Facebook my password so they can log into my email and find friends -- not happening, because I don't trust them with my password.
If this guy is the head of 'security' for Chrome, he's either incompetent at that, or Google as a general rule have a shitty idea about what security should be and he's of the opinion this is "good enough".
But since Google mostly just wants to collect all of your data, it may not be of value to them to lock it down in any meaningful way.
Re: (Score:2)
Re: (Score:3)
You need the user's Windows account credentials to decrypt the passwords.
Have you ever seen a user using a Windows machine that isn't logged in? That means there is basically constant access to Chrome passwords. I'd prefer to have the option of a separate master password for my browser like Firefox does. It's not like it would even be that hard for Chrome to implement, so I'm not sure why there is such a struggle to add it. (Could be a hidden advanced feature even.) Are there scenarios where an attacker could get the master password? Yes, of course, but with the current system they are guaranteed access. Are there scenarios where they could not get the master password? Absolutely.
I'd prefer to minimize my security risk. I'm not proposing that you are forced into the same master password system, merely that I have the option to choose it. (Which I currently do by using Firefox.)
If you care so little about security that you don't secure your user account, I doubt you care enough about security to worry about your other credentials.
Stupid is as stupid does, as they say.
Re: (Score:3)
If you care so little about security that you don't secure your user account, I doubt you care enough about security to worry about your other credentials.
Stupid is as stupid does, as they say.
The problem with this is that it is very short-sighted. There is no 100% effective way to secure an account other than to not use it or to keep it disconnected from networks and away from other users. That may be an acceptable risk for you, but I prefer having another layer of protection.
Re: (Score:3)
I'm sorry, but there is a dedicated area for my stuff -- on Windows it's Documents and Settings, and on UNIX it's the home directory.
From the Chrome teams response for this issue, I believe that's what they're doing. If someone is logged into your OS session as you, they can see the passwords. Somebody logged into the same computer, but as a different user, can't see the passwords.
Re:This is also the case on Firefox (Score:4, Interesting)
Chrome stores everything in the cloud if you're logged into Google. That's what makes this even more dangerous than it's being reported.
If Chrome is signed into your Google account, and some malicious user gets hold of your Google username and password, then they can retrieve all of your stored passwords simply by installing chrome and logging in. That includes any password on your phone, other systems or otherwise.
This is why two step authentication, clearing out all stored password, and disabling password storing in sync settings are your friends.
Re: (Score:2)
Resetting passwords is a hugely complicated process on machines you have physical access to...
Re: (Score:2)
Re: (Score:2)
Sure there is. It's hard. Or perhaps it's better to say, it has enough moving parts that it gets screwed up pretty frequently. For example, it's secure until your boss sends you AnnualReport.docx, which happens to contain a virus (and actually wasn't sent by your boss).
Re:This is also the case on Firefox (Score:5, Informative)
I just checked and Chrome keeps my passwords in a file under "C:\Users\\AppData\Local\Google\Chrome\User Data\Default". This directory is permission locked to me only. Even other admins can't access it unless they add permissions manually.
As far as I can tell Chrome does use filesystem level security to protect individual user's passwords.
Re: (Score:2)
So someone with admin wouldn't be able to reset your password? or change ownership of the file?
Re: (Score:3)
Other admins can access it if they change the permissions on the directory, naturally. If you don't trust the other admins on your system you are boned anyway.
Re: (Score:2)
I'm sorry, but there is a dedicated area for my stuff -- on Windows it's Documents and Settings, and on UNIX it's the home directory. The actual program may not be user specific, but all operating systems have a "home" area specific to users. There are no valid technical reasons why this can't be made secure, other than either having no interest in doing it, or pandering to users who just want convenience.
This is just a piss-poor implementation of security, and it's why I don't trust a browser to retain passwords for me, and never have. I rank it right up there with giving Facebook my password so they can log into my email and find friends -- not happening, because I don't trust them with my password.
If this guy is the head of 'security' for Chrome, he's either incompetent at that, or Google as a general rule have a shitty idea about what security should be and he's of the opinion this is "good enough".
But since Google mostly just wants to collect all of your data, it may not be of value to them to lock it down in any meaningful way.
Google's response to everything is "no, we're doing it the best way." I find it best just to avoid talking to Googlers about their jobs.
Re:This is also the case on Firefox (Score:5, Informative)
So set a Master Password: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins [mozilla.org]
More here: http://kb.mozillazine.org/Master_password [mozillazine.org]
Almost no users actually use this: http://monica-at-mozilla.blogspot.com/2013/02/cant-live-with-them-cant-live-without.html [blogspot.com]
"....can be solved somewhat with master password, but only 1 out of 12K users had master password enabled"
Re: (Score:3)
Almost no users actually use this:
Of course not. Anyone security minded won't let Firefox save the passwords in the first place.
Re: (Score:2)
With Firefox, there's the option of adding a master password.
It's still substandard - Firefox bleeds login information across sites (e.g. It places 3+ potential usernames, some of which are unique to a specific site), gives sudden "enter master password" prompt when not focusing on a password field, etc.
Re: (Score:2)
Re:This is also the case on Firefox (Score:4, Informative)
From TFA:
The simple fact is that you need to lock your user account if you want to protect your information. If you don't do that, nothing else really matters because it's all just theater and won't actually stop anyone willing to invest minimal effort.
And there it is. The bottom line. Kember demands that Chrome engage in security theater and the Chrome authors said no. As they should.
Re: (Score:3)
Re: (Score:2)
I know it has been discussed many times to password lock access to stored passwords, though because browsers are not user-specific, this has not been done.
Solution: If security is important to you, don't be lazy.
But browsers ARE as user specific as any other part of the modern computer.
With just about every Operating System having the ability to have multiple accounts logged in and to switch accounts easily, browsers, and everything else each user does can be compartmentalized easily.
And that is probably the best way to handle it in general where what is needed is snoop protection from co-users.
If you recommend typing in passwords to every websites you have to go with an notebook full of passwords, a single common
No, Firefox is much more secure (Score:2)
can peek all the passwords in clear text very easily with a couple of mouse clicks
it takes at least 3 clicks with Firefox.
Re:This is also the case on Firefox (Score:5, Insightful)
Every one can type their own password.
But what about typing hundreds of passwords?
Once you have more than a few, you resort to a crutch of some sort.
Re: (Score:3)
I wouldn't call this [keepass.info] a crutch...
Re: (Score:2)
It's definitely better than keeping all passwords written down on paper, if used with a strong master password. No, it's not perfect, but it's pretty much as good as most people can get - memorizing dozens of totally different strong passwords is not really very feasible.
Re: (Score:3)
True, but it's a lot of trouble to copy an paste each password. I know this, because In fact I use one of these on all my devices.
If it these password vaults could detect you are in a password field and feed the password to it that would be sweet. Only one password to remember.
Otoh, only one password to steal.
Re:This is also the case on Firefox (Score:5, Informative)
If only such a thing existed...
Oh, wait. It does.
http://lastpass.com/ [lastpass.com]
Re:This is also the case on Firefox (Score:4, Insightful)
I also wouldn't need LastPass if I didn't need a cross-browser, cross-device password management tool, which Chrome is not, regardless of the trust level I assign it.
So, in fact, even if I did trust Chrome, I would still need it.
Re: (Score:3, Informative)
LastPass does exactly this.
Re: (Score:3)
I'm not sure I want any plugins into the browser.
First, browser plugins have a pretty shaky security reputation.
Second, I'm not always on a browser that accepts plugins. I use several browsers.
Third browsers change too fast, and plugins don't keep up.
It should probably be done at the OS level, hooking the keyboard for password injection. But that
still leaves you with the problem of knowing what web page you are no, so you are back to
some sort of browser plug in.
It really cries out for a industry wide agree
A helpful crutch (Score:3, Interesting)
But what about typing hundreds of passwords?
Once you have more than a few, you resort to a crutch of some sort.
Here's a crutch. Just paste it to something like safepassword.sh in /usr/local/bin or similar:
#!/bin/bash
# script: safepassword
# this script depends on sha512sum
if [ "$2" = "" ]
then
echo "usage: safepassword constant_key password_purpose"
echo " where constant_key is a string of printable non-whitespace characters,"
echo " and password_purpose is a memorable string related to the purpose of"
echo " the password, e.g. a website address. Since the script removes any"
echo "
Re:A helpful crutch (Score:4, Interesting)
The script is indented, but stupid slashcode ignores characters
While stupid slashcode ignores pretty much any 21st century concept, it does support an <ecode> tag, which turns each pair of leading spaces into a level of indention. Bizarre, but workable.
It also supports the <tt> tag, which turns each single leading space into a level of indention. Less bizarre, more workable.
thing
thing indented
thing indented more
another thing
done indenting
Re:A helpful crutch (Score:5, Insightful)
Don't do this. It basically puts your passwords (their building blocks, really) in clear text in your command history. It's not any greater security than Chrome has when someone has physical access, and it is significantly less convenient.
Re:A helpful crutch (Score:5, Insightful)
This thread is a goldmine of security theatre. Any hiring personnel could probably also use this to weed out folks who dont actually understand security.
Re: (Score:3)
Re: (Score:3)
Firefox is the same (Score:3, Informative)
Re:Firefox is the same (Score:4, Informative)
../../Set Masterpassword
face it : chrome sucks at security, but that's no big surprise.
Re: (Score:3)
Actually, is this any different for ANY browser?
If the password is available (without being prompted for any master password), then it's accesible one way or another. Period.
Re:Firefox is the same (Score:5, Insightful)
You can secure this in Firefox, there is no option to do so in Chrome.
Re: (Score:3)
Security is a theater most of the time. Nothing prevents you from robbing a bank and taking down the guards except, morals aside, the fear of losing your freedom or getting shot.
Passwords by itself are a laughable protection we use nowadays, especially if you use short strings. It just happens to be the most convenient option we have so far. A lot of banks have switched to having code cards and passwords for more security, or even sending codes to your cell phone. A simple keylogger can take away all the pr
Moronic. (Score:3, Insightful)
If your browser can read the passwords and use them on the web, so can a local user. No surprise. Unless you set a master password (firefox offers this, not sure about chrome), there's no way to fix this. It's just how computers work.
Re: (Score:2)
Lol this is like Google's AC army all over the comments section now. Computers don't work that way. But to make it simple for you, a password can be encrypted with a public key, and then decrypted with Chrome's private key. It is not advanced technology and please, go tell your coworkers at Google to get their act together.
Re:Moronic. (Score:5, Insightful)
But to make it simple for you, a password can be encrypted with a public key, and then decrypted with Chrome's private key.
How do you intend to keep a local user from being able to extract the private key that Chrome is using? (Note that in your scenario, asymmetric key encryption is kind of pointless in the first place.)
See: why DRM doesn't work either.
Re: (Score:2)
Which means Chrome's private key needs to be stored in Chrome itself (unless you want to start shipping everything off to Google for server-side processing), and so can be plucked out of the binary for decryption purposes.
Re: (Score:3)
Re: (Score:3)
If your browser can read the passwords and use them on the web, so can a local user. No surprise. Unless you set a master password (firefox offers this, not sure about chrome), there's no way to fix this. It's just how computers work.
Not on OS X/Safari. All my saved passwords are locked by a master password. A user without that master password can see that the entries exist, but they can't decode the passwords without first entering the master password. And, where things get really different, they are sandboxed, so only the original application that entered the password can read it without user intervention.
This is nothing new (Score:3, Insightful)
Saved passwords have always been stored in a way that they can be recovered easily.
By definition, saving passwords will always be insecure, unless the program has a way to encrypt them using another key provided by the user.
They MUST be recoverable to be of use, because the plain text password must be available to the program for transmission to the web page.
Re: (Score:2)
There is a software called Keepass and it tackles that issue in a really good way. It might not be perfect but if you find somebody that can crack a Keepass database that uses Twofish or AES, they totally deserve to have your passwords.
I don't see what the fuss is about. (Score:2, Informative)
This functionality has been both in Chrome and Firefox for years now, so I don't see why people make a fuss about it only now..
Either you don't give other people access to your user account, or you use a 3rd party password-protected keystore like Keepass, Lastpass, 1Password, with a separate (or even 2-factor) authentication.
Re: (Score:2)
He missed something (Score:5, Interesting)
How about the fact that Chrome can import passwords stored in Safari to begin with?
So Safari has some security issues as well. Where is the "master key" to export passwords?
I guess the underlying message is that if you leave a computer unattended the information is accessible to anyone. E-mail, passwords, documents, MP3s, etc.
This is a convenience feature and 99% rather have the convenience of a cached web passwords on their personal computer then worrying about something walking by.
Re: (Score:2)
Safari uses the keyring, an OS level service to access passwords. So all you need to provide is your system password when an app wants to access the keyring and that's it.
..okay? And? (Score:2, Insightful)
If Chrome is going to enter your password for you, it has to know your password. This simple requirement ultimately means that any attempt to obfuscate the stored password is going to be trivial to overcome by anyone who has physical access to the box, unless you're flat out encrypting them with another password that the user would have to enter to decrypt them, and at that point, we've pretty handily defeated the purpose of storing passwords (because let's face it, it's not like you're going to want to do
Re: (Score:3)
It would be less trivial if one had something like the Android model where each application (with some exceptions) stores (some of) its data as a separate user, and without root privileges, one can't access the data for the application except by the methods provided by the application.
Re: (Score:2)
Re: (Score:2)
Very very different things.
Re: (Score:2)
And where do you keep the private key? Inside the distributed Chrome binary? That's locally accessible.
Re: (Score:3)
There are things like private/public key encryption you know.
Apparently you need to think about this a bit more. How exactly is Chrome supposed to decrypt a password without storing the secret that allow it to do so on the same machine/account? Even if the password is encrypted with an asymmetric key, the corresponding key must be stored where Chrome can access it to de-crypt the password(s).
Re: (Score:2)
There are things like private/public key encryption you know.
Yes, and if you understood how public key encryption works, you'd realize its existence is not relevant to the discussion at hand. It has no useful function here. (Note: your "master password" is not a private key of this sort -- no hand entered password ever could be... unless you're Lt. Cmdr. Data.)
Master password? (Score:2)
If there is no master password, then no matter how the data is stored, it's as safe as plain text anyway. Even with master password, dictionary attacks will get you quite often.
And you can transfer/import/export the data encrypted with master password between different installations without decrypting it.
--Coder
Why is this making news? (Score:4, Funny)
Re: (Score:3)
If it's sitting there in plain text for anybody to get, what's to prevent a malicious web-page from asking for it?
Or are we meant to believe they made it trivial to access from the machine, but have put in super-duper security around accessing it from with the browser? Because I'm not buying that.
Re: (Score:2)
Right, and exploits have never allowed people to access local files they're not supposed to. Nosiree, it's iron clad and has a perfect track record.
Well, you can choose to believe that -- me I'll treat browsers like an untrusted entity in which stuff like that can bleed out in ways nobody planned for. We already know that cross-site cookies can be a
Re: (Score:2)
It's sitting there in plain text for anybody with _physical access_ to the machine to get. So no, any website can not access it, but anybody on the machine can.
That's assuming that there's no security holes in Chrome. But there could be a security hole which will then make it so that the computer can't distinguish between a user with physical access and a program running.
Seems silly.. (Score:3)
Why complain about this. If you're storing your passwords in your browser - im not sure how this qualifies as being significantly worse -- they can already just sit down at your browser and change your passwords - which is worse since it locks you out of your own account.
Just dont save passwords if you cant secure your workstation i think is common sense.
Re: (Score:2)
Is this part of Google/NSA collaboration? (Score:2)
Re: (Score:2)
It may not be that way by design, but it's certainly a possibility to be exploited.
Imagine if the government went to Google and said "you need to add secret code which uploads these user/passwords to us so we have them".
Google may not be directly part of a conspiracy like this, but I see no reason to keep acting like they couldn't be forced to or might not occasionally
Passwords have to be in the clear anyway (Score:5, Insightful)
Passwords have to be stored in a decryptable form, because the browser needs them decrypted to fill in the password fields or to respond to HTTP authentication responses. That means that any malware with access to the browser can get those passwords in decrypted form too. A master password doesn't help, the malware can just get the passwords after I've entered the master password to decrypt them for use (assuming it can't just get the master password when I enter it). The only thing encrypted password storage really protects against is someone with access to the physical storage media but not the running system, or essentially stolen mobile devices (phones or laptops). On those you probably shouldn't be storing passwords at all, because any reversible encryption is too easy to crack using off-line attacks with modern hardware.
It's similar to my objection to the old "don't write down your passwords" thing: the risk of a remote attack against easy-to-remember passwords is much higher than the risk of an attacker physically getting into the locked drawer of my desk in the locked area of the secured and patrolled building my office is in, and if the attacker has gotten into the locked drawer in my desk I've got much bigger security worries and the attacker has much juicier targets he can go after.
Incorrect title (Score:2, Insightful)
Title should read: "Elliott Kember's Insane Password Security Strategy"
Seriously, why are you storing passwords, at all? Unless you're storing them on in an encrypted space of some kind that requires two-factor authentication you shouldn't be storing passwords at all (and even then I really question your sanity).
Hmm, doesn't show them for me (Score:2)
Similar argument about Maemo's messaging (Score:2)
Maemo's messaging app stores passwords in a plaintext file, some users found it and wanted it obfuscated to at least make them non-trivial to retrieve. The Maemo devs argued that obfuscation would be better at lulling users into a false sense of security about what is stored than thwarting those who want to access it maliciously.
It's only for blogs (Score:2)
Start locking your computer when you walk away from it.
Google's rationalizatoin is ridiculous (Score:2)
Next "Insane Password Security" issue here: (Score:2)
... will be that the user can tamper with the SSL root certificates (or just add her own) and trick Chrome into giving up the password to a locally-hosted web server presenting an apparently-valid cert for the target domain.
In order to remedy this, Chrome must adopt the policy of asking the server to pinky-swear that they are really the named entity.
Just use LastPass (Score:2)
Done.
All Browser do this (Score:2)
first off the main first issue is obviously a problem with Safari.
But in general, that is how all browsers do it. how is this news?
Interestingly... (Score:2)
... Chrome is able to use the KDE password wallet if present, which is protected under a master password. (I assume it can use the GNOME equivalent too). If so, Chrome won't save anything itself, so on that count at least, you're safe.
That said, I would recommend using a service like LastPass anyway, so the problem is taken entirely out of the hands of the browsers.
Earth to browser vendors (Score:2)
Yea I get the basic argument browser needs to be able to decrypt passwords somehow when needed this means either a password encrypting password thing or punting responsibility down the stack.
In many operating systems there are secure ways of doing precisely this. Use underlying operating systems keychain where available such as windows credential store (Sorry XP users). The credential store is at least protected by the users security context and syskey if non-default setting is used. On shared computers
The plaintext passwords isn't the issue (Score:3)
Sure, it's shocking for someone who thought their passwords were safe in Chrome to realize that they're visible with four clicks. But the real issue is that Chrome passwords aren't really stored safely. If you get a virus on your system, it has full access to the passwords.
Honest question: why doesn't Chrome implement something similar to KeePass or LastPass? Is there some technical reason? Is it astoundingly difficult? Does it not actually provide additional security against malware?
Re: (Score:2)
Pretty easy these days, you can setup a master password on the page where you access the plain text passwords.Most people don't do this though, and do use the remember my login feature. Really it should be one of the first things it gets you to do when you setup the browser.
Re: (Score:2, Insightful)
Maybe you didn't read the article and what is being discussed. The reason Google is being singled out is because one guy discovered an issue with Chrome and then Google's top chief for Chrome security had a crappy response.
So next time, at least try to post with a proper Slashdot account or something, at least that way we can check if you are just a zealot for a given company or making a legit complain.
Re:Why is Google being singled out? (Score:4, Insightful)
Maybe you didn't read the article and what is being discussed. The reason Google is being singled out is because one guy discovered an issue with Chrome and then Google's top chief for Chrome security had a crappy response.
No he had exactly the right response, but there's a lot of morons (at proven by the threads on this story) who think they understand security and don't.
Re: (Score:2)
yeah i use it for sites i don't care about loosing the password to like my account needed to comment on popular science or gawker sites don't really care if they are compromised. slashdots password is not saved and neither is my email accounts' password. a large problem is that every site under the sun wants you to register a account just to make one comment so peoples mind become inundated trying to remember dozens of passwords they rarely ever use.
Re: (Score:2)
And your super secure scheme is WHAT?
list of passwords under the lamp?
Single common password
Single common password with a site specific appendage?
Log into every site via the oh-so-secure Facebook authentication proxy?
Log into only Slashdot and always post as AC?
Re:Firefox has done this for years (Score:5, Informative)
I don't think people realize that
Re:Firefox has done this for years (Score:4, Interesting)
Fantastic. I don't think that you realize that the issue people are concerned about is that Chrome will easily display these password in plain text to any user who happens to sit down at an unlocked computer.
Now to some of the silly supporters of this bizarre behavior:
If I have access to an unlocked user account, I can already: install keyloggers, corupt data, pwn their machine, rape their dog, etc...
Yes, yes you could. But just as there are different levels of security, there are different levels of "hackers". Not everyone out there is a l33t haxor who can own your PC with nothing more than a paper clip, a rubber band and an old FM radio. Security is also intended to stop "casual hackers". A "friend" who is just borrowing your browser for a few minutes. A neighbor who just dropped by and needs to check their email quickly. Your soon to be ex-spouse who wants to check up on what sites you've been visiting...etc. Having a UAC prompt / sudo prompt would at least stop these casual users from finding all your passwords in plain text.
If the browser stores the password, someone could just log onto the site and change it
Yes, but unless they: (1) validated the password change in email, (2) deleted the email notifying the user of password change, (3) changed the browser to have the new password stored, the user would likely notice the change pretty quick. I know I'd notice password changes of this type when my (a) phone, (b) laptop, (c) other PC all stopped being able to access the site that was changed.
People shouldn't store their passwords in the browser....they should use: [insert favorite password storage site here]
Agreed. But in this case, Google should just remove the feature and redirect the user to one of those sites.
The way they have it implemented is:
(a) stupid
(b) insecure
and
(c) dishonest as their messages imply that passwords are stored securely.
And their idiotic defense of this behavior makes me wonder if Google even bothers hiring security-aware people at all. It concerns me enough that even though I don't store passwords in any browser, I'm uninstalling Chrome when I get home. If they are this lax about basic password security, I am very worried about what other stupid security policies they have in Chrome.
Re: (Score:2)
Then just log out for Pete sake?
How hard is that?
Re: (Score:2)
Then just log out for Pete sake?
How hard is that?
Doesn't every OS since Windows XP auto-lock around the 15 minute mark as soon as the screensaver kicks in?
The real issue is that laymen who live alone sometimes force windows to have password-less accounts on the first-use setup. If so, locking or logging out has no net effect on their security.
Re: (Score:2)
Re: (Score:2)
Then go out for a celebratory beer.
And forget to logout of the account in your rush out the door.
Same problem.
Re: (Score:2)
Easier fix.. don't click the "Save my password" button... yeah it's hard to remember them all, but you know what, saving your password anywhere is a major security problem. This is no different than having your password on a post-it note stuck under the keyboard...
and in a shared computer situation... you're just asking for trouble saving your password...
It's a lazy solution to a problem that nobody has really come up with a good fix for, remembering passwords to various sites. heck for infrequently used