Chrome Security

Chrome's Insane Password Security Strategy 482

jones_supa writes "One day web developer Elliott Kember decided to switch from Safari to Chrome and in the process, discovered possibly a serious weakness with local password management in Chrome. The settings import tool forced the passwords to be always imported, which led Kember to further investigate how the data can be accessed. For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek at all the passwords in clear text very easily with a couple of mouse clicks. This spurred a lengthy discussion featuring Justin Schuh, the head of Chrome security, who says Kember is wrong and that this behavior of Chrome has been evaluated for years and is not going to change."
This discussion has been archived. No new comments can be posted.

  • by briancox2 ( 2417470 ) on Wednesday August 07, 2013 @12:33PM (#44498655) Homepage Journal
    I know it has been discussed many times to password lock access to stored passwords, though because browsers are not user-specific, this has not been done.

    Solution: If security is important to you, don't be lazy.
  • Moronic. (Score:3, Insightful)

    by Anonymous Coward on Wednesday August 07, 2013 @12:35PM (#44498687)

    If your browser can read the passwords and use them on the web, so can a local user. No surprise. Unless you set a master password (Firefox offers this, not sure about Chrome), there's no way to fix this. It's just how computers work.

  • by Anonymous Coward on Wednesday August 07, 2013 @12:35PM (#44498693)

    Saved passwords have always been stored in a way that they can be recovered easily.

    By definition, saving passwords will always be insecure, unless the program has a way to encrypt them using another key provided by the user.

    They MUST be recoverable to be of use, because the plain text password must be available to the program for transmission to the web page.

  • ..okay? And? (Score:2, Insightful)

    by Anonymous Coward on Wednesday August 07, 2013 @12:39PM (#44498741)

    If Chrome is going to enter your password for you, it has to know your password. This simple requirement ultimately means that any attempt to obfuscate the stored password is going to be trivial to overcome by anyone who has physical access to the box, unless you're flat out encrypting them with another password that the user would have to enter to decrypt them, and at that point, we've pretty handily defeated the purpose of storing passwords (because let's face it, it's not like you're going to want to do this EVERY time you need to autofill a password, so we're just going to do it once and then leave the db unlocked), so you may as well just remember your passwords and enter them manually in the first place.

  • by Clsid ( 564627 ) on Wednesday August 07, 2013 @12:49PM (#44498913)

    Maybe you didn't read the article and what is being discussed. The reason Google is being singled out is because one guy discovered an issue with Chrome and then Google's top chief for Chrome security had a crappy response.

    So next time, at least try to post with a proper Slashdot account or something, at least that way we can check if you are just a zealot for a given company or making a legit complaint.

  • by Todd Knarr ( 15451 ) on Wednesday August 07, 2013 @12:49PM (#44498919) Homepage

    Passwords have to be stored in a decryptable form, because the browser needs them decrypted to fill in the password fields or to respond to HTTP authentication responses. That means that any malware with access to the browser can get those passwords in decrypted form too. A master password doesn't help, the malware can just get the passwords after I've entered the master password to decrypt them for use (assuming it can't just get the master password when I enter it). The only thing encrypted password storage really protects against is someone with access to the physical storage media but not the running system, or essentially stolen mobile devices (phones or laptops). On those you probably shouldn't be storing passwords at all, because any reversible encryption is too easy to crack using off-line attacks with modern hardware.

    It's similar to my objection to the old "don't write down your passwords" thing: the risk of a remote attack against easy-to-remember passwords is much higher than the risk of an attacker physically getting into the locked drawer of my desk in the locked area of the secured and patrolled building my office is in, and if the attacker has gotten into the locked drawer in my desk I've got much bigger security worries and the attacker has much juicier targets he can go after.
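
An added example (not from the thread and not any browser's code) of the trade-off described in the comment above: a record sealed under a key derived from a master password is opaque at rest, but the unlocked session necessarily holds plaintext. The function names, the iteration count and the HMAC-based keystream (a standard-library stand-in for a vetted AEAD such as AES-GCM) are assumptions, and the sample values are constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor: the price of each offline guess

def _keys(master, salt, iterations):
    # Stretch the master password once, then split into independent enc/MAC keys.
    root = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode; stand-in for a real AEAD cipher (assumption).
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(master, secret, iterations=ITERATIONS):
    """Return the at-rest record for one saved password."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(master, salt, iterations)
    ct = _xor_stream(enc_key, nonce, secret.encode())
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations, "ct": ct, "tag": tag}

def unseal(master, blob):
    """Verify the tag (encrypt-then-MAC) before decrypting; raise on mismatch."""
    enc_key, mac_key = _keys(master, blob["salt"], blob["iterations"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong master password or modified record")
    return _xor_stream(enc_key, blob["nonce"], blob["ct"]).decode()

class UnlockedSession:
    """After unlock, plaintext lives in process memory so autofill can use it.
    Anything running as the same user can reach it; sealing only covers data at rest."""
    def __init__(self, master, store):
        self.plaintext = {site: unseal(master, blob) for site, blob in store.items()}

if __name__ == "__main__":
    store = {"shop.example": seal("constructed master phrase", "constructed-site-pw")}
    print(store["shop.example"]["ct"].hex())             # opaque at rest
    print(UnlockedSession("constructed master phrase", store).plaintext)
```

The strength of the at-rest record depends entirely on the master password and the work factor, since the salt, nonce and iteration count are stored alongside the ciphertext.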

  • by Clsid ( 564627 ) on Wednesday August 07, 2013 @12:50PM (#44498929)

    You can secure this in Firefox, there is no option to do so in Chrome.

  • Incorrect title (Score:2, Insightful)

    by LordKaT ( 619540 ) on Wednesday August 07, 2013 @12:51PM (#44498939) Homepage Journal

    Title should read: "Elliott Kember's Insane Password Security Strategy"

    Seriously, why are you storing passwords, at all? Unless you're storing them in an encrypted space of some kind that requires two-factor authentication you shouldn't be storing passwords at all (and even then I really question your sanity).

  • by icebike ( 68054 ) on Wednesday August 07, 2013 @01:02PM (#44499125)

    Everyone can type their own password.

    But what about typing hundreds of passwords?

    Once you have more than a few, you resort to a crutch of some sort.

  • Re:Moronic. (Score:5, Insightful)

    by aardvarkjoe ( 156801 ) on Wednesday August 07, 2013 @01:03PM (#44499133)

    But to make it simple for you, a password can be encrypted with a public key, and then decrypted with Chrome's private key.

    How do you intend to keep a local user from being able to extract the private key that Chrome is using? (Note that in your scenario, asymmetric key encryption is kind of pointless in the first place.)

    See: why DRM doesn't work either.

  • by 7bit ( 1031746 ) on Wednesday August 07, 2013 @01:51PM (#44499953)

    Firefox has the option to protect saved passwords with a master password, and if you already unlocked the password store, in order to read a password from the GUI, you need to unlock it again

    Exactly. Mozilla's email client Thunderbird also uses a Master Password to unlock the view-ability of the stored passwords.

    For those who insist on saying that Chrome's security method is good enough consider this: How many people use separate log-ins for the "Family" computer that stays on most of the time? Not very many I'd imagine, just too much trouble for most to deal with. This means that both other family members as well as house guests can casually access all those passwords in no time.

    Even if you do use different log-ins consider this type of common scenario: Your son or daughter has a "friend" over and they are cruising the web on her account doing whatever. Say that they are reading some news item or article together when the daughter gets up to go to the bathroom. Do you think for one second that she is going to lock the computer and force her friend to wait to finish what she is doing? No. Her "friend" will then be able to casually and quickly access all those passwords and type them into her iPhone for safe keeping before your daughter gets back. She now pwns your daughter's Facebook account, bank account, cellphone account and who knows what else.

    How can anyone with a straight face say that is an acceptable security method? The fact that my open source email client has an easily usable default master password system proves that it is something that Chrome could easily implement as well, hell, just copy the open-source code from Thunderbird if you need to...

    To be quite frank; when I think of Google or Microsoft "my security" is not something I honestly expect from them, and this newest revelation just further confirms that perception.

  • by tgd ( 2822 ) on Wednesday August 07, 2013 @02:14PM (#44500275)

    Maybe you didn't read the article and what is being discussed. The reason Google is being singled out is because one guy discovered an issue with Chrome and then Google's top chief for Chrome security had a crappy response.

    No he had exactly the right response, but there's a lot of morons (as proven by the threads on this story) who think they understand security and don't.

  • by fizzup ( 788545 ) on Wednesday August 07, 2013 @02:46PM (#44500747)

    Don't do this. It basically puts your passwords (their building blocks, really) in clear text in your command history. It's not any greater security than Chrome has when someone has physical access, and it is significantly less convenient.

  • by LordLimecat ( 1103839 ) on Wednesday August 07, 2013 @03:10PM (#44501129)

    This thread is a goldmine of security theatre. Any hiring personnel could probably also use this to weed out folks who don't actually understand security.

  • by LordLimecat ( 1103839 ) on Wednesday August 07, 2013 @03:17PM (#44501225)

    It will stop anyone who happens to be on my machine from casually getting them.

    Security theatre. Such an individual would take 5 seconds to google "how to dump chrome passwords", and would realize there's about 800 ways to do so. In a few seconds, he could browse to amazon.com, for example, and use the HTML inspector to change the password field to be cleartext. Bam, there's your password.

    Or he could install an extension which has almost certainly already been created which pulls the password store into the extension storage as soon as the store is unlocked, and then uploads it to a website.

    So yes, you would prevent completely incompetent people from gaining access to your passwords, but that is NOT how you design security. You design based on the principle that people will always attack the weakest link, not the strongest, and in this case the correct choice is to let the OS handle keystore security.

  • by bmk67 ( 971394 ) on Wednesday August 07, 2013 @03:20PM (#44501289)

    I also wouldn't need LastPass if I didn't need a cross-browser, cross-device password management tool, which Chrome is not, regardless of the trust level I assign it.

    So, in fact, even if I did trust Chrome, I would still need it.

  • by bondsbw ( 888959 ) on Wednesday August 07, 2013 @05:01PM (#44502409)

    Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software

    This assumes bad guy has access to an account with root/admin access. How about OS accounts that are locked down, for the exact reason of preventing these types of exploits? Obviously Chrome can run on a limited account.

    It is irresponsible to rely on the underlying OS security (or insecurity) as a crutch. So what if someone has physical access? Just because they can type on a keyboard or insert a USB drive, doesn't mean they can run an exploit. What will they do, install a rootkit? What if they can't reboot the computer? What if they can't get past BIOS and full disk encryption?

    Seriously... I'm getting mad just at the thought that the head of any computer security team can think in this way.