Chrome's Insane Password Security Strategy

jones_supa writes "One day web developer Elliott Kember decided to switch from Safari to Chrome and in the process, discovered possibly a serious weakness with local password management in Chrome. The settings import tool forced the passwords to be always imported, which lead Kember to further investigate how the data can be accessed. For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek all the passwords in clear text very easily with a couple of mouse clicks. This spurred a lengthy discussion featuring Justin Schuh, the head of Chrome security, who says Kember is wrong and that this behavior of Chrome has been evaluated for years and is not going to change."

He missed something

[Lieutenant_Dan]

How about the fact that Chrome can import passwords stored in Safari to begin with?

So Safari has some security issues as well. Where is the "master key" to export passwords?

I guess the underlying message is that if you leave a computer unattended the information is accessible to anyone. E-mail, passwords, documents, MP3s, etc.

This is a convenience feature and 99% rather have the convenience of a cached web passwords on their personal computer then worrying about something walking by.

Re:This is also the case on Firefox

[gstoddart]

I know it has been discussed many times to password lock access to stored passwords, though because browsers are not user-specific, this has not been done.

I'm sorry, but there is a dedicated area for my stuff -- on Windows it's Documents and Settings, and on UNIX it's the home directory. The actual program may not be user specific, but all operating systems have a "home" area specific to users. There are no valid technical reasons why this can't be made secure, other than either having no interest in doing it, or pandering to users who just want convenience.

This is just a piss-poor implementation of security, and it's why I don't trust a browser to retain passwords for me, and never have. I rank it right up there with giving Facebook my password so they can log into my email and find friends -- not happening, because I don't trust them with my password.

If this guy is the head of 'security' for Chrome, he's either incompetent at that, or Google as a general rule have a shitty idea about what security should be and he's of the opinion this is "good enough".

But since Google mostly just wants to collect all of your data, it may not be of value to them to lock it down in any meaningful way.

A helpful crutch

[AliasMarlowe]

But what about typing hundreds of passwords?
Once you have more than a few, you resort to a crutch of some sort.

Here's a crutch. Just paste it to something like safepassword.sh in /usr/local/bin or similar:

#!/bin/bash
# script: safepassword
# this script depends on sha512sum
if [ "$2" = "" ]
then
echo "usage: safepassword constant_key password_purpose"
echo " where constant_key is a string of printable non-whitespace characters,"
echo " and password_purpose is a memorable string related to the purpose of"
echo " the password, e.g. a website address. Since the script removes any"
echo " characters outside 0-9 a-z A-Z it is possible that the password will"
echo " be too short in some cases."
else
echo -n "%1-%2" | sha512sum | xxd -r -p | tr -cd [:print:] | sed -e "s/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]//g" | sed -e "s/ //g"
echo
fi

The script is indented, but stupid slashcode ignores   characters.

Re:This is also the case on Firefox

[Deathlizard]

Chrome stores everything in the cloud if you're logged into Google. That's what makes this even more dangerous than it's being reported.

If Chrome is signed into your Google account, and some malicious user gets hold of your Google username and password, then they can retrieve all of your stored passwords simply by installing chrome and logging in. That includes any password on your phone, other systems or otherwise.

This is why two step authentication, clearing out all stored password, and disabling password storing in sync settings are your friends.

Re:A helpful crutch

[lgw]

The script is indented, but stupid slashcode ignores characters

While stupid slashcode ignores pretty much any 21st century concept, it does support an <ecode> tag, which turns each pair of leading spaces into a level of indention. Bizarre, but workable.

thing
  thing indented
    thing indented more
  another thing
done indenting

It also supports the <tt> tag, which turns each single leading space into a level of indention. Less bizarre, more workable.

thing
  thing indented
    thing indented more
  another thing
done indenting

Re:Firefox has done this for years

[Zalbik]

I don't think people realize that
        The passwords are encrypted on disk.
        The key for the encryption )on Windows at least) is the user's account... so Chrome can transparently decrypt them as long as you're logged in, for user convenience, though in this case it gives the appearance of not being encrypted.
        Chrome MUST be able to store the passwords in a decryptable form so it can USE them, like you asked it to!

Fantastic. I don't think that you realize that the issue people are concerned about is that Chrome will easily display these password in plain text to any user who happens to sit down at an unlocked computer.

Now to some of the silly supporters of this bizarre behavior:
If I have access to an unlocked user account, I can already: install keyloggers, corupt data, pwn their machine, rape their dog, etc...
Yes, yes you could. But just as there are different levels of security, there are different levels of "hackers". Not everyone out there is a l33t haxor who can own your PC with nothing more than a paper clip, a rubber band and an old FM radio. Security is also intended to stop "casual hackers". A "friend" who is just borrowing your browser for a few minutes. A neighbor who just dropped by and needs to check their email quickly. Your soon to be ex-spouse who wants to check up on what sites you've been visiting...etc. Having a UAC prompt / sudo prompt would at least stop these casual users from finding all your passwords in plain text.

If the browser stores the password, someone could just log onto the site and change it
Yes, but unless they: (1) validated the password change in email, (2) deleted the email notifying the user of password change, (3) changed the browser to have the new password stored, the user would likely notice the change pretty quick. I know I'd notice password changes of this type when my (a) phone, (b) laptop, (c) other PC all stopped being able to access the site that was changed.

People shouldn't store their passwords in the browser....they should use: [insert favorite password storage site here]
Agreed. But in this case, Google should just remove the feature and redirect the user to one of those sites.

The way they have it implemented is:
(a) stupid
(b) insecure
and
(c) dishonest as their messages imply that passwords are stored securely.

And their idiotic defense of this behavior makes me wonder if Google even bothers hiring security-aware people at all. It concerns me enough that even though I don't store passwords in any browser, I'm uninstalling Chrome when I get home. If they are this lax about basic password security, I am very worried about what other stupid security policies they have in Chrome.