Chrome Security

Chrome's Insane Password Security Strategy

Posted by Unknown Lamer
from the passwords-for-password-locker dept.
jones_supa writes "One day web developer Elliott Kember decided to switch from Safari to Chrome and in the process discovered a possibly serious weakness in local password management in Chrome. The settings import tool forced the passwords to always be imported, which led Kember to further investigate how the data can be accessed. For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek at all the passwords in clear text very easily with a couple of mouse clicks. This spurred a lengthy discussion featuring Justin Schuh, the head of Chrome security, who says Kember is wrong and that this behavior of Chrome has been evaluated for years and is not going to change."
  • Firefox is the same (Score:3, Informative)

    by rHBa (976986) on Wednesday August 07, 2013 @12:34PM (#44498671)
    Firefox menu -> Preferences -> Security -> Saved Passwords -> Show Passwords
  • by haploc (57693) on Wednesday August 07, 2013 @12:37PM (#44498719) Homepage

    This functionality has been in both Chrome and Firefox for years now, so I don't see why people make a fuss about it only now.

    Either you don't give other people access to your user account, or you use a 3rd party password-protected keystore like Keepass, Lastpass, 1Password, with a separate (or even 2-factor) authentication.

  • by robmv (855035) on Wednesday August 07, 2013 @12:40PM (#44498763)

    Firefox has the option to protect saved passwords with a master password, and even if you have already unlocked the password store, you need to unlock it again in order to read passwords from the GUI.

  • by Anonymous Coward on Wednesday August 07, 2013 @12:42PM (#44498797)

    ../../Set Masterpassword

    face it : chrome sucks at security, but that's no big surprise.

  • by gQuigs (913879) on Wednesday August 07, 2013 @12:44PM (#44498829) Homepage

    So set a Master Password: []
    More here: []

    Almost no users actually use this: []
    "....can be solved somewhat with master password, but only 1 out of 12K users had master password enabled"

  • by Spazmania (174582) on Wednesday August 07, 2013 @12:57PM (#44499033) Homepage

    From TFA:

    The simple fact is that you need to lock your user account if you want to protect your information. If you don't do that, nothing else really matters because it's all just theater and won't actually stop anyone willing to invest minimal effort.

    And there it is. The bottom line. Kember demands that Chrome engage in security theater and the Chrome authors said no. As they should.

  • by The MAZZTer (911996) <megazzt@gmail . c om> on Wednesday August 07, 2013 @01:00PM (#44499103) Homepage

    I don't think people realize that

    1. The passwords are encrypted on disk.
    2. The key for the encryption (on Windows at least) is the user's account... so Chrome can transparently decrypt them as long as you're logged in, for user convenience, though in this case it gives the appearance of not being encrypted.
    3. Chrome MUST be able to store the passwords in a decryptable form so it can USE them, like you asked it to!
  • by AmiMoJo (196126) * <mojo AT world3 DOT net> on Wednesday August 07, 2013 @01:09PM (#44499237) Homepage

    I just checked and Chrome keeps my passwords in a file under "C:\Users\\AppData\Local\Google\Chrome\User Data\Default". This directory is permission locked to me only. Even other admins can't access it unless they add permissions manually.

    As far as I can tell Chrome does use filesystem level security to protect individual user's passwords.
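    The two mechanisms described in the comments above (DPAPI encryption keyed to the logged-in Windows account, and the NTFS permissions on the profile directory) can both be checked directly. The PowerShell below is an added example written for this page; it is not code from the thread, from Chrome, or from Google. It assumes a Windows machine, the .NET System.Security assembly, and a Chrome profile at the default location under %LOCALAPPDATA% named in the comment above. The secret value is constructed for the demonstration.

```powershell
# Added example: not from the Slashdot thread or from Chrome itself.
# Part 1 - DPAPI user-scoped protection, the mechanism MAZZTer's comment describes.
# Part 2 - NTFS ACL on the Chrome profile directory, the check AmiMoJo's comment describes.

Add-Type -AssemblyName System.Security   # needed on Windows PowerShell 5.1; harmless on PowerShell 7

function Protect-WithDpapi {
    param([string]$Secret)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    # CurrentUser scope: the blob is tied to this Windows account's DPAPI master key.
    [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-WithDpapi {
    param([byte[]]$Blob)
    # Succeeds without any prompt for the same logged-in user; run under a different
    # account it throws a CryptographicException, because that account's master key
    # cannot decrypt this blob. This is the convenience/exposure trade-off at issue.
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample value, not a real credential.
$blob = Protect-WithDpapi -Secret 'constructed-sample-secret'
"On disk the value is an opaque {0}-byte blob, not readable text." -f $blob.Length
"The same user session decrypts it transparently: {0}" -f (Unprotect-WithDpapi -Blob $blob)

# Part 2: which principals have an ACL entry on the Chrome profile directory?
# Location assumed to be Chrome's default, as quoted in the comment above.
$profileDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
if (Test-Path -LiteralPath $profileDir) {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    "Current account: $me"
    (Get-Acl -LiteralPath $profileDir).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
    # Every Allow entry for a principal other than your own account and SYSTEM is an
    # account that can reach the encrypted blobs; verify the actual ACL on your own
    # machine rather than assuming the profile directory is restricted to you.
} else {
    "No Chrome profile found at $profileDir (assumed default location)."
}
```

    The ACL listing is only half of the picture: the DPAPI blob is useless to another account even if it can read the file, while the same account reads it freely, which is exactly why the thread keeps returning to "lock your user account" as the real control.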

  • by bmk67 (971394) on Wednesday August 07, 2013 @01:34PM (#44499669)

    If only such a thing existed...

    Oh, wait. It does. []

  • by AliasBackslash (2719011) on Wednesday August 07, 2013 @01:38PM (#44499759)

    LastPass does exactly this.

  • by icebike (68054) on Wednesday August 07, 2013 @02:09PM (#44500201)

    How many people use separate log-ins for the "Family" computer that stays on most of the time? Not very many I'd imagine,

    More than you imagine, because teenagers insist upon it.

    And in reality, it's by far the easiest thing to set up, and the easiest thing to do.

    Just select the Switch User button, and you are out of your account, ready for the next person to use it,
    and it's as secure as your computer's OS is (which might not be all that secure, but that's another issue).

  • by LordLimecat (1103839) on Wednesday August 07, 2013 @03:08PM (#44501085)

    Chrome's security tech lead gives a pretty good answer here: []

    Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

    People worried about the security of this are worried over the wrong things. Firefox's master password would do absolutely nothing to stop a dropped-in extension from monitoring webpages for when passwords are filled, grabbing the filled form-data, and storing it in the extension's own preferences; and that wouldn't even take a background process, admin privileges, or really anything more than the ability to drop a file in the firefox profile.

    I would be willing to place a large bet that in any scenario that would allow me to recover Chrome or Safari passwords, I would also be able to recover firefox passwords that are locked with a master password, within a reasonable amount of time. As has been said many many times, anything that tries to protect against a malicious user with access to your user session is pure security theatre.

  • by pthisis (27352) on Wednesday August 07, 2013 @03:22PM (#44501309) Homepage Journal

    Exactly. Mozilla's email client Thunderbird also uses a Master Password to unlock the view-ability of the stored passwords.

    Chrome uses the same core OS key storage that Firefox/Thunderbird does, and encrypts with the same master password--if I save a password in Firefox, it's available in Chrome and vice-versa. Both use kwallet on KDE, gnome-keyring on Gnome platforms, keychain access on the Mac, etc.

    You can lock access to view them however the OS does so (e.g. with gnome, either Applications->Settings->Passwords and Keys, and select "Lock passwords", or from the command line, and gnome automatically locks them when your screensaver locks; on KDE it's the "Wallet Manager", I forget which menu it's under; on the Mac it's Utilities->Keychain Access, and click the little lock at the top of the keychain to lock/unlock). All 3 of those systems default to using your login password and automatically unlocking the keychain when you log in, but you can set the password separately (and be prompted to unlock it when you go to use it) if you want.

    The problem here is that Windows' password management doesn't offer a reasonable alternative, but that's not Chrome's fault.

    For those who insist on saying that chrome's security method is good enough consider this: How many people use separate log-ins for the "Family" computer that stays on most of the time? Not very many I'd imagine, just too much trouble for most to deal with. This means that both other family members as well as house guests can casually access all those passwords in no time.

    a) Lock your passwords when you turn over the computer

    b) You don't actually need to log in and out all the time to use separate accounts on the communal machine. Mine is usually sitting there logged into a guest account that everyone can use, with a browser running as the guest. I'll also use it if I'm just looking something up on IMDB or googling/wiki'ing a quick question or whatever. There's a button on the menubar to "Run browser as..." with options for me and each of my family members, which prompts for the user's password and then runs a browser as them--if I need to check email or pay a bill or something, that browser's got my info but it's not available from the guest account/browser. That covers the vast majority of cases, you just need to remember to close your browser when you're done with it.

    For more complicated stuff, I pop over to VT8, log in, do what I need to do, and pop back. If I'm in the middle of something and someone needs to use the machine briefly, I can lock my terminal and switch back to the guest terminal for a few minutes, then switch back and unlock my screen without really disrupting anything.
