Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome's Insane Password Security Strategy

Posted by Unknown on from the passwords-for-password-locker dept.

jones_supa writes "One day web developer Elliott Kember decided to switch from Safari to Chrome and in the process, discovered possibly a serious weakness with local password management in Chrome. The settings import tool forced the passwords to be always imported, which lead Kember to further investigate how the data can be accessed. For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek all the passwords in clear text very easily with a couple of mouse clicks. This spurred a lengthy discussion featuring Justin Schuh, the head of Chrome security, who says Kember is wrong and that this behavior of Chrome has been evaluated for years and is not going to change."

6 of 482 comments (clear)

  1. Re:This is also the case on Firefox by robmv · · Score: 5, Informative

    Firefox has the option to protect saved passwords with a master passwords and if you already unlocked the password store, in order to read password from the GUI, you need to unlock it again

  2. Re:Firefox is the same by Anonymous Coward · · Score: 4, Informative

    ../../Set Masterpassword

    face it : chrome sucks at security, but that's no big surprise.

  3. Re:This is also the case on Firefox by gQuigs · · Score: 5, Informative

    So set a Master Password: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins
    More here: http://kb.mozillazine.org/Master_password

    Almost no users actually use this: http://monica-at-mozilla.blogspot.com/2013/02/cant-live-with-them-cant-live-without.html
    "....can be solved somewhat with master password, but only 1 out of 12K users had master password enabled"

  4. Re:Firefox has done this for years by The+MAZZTer · · Score: 5, Informative

    I don't think people realize that

    1. The passwords are encrypted on disk.
    2. The key for the encryption )on Windows at least) is the user's account... so Chrome can transparently decrypt them as long as you're logged in, for user convenience, though in this case it gives the appearance of not being encrypted.
    3. Chrome MUST be able to store the passwords in a decryptable form so it can USE them, like you asked it to!
  5. Re:This is also the case on Firefox by AmiMoJo · · Score: 4, Informative

    I just checked and Chrome keeps my passwords in a file under "C:\Users\\AppData\Local\Google\Chrome\User Data\Default". This directory is permission locked to me only. Even other admins can't access it unless they add permissions manually.

    As far as I can tell Chrome does use filesystem level security to protect individual user's passwords.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. Re:This is also the case on Firefox by bmk67 · · Score: 5, Informative

    If only such a thing existed...

    Oh, wait. It does.

    http://lastpass.com/