Chrome's Insane Password Security Strategy
jones_supa writes "One day web developer Elliott Kember decided to switch from Safari to Chrome and in the process, discovered possibly a serious weakness with local password management in Chrome. The settings import tool forced the passwords to be always imported, which led Kember to further investigate how the data can be accessed. For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek at all the passwords in clear text very easily with a couple of mouse clicks. This spurred a lengthy discussion featuring Justin Schuh, the head of Chrome security, who says Kember is wrong and that this behavior of Chrome has been evaluated for years and is not going to change."
How about the fact that Chrome can import passwords stored in Safari to begin with?
So Safari has some security issues as well. Where is the "master key" to export passwords?
I guess the underlying message is that if you leave a computer unattended the information is accessible to anyone. E-mail, passwords, documents, MP3s, etc.
This is a convenience feature and 99% would rather have the convenience of cached web passwords on their personal computer than worry about something walking by.
Wearing pants should always be optional.
I'm sorry, but there is a dedicated area for my stuff -- on Windows it's Documents and Settings, and on UNIX it's the home directory. The actual program may not be user specific, but all operating systems have a "home" area specific to users. There are no valid technical reasons why this can't be made secure, other than either having no interest in doing it, or pandering to users who just want convenience.
This is just a piss-poor implementation of security, and it's why I don't trust a browser to retain passwords for me, and never have. I rank it right up there with giving Facebook my password so they can log into my email and find friends -- not happening, because I don't trust them with my password.
If this guy is the head of 'security' for Chrome, he's either incompetent at that, or Google as a general rule have a shitty idea about what security should be and he's of the opinion this is "good enough".
But since Google mostly just wants to collect all of your data, it may not be of value to them to lock it down in any meaningful way.
Lost at C:>. Found at C.