Chrome's Insane Password Security Strategy
jones_supa writes "One day web developer Elliott Kember decided to switch from Safari to Chrome and in the process, discovered possibly a serious weakness with local password management in Chrome. The settings import tool forced the passwords to be always imported, which led Kember to further investigate how the data can be accessed. For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek at all the passwords in clear text very easily with a couple of mouse clicks. This spurred a lengthy discussion featuring Justin Schuh, the head of Chrome security, who says Kember is wrong and that this behavior of Chrome has been evaluated for years and is not going to change."
I know it has been discussed many times to password lock access to stored passwords, though because browsers are not user-specific, this has not been done.
Solution: If security is important to you, don't be lazy.
We should learn what we need to know about issues, before we decide what we need to feel about them.
If you save your passwords in Firefox, you can obtain them, in plain text, by going to preferences, security, and saved passwords. Similar functionality is available in Internet Explorer. Safari is the only browser, that I know of, that asks for an account password before revealing the contents of the key chain password manager, but, with a little javascript, this security check can be easily bypassed.
The solution is to never hand anyone access to your operating system user account. Understanding and using OS user accounts and browser profiles, which Google Chrome includes an option for, would solve this “problem.”
On a side note, if other browsers are barely more secure or just as "bad" as Chrome, why is Chrome being singled out? When did it become fashionable by some in the tech community to attack Google?
Firefox menu -> Preferences -> Security -> Saved Passwords -> Show Passwords
I have taken advantage of it to post on friend's Facebook pages. Why the sudden interest in this ability on Chrome?
If your browser can read the passwords and use them on the web, so can a local user. No surprise. Unless you set a master password (Firefox offers this, not sure about Chrome), there's no way to fix this. It's just how computers work.
Saved passwords have always been stored in a way that they can be recovered easily.
By definition, saving passwords will always be insecure, unless the program has a way to encrypt them using another key provided by the user.
They MUST be recoverable to be of use, because the plain text password must be available to the program for transmission to the web page.
This functionality has been in both Chrome and Firefox for years now, so I don't see why people make a fuss about it only now.
Either you don't give other people access to your user account, or you use a 3rd party password-protected keystore like Keepass, Lastpass, 1Password, with a separate (or even 2-factor) authentication.
How about the fact that Chrome can import passwords stored in Safari to begin with?
So Safari has some security issues as well. Where is the "master key" to export passwords?
I guess the underlying message is that if you leave a computer unattended the information is accessible to anyone. E-mail, passwords, documents, MP3s, etc.
This is a convenience feature, and 99% would rather have the convenience of cached web passwords on their personal computer than worry about someone walking by.
Wearing pants should always be optional.
If Chrome is going to enter your password for you, it has to know your password. This simple requirement ultimately means that any attempt to obfuscate the stored password is going to be trivial to overcome by anyone who has physical access to the box, unless you're flat out encrypting them with another password that the user would have to enter to decrypt them, and at that point, we've pretty handily defeated the purpose of storing passwords (because let's face it, it's not like you're going to want to do this EVERY time you need to autofill a password, so we're just going to do it once and then leave the db unlocked), so you may as well just remember your passwords and enter them manually in the first place.
If someone has physical access to my (unlocked) account I'm doomed anyway - he/she could install all sorts of backdoors or keyloggers trivially.
Pretty easy these days, you can set up a master password on the page where you access the plain text passwords. Most people don't do this though, and do use the remember my login feature. Really it should be one of the first things it gets you to do when you set up the browser.
The main argument seems to be that if a malicious user is able to access the unlocked operating system then, one way or another, they're going to be able to retrieve the stored passwords. While this may be true, that doesn't mean it should be made so easy that my grandmother could stumble across my entire list of saved passwords by accident.
I don't use Chrome much, but is there a master password that you can set?
If there is no master password, then no matter how the data is stored, it's as safe as plain text anyway. Even with master password, dictionary attacks will get you quite often.
And you can transfer/import/export the data encrypted with master password between different installations without decrypting it.
--Coder
I've seen this on several sites, is this news to anyone?? Did you miss it many years ago when this was added? You know what, when someone is physically on my machine while it's logged in, they can also send emails from my account!! It's just right there ready to go! We need to do something about this!
If it really bothers you, encrypt your browser's settings files with your operating system's filesystem encryption feature.
Anybody notice Justin's LinkedIn profile? See any interesting prior employers? You guessed it.
look down on web developers.
Why complain about this? If you're storing your passwords in your browser, I'm not sure how this qualifies as being significantly worse -- they can already just sit down at your browser and change your passwords, which is worse since it locks you out of your own account.
Just don't save passwords if you can't secure your workstation, I think is common sense.
I was crazy back when being crazy really meant something. (Charles Manson)
With the recent leaks about how Google cooperates with government surveillance, I almost wonder if blatant weaknesses like this are by design. Sad when what should be outlandish conspiracy theories sound tame compared to what it's revealed they're already doing.
Passwords have to be stored in a decryptable form, because the browser needs them decrypted to fill in the password fields or to respond to HTTP authentication responses. That means that any malware with access to the browser can get those passwords in decrypted form too. A master password doesn't help, the malware can just get the passwords after I've entered the master password to decrypt them for use (assuming it can't just get the master password when I enter it). The only thing encrypted password storage really protects against is someone with access to the physical storage media but not the running system, or essentially stolen mobile devices (phones or laptops). On those you probably shouldn't be storing passwords at all, because any reversible encryption is too easy to crack using off-line attacks with modern hardware.
It's similar to my objection to the old "don't write down your passwords" thing: the risk of a remote attack against easy-to-remember passwords is much higher than the risk of an attacker physically getting into the locked drawer of my desk in the locked area of the secured and patrolled building my office is in, and if the attacker has gotten into the locked drawer in my desk I've got much bigger security worries and the attacker has much juicier targets he can go after.
Title should read: "Elliott Kember's Insane Password Security Strategy"
Seriously, why are you storing passwords, at all? Unless you're storing them on in an encrypted space of some kind that requires two-factor authentication you shouldn't be storing passwords at all (and even then I really question your sanity).
Maybe it's that I've never imported passwords from another browser, but going to chrome://settings/passwords as suggested doesn't show any plain text passwords for me. It only shows a few sites anyway on this machine. I'm fairly sure Chrome on my Linux box at home is using a different method, since Chrome prompts for my password file password just for opening up the browser, because I have the password file password different from my login password.
New Dev Team: "The password for automatically accessing the remote server is in plain text!!! We need to encrypt it to make things more secure!!!!"
Old Dev Team: "But it is only root readable. And where will the keys for this encrypted password be stored?"
New Dev Team: "We'll put them somewhere only root can get to."
Old Dev Team: "How does an extra layer of work for us make things more secure?"
New Dev Team: "It's encrypted!"
Old Dev Team: "You suck."
Maemo's messaging app stores passwords in a plaintext file, some users found it and wanted it obfuscated to at least make them non-trivial to retrieve. The Maemo devs argued that obfuscation would be better at lulling users into a false sense of security about what is stored than thwarting those who want to access it maliciously.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Start locking your computer when you walk away from it.
No, I will not work for your startup
It would be less trivial if one had something like the Android model where each application (with some exceptions) stores (some of) its data as a separate user, and without root privileges, one can't access the data for the application except by the methods provided by the application.
Yeah, I use it for sites I don't care about losing the password to, like my account needed to comment on Popular Science or Gawker sites; I don't really care if they are compromised. Slashdot's password is not saved and neither is my email accounts' password. A large problem is that every site under the sun wants you to register an account just to make one comment, so people's minds become inundated trying to remember dozens of passwords they rarely ever use.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Google's rationalization that the system is already insecure if someone else has physical access to it is absurd. That's like saying it's ok for a bank to leave everyone's money on the counter overnight because if someone breaks in then that same person can easily break into the vault, which is obviously not the case. Computer systems should have multiple levels of protection as well.
... will be that the user can tamper with the SSL root certificates (or just add her own) and trick Chrome into giving up the password to a locally-hosted web server presenting an apparently-valid cert for the target domain.
In order to remedy this, Chrome must adopt the policy of asking the server to pinky-swear that they are really the named entity.
Actually, the passwords ARE encrypted with another master password, so you already have your best-security scenario. You just never have to enter it (at least on Windows) because Windows uses your session logon information to decrypt the passwords. Not logged on? Your passwords are secured. Yay!
And where do you keep the private key? Inside the distributed Chrome binary? That's locally accessible.
I'm out of my mind right now, but feel free to leave a message.....
Done.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
There are things like private/public key encryption you know.
Apparently you need to think about this a bit more. How exactly is Chrome supposed to decrypt a password without storing the secret that allows it to do so on the same machine/account? Even if the password is encrypted with an asymmetric key, the corresponding key must be stored where Chrome can access it to decrypt the password(s).
-- Humans, because the hardware IS the software.
And your super secure scheme is WHAT?
List of passwords under the lamp?
Single common password
Single common password with a site specific appendage?
Log into every site via the oh-so-secure Facebook authentication proxy?
Log into only Slashdot and always post as AC?
Sig Battery depleted. Reverting to safe mode.
Easier fix.. don't click the "Save my password" button... yeah it's hard to remember them all, but you know what, saving your password anywhere is a major security problem. This is no different than having your password on a post-it note stuck under the keyboard...
and in a shared computer situation... you're just asking for trouble saving your password...
It's a lazy solution to a problem that nobody has really come up with a good fix for: remembering passwords to various sites. Heck, for infrequently used sites, I tend to just click "I forgot my password" and get a new one emailed to me. For more frequently used sites, I have a mental package of 10 passwords that it could be. I know them all by heart, and I cycle through them. Usually I'll remember which one is for which site.
But what about typing hundreds of passwords?
Once you have more than a few, you resort to a crutch of some sort.
Here's a crutch. Just paste it to something like safepassword.sh in /usr/local/bin or similar:
#!/bin/bash
# script: safepassword
# this script depends on sha512sum, xxd, tr and sed
if [ "$2" = "" ]
then
    echo "usage: safepassword constant_key password_purpose"
    echo "  where constant_key is a string of printable non-whitespace characters,"
    echo "  and password_purpose is a memorable string related to the purpose of"
    echo "  the password, e.g. a website address. Since the script removes any"
    echo "  characters outside 0-9 a-z A-Z it is possible that the password will"
    echo "  be too short in some cases."
else
    # hash "key-purpose", turn the hex digest back into raw bytes, keep only the
    # printable characters, then strip everything outside 0-9 a-z A-Z
    echo -n "$1-$2" | sha512sum | xxd -r -p | tr -cd '[:print:]' | sed -e "s/[^0-9a-zA-Z]//g"
    echo
fi
The script is indented, but stupid slashcode ignores characters.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
First off, the main issue is obviously a problem with Safari.
But in general, that is how all browsers do it. How is this news?
Troll is not a replacement for I disagree.
... Chrome is able to use the KDE password wallet if present, which is protected under a master password. (I assume it can use the GNOME equivalent too). If so, Chrome won't save anything itself, so on that count at least, you're safe.
That said, I would recommend using a service like LastPass anyway, so the problem is taken entirely out of the hands of the browsers.
-- B.
This sig does in fact not have the property it claims not to have.
Yeah, I get the basic argument: the browser needs to be able to decrypt passwords somehow when needed, which means either a password-encrypting-password thing or punting responsibility down the stack.
In many operating systems there are secure ways of doing precisely this. Use the underlying operating system's keychain where available, such as the Windows credential store (sorry, XP users). The credential store is at least protected by the user's security context, and by syskey if the non-default setting is used. On shared computers this will at the very least keep a user's password stash safe from other users. It can also keep the user's password stash safe in the event their computer is stolen.
It is easy to make the argument that in the real world doing x may practically offer little benefit, but it is easy to be lazy. There is no harm in over-delivering and under-promising. Tell the user their stored passwords are insecure AND at least try to do the right thing anyway.
Sheesh. Auto-fill is NOT showing you the passwords. Granted, with a little work you could probably capture it as it is moved from browser store to web page password field, but that's a serious level of escalation compared with Chrome just saying "here's the unencrypted passwords for all stored passwords". Firefox has the ability to lock down the display of unencrypted passwords with a master password. Chrome doesn't, apparently.
Very very different things.
People in cars cause accidents....accidents in cars cause people
can peek all the passwords in clear text very easily with a couple of mouse clicks
It takes at least 3 clicks with Firefox.
I'm an American. I love this country and the freedoms that we used to have.
There are things like private/public key encryption you know.
Yes, and if you understood how public key encryption works, you'd realize its existence is not relevant to the discussion at hand. It has no useful function here. (Note: your "master password" is not a private key of this sort -- no hand entered password ever could be... unless you're Lt. Cmdr. Data.)
"Convictions are more dangerous enemies of truth than lies."
I am disappointed to see that this non-story has made the front page of Slashdot. I don't want to echo all the comments made here already, but I completely agree that:
It has always been this way in Chrome
Firefox does it too (with the option of Master Password to "protect" it)
Firefox's protection is Security Theater
The author comes across as fairly clueless
The real place to secure this is at the user login, since it involves physical access. There are a million other nasty things someone can do if they are sitting in front of my PC unlocked.
So I will parrot: why is this news?
Anyone who can log in to your unix/linux account (or anyone who can read your ~/.ssh folder, if you are dumb enough to leave it group/world readable) can steal your ssh keys and pretend to be you and log in to all machines in the known hosts file.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
If the attacker has physical access to my machine in a logged-in state, tell me how any kind of master password or encryption scheme is going to keep him out of my data, including anything on my local hard drive, or any web-hosted services that have a cached credential? The barn door's already opened, fellas.
Besides which, any "solution" such as storing passwords offsite, encrypting, etc. will also require the user to take definitive action to open and close the password repo. The problem is our user can't/won't be bothered with taking action to secure his access, so that solution is no solution.
Google's right on this one.
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
Currently I am able to log in and out of gmail on a friend's laptop without any (reasonable) fear that my email will keep living on that machine (and is unencrypted). Obviously keyloggers etc could grab my password, but let's assume I'm not _that_ paranoid.
I do not have this option with the Chrome browser itself. At best, I can log into Chrome (and am encouraged to do so at first startup) and at the end of the session, I can delete the profile (rm -rf .config/google-chrome). This certainly deals with the problem, but is pretty clunky. There should be a login / logout feature for the browser, not just my email.
Compare this to Chrome OS. Here the functionality is built in; you don't have to delete your user account at the end of every session. Encrypted files are stored on the local drive which you can then access the next time you log in. It's quick and painless. This needs to be built into the standard Chrome browser.
Firefox has the option to protect saved passwords with a master password, and even if you already unlocked the password store, in order to read a password from the GUI you need to unlock it again.
Exactly. Mozilla's email client Thunderbird also uses a Master Password to unlock the view-ability of the stored passwords.
For those who insist on saying that Chrome's security method is good enough, consider this: How many people use separate log-ins for the "Family" computer that stays on most of the time? Not very many, I'd imagine; just too much trouble for most to deal with. This means that both other family members as well as house guests can casually access all those passwords in no time.
Even if you do use different log-ins, consider this type of common scenario: Your son or daughter has a "friend" over and they are cruising the web on her account doing whatever. Say that they are reading some news item or article together when the daughter gets up to go to the bathroom. Do you think for one second that she is going to lock the computer and force her friend to wait to finish what she is doing? No. Her "friend" will then be able to casually and quickly access all those passwords and type them into her iPhone for safe keeping before your daughter gets back. She now pwns your daughter's Facebook account, bank account, cellphone account and who knows what else.
How can anyone with a straight face say that is an acceptable security method? The fact that my open source email client has an easily usable default master password system proves that it is something that Chrome could easily implement as well; hell, just copy the open-source code from Thunderbird if you need to...
To be quite frank; when I think of Google or Microsoft "my security" is not something I honestly expect from them, and this newest revelation just further confirms that perception.
http://i.imgur.com/pjBHjW0.png
Maybe they can't make it locked down tight enough for a hacker or someone who's determined to get at your passwords, but then they don't need to abandon that effort. They've basically said "We can't make it super secure so we're leaving the door wide open instead". You forget to lock your work machine when you go to the bathroom and the guy in the next cubicle can read all of your passwords in seconds, without any hacker knowledge or skill whatsoever.
How is this "you can get a cleartext password in a couple of clicks" is different from, say, kdewallet? With physical access to unlocked wallet you can also ask it to display the cleartext password. This actually helped me once when I forgot my sf password having relied on kdewallet for a while and then I had to retype it on another box.
VKh
You can access passwords in cleartext out of LastPass, as well.
And let's not forget, it is always about convenience over security at some point. Using the master password in Firefox is actually ok for basic stuff so the AC is just being a snob here.
Having said that, icebike you should check Keepass with Keefox. It is really good, and there are ways to make it work among multiple machines. Plus in my case I store the key file (which you need to decrypt the password db with your master password) on a flash drive that I carry with me. Best setup I have found so far.
It's a couple of mouse clicks, for each password, after doing this.
I actually used the "Show Passwords" feature quite frequently. Certain sites seem to like blocking auto-complete of username and password fields (mainly banks, I've found). These sites also tend to have the most archaic password policies, where my standard password (which I append with a site-specific suffix, as per recommended security practice) cannot be used because it contains non-alphanumeric characters.
So it's a password I cannot remember, and while Firefox remembers the password it is being blocked from filling it out for me. I used to go in, look up the password, and copy-paste it in. Now I've moved away from it (found a JS bookmarklet that forces autocomplete on), but I still remember exactly how to do it. And you know what? It has to be more secure than constantly resetting the password and getting it emailed to me.
You know what's worse? I actually tried to have three-tiered passwords. A simple one used for places where it can be compromised without impacting me, a more complex one for standard usage, and a fiendishly-complex one I was going to use for the most important things: root logins to servers and banking passwords. Sadly, my twenty-plus-character, mixed-case-with-numbers-and-symbols non-dictionary superpassword is rejected by every bank I've ever used, so all it's securing right now is direct root access to my BSD box.
I'm sorry but I fail to see how it is a sane design to have something that can be so easily abused. Storing passwords per se is the way to go these days with so many websites and things to remember. The last thing you want to do is use the same password for lots of things. After reading some of the comments I realized that one of the worst case scenarios is having a laptop stolen and then the thief also gains easy access to all your information, especially if your security relied on a Windows login password.
Others: you've modded this driven insightful? For shame.
AC: You should call LastPass and patiently explain to them why nobody will pay them money for their password manager, because this is exactly what it does. Well, 'exactly' with the exception that you can set it to remember your master password until you close the browser session and/or are idle for a specified time and/or (implicitly) log off. Sort of addresses that "EVERY time you need to autofill a password" thing.
After all, if you memorize one password you may as well just memorize all of them and enter them manually in the first place... there's no convenience at all in memorizing just a handful.
You do realize that it is extremely easy to crack Windows user accounts passwords?
anyone with physical access can peek...
pretty much everything he wants/like.
'Nuff said...
No, actually, Obligatory XKCD Citation(TM)
Sure, it's shocking for someone who thought their passwords were safe in Chrome to realize that they're visible with four clicks. But the real issue is that Chrome passwords aren't really stored safely. If you get a virus on your system, it has full access to the passwords.
Honest question: why doesn't Chrome implement something similar to KeePass or LastPass? Is there some technical reason? Is it astoundingly difficult? Does it not actually provide additional security against malware?
You cannot protect any data even if you lock your OS account. It is very easy to change system passwords, and really ask yourself: if you had important information on a sheet of paper, would you just leave it in a drawer easily accessible by anyone when you are not there, or would you lock it with a key?
Is this true on Windows implementations of Safari as well? What OS service is used?
When I click Tools -> Options -> Security -> Saved Passwords -> Show Passwords -> Yes
All my saved passwords are displayed for all to see.
That's the default.
The master password is opt-in and never mentioned unless you poke around in the settings.
Where the hell is the fire? Browsers like Firefox have LONG stored passwords with a button to click to reveal said password. And they kept on making Twinkies the whole time. Holy creme-like filling!
So along comes somebody who has apparently never seen this before and wow, they have stopped making Twinkies this is so serious! Except, well, it's not. And the Twinkies are back. More or less.
The fix for this is easy: don't store passwords in the browser. I know, DOH! And if you do, don't let other people use your browser. And if you do, then use a password manager, which aside from being cross-platform and mostly free, do a hella better job of inventing good passwords for you and keeping you from using the same passwords all over the internet, because remember, you don't have to worry about your OWN security. You also have to worry about the security of EVERY site where you use a password. If you use the same password and user combo everywhere, or even one that appears to be a pattern, then you are basically asking for trouble when some forum gets hacked and your password turns out to be pass+websitename=supersecretpass. Simple patterns for you to remember are also simple to reverse engineer. So don't do that. Quit whining and get a password manager. And use it right.
The burden is on YOU to wisely manage your passwords, the quality of said passwords, and who has access to them. Does not matter which browser or OS you use. Don't be a stump and try to pin responsibility anywhere other than between chair and keyboard.
Sig for hire.
Bu bu bu but! It's a BUTTON! You have to click it! It's in the EULA and also comes with the combo meal. Buttons must be clicked! Which rhymes with wicked.
Easier fix.. don't click the "Save my password" button...
Sig for hire.
Note: your "master password" is not a private key of this sort -- no hand entered password ever could be
What makes key stretching to generate keys from passphrases an invalid technique?
Generate the encryption key from a master password that the user reenters at the start of each browsing session, and never write that key to the file system.
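The scheme the two comments above describe (stretch a master password into the store key at the start of a session, keep that key only in memory, never write it to disk), as an added example that is not code from the original thread or from any browser. It assumes its own constructed sample store, a demo iteration count, and PBKDF2-HMAC-SHA256 written out by hand so nothing outside the Go standard library is needed. What it protects is the on-disk form (the stolen-laptop case): once the store is unlocked, anything running in the same session can still read the decrypted bytes, exactly as an earlier comment points out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Demo parameters: assumptions for this example, not any browser's real values.
const (
	saltLen    = 16
	iterations = 100000 // key stretching: each guess at the master password costs this many HMACs
	keyLen     = 32     // AES-256
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out by hand so
// the example needs nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	var idx [4]byte
	for i := 1; len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// SealedStore is the only thing written to disk: random salt, random nonce and
// AES-GCM ciphertext. Neither the master password nor the derived key is in it.
type SealedStore struct {
	Salt, Nonce, Ciphertext []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the plaintext password store under a key stretched from the
// master password. The key is a local value and is gone when Seal returns.
func Seal(masterPassword string, plaintext []byte) (*SealedStore, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := newAEAD(pbkdf2SHA256([]byte(masterPassword), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The salt is bound in as associated data so it cannot be swapped unnoticed.
	return &SealedStore{Salt: salt, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, salt)}, nil
}

// Unlock re-derives the key at the start of a session and decrypts the store
// into memory only. A wrong master password fails GCM authentication instead
// of yielding garbage, and the decrypted bytes are never written back to disk.
func Unlock(masterPassword string, s *SealedStore) ([]byte, error) {
	aead, err := newAEAD(pbkdf2SHA256([]byte(masterPassword), s.Salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, s.Nonce, s.Ciphertext, s.Salt)
	if err != nil {
		return nil, errors.New("wrong master password or tampered store")
	}
	return pt, nil
}

func main() {
	// Constructed sample store, the kind of thing a browser holds for two sites.
	store := []byte("example.com: hunter2\nbank.example: correct horse battery staple\n")
	sealed, err := Seal("my master passphrase", store)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %d-byte salt, %d-byte ciphertext\n", len(sealed.Salt), len(sealed.Ciphertext))
	pt, _ := Unlock("my master passphrase", sealed)
	fmt.Printf("unlocked in memory for this session:\n%s", pt)
}
```

The iteration count is what turns the "dictionary attacks will get you quite often" objection into a cost: an offline guess against the stolen file has to pay all of those HMACs per candidate, while the legitimate user pays them once per session. Binding the salt as associated data means a swapped or corrupted store is rejected outright rather than silently decrypting to junk.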
Compromised user account has access to all user's data! Film at 11.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
The embedded Flash plugin was a disaster. Pages still display incorrectly. Scripts still run incorrectly. It's still a privacy catastrophe. Then they store passwords in plaintext and stand by it? I swear, Microsoft's Windows 8 team designed Chrome as one giant troll or something.
Sorry, I agree with the OP. One "other way" to keep track of passwords is simply to memorize them. But, since memory is often a "use-it-or-lose-it" proposition, forcing yourself to use the password will help refresh your memory.
And there will be accounts which you will use rarely. E.g. when most of your finances are "automated" like they should be, logging on to banking website may be rare - say once a month. There could be some important email accounts which are used rarely.
A password used once, a month ago, is not very likely to be recalled easily.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
What happens when an Apple troll writes an effective piece of link bait, and a bunch of people who don’t know any better fall for it... The Chromium FAQ explains why local attacks aren't in Chrome’s threat model. Passwords can be accessed as easily in Firefox, and passwords in Internet Explorer and Safari can be hacked out in under a minute with a little JavaScript. Google's "go-to" argument is right. If you're worried about security, don't share your operating system user profile. Understanding and using OS user profiles would solve this “problem.”
Both FF and Chrome have decrypted access to your passwords. Just that FF doesn't for the first 3 seconds you start the program, before you punch in your Master password. I see why Google would simply let it be visible, since it's there anyway, but I really do believe that Elliot's core statement is right: the people that hack into your computer or get around your security aren't the people who are going to be using your laptop or desktop. It's the soon to be ex-husband or your daughter's friend or your son in a fit of anger after you cut off his cell phone. Simply requiring your Google account password to access that page would be more than enough to dissuade an entire sector of would-be opportunists. I don't lock my office, but I do close the door, and Google doesn't see how there's a difference because in terms of security there isn't, but in terms of actual property loss over 15 years, there is a real world difference.
Problem solved. All arguments to the contrary will be filed in the circular filing cabinet.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.