Chrome's Insane Password Security Strategy
jones_supa writes "One day web developer Elliott Kember decided to switch from Safari to Chrome and in the process, discovered possibly a serious weakness with local password management in Chrome. The settings import tool forced the passwords to be always imported, which led Kember to further investigate how the data can be accessed. For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek all the passwords in clear text very easily with a couple of mouse clicks. This spurred a lengthy discussion featuring Justin Schuh, the head of Chrome security, who says Kember is wrong and that this behavior of Chrome has been evaluated for years and is not going to change."
I know it has been discussed many times to password lock access to stored passwords, though because browsers are not user-specific, this has not been done.
Solution: If security is important to you, don't be lazy.
We should learn what we need to know about issues, before we decide what we need to feel about them.
Firefox menu -> Preferences -> Security -> Saved Passwords -> Show Passwords
If your browser can read the passwords and use them on the web, so can a local user. No surprise. Unless you set a master password (firefox offers this, not sure about chrome), there's no way to fix this. It's just how computers work.
Saved passwords have always been stored in a way that they can be recovered easily.
By definition, saving passwords will always be insecure, unless the program has a way to encrypt them using another key provided by the user.
They MUST be recoverable to be of use, because the plain text password must be available to the program for transmission to the web page.
This functionality has been both in Chrome and Firefox for years now, so I don't see why people make a fuss about it only now.
Either you don't give other people access to your user account, or you use a 3rd party password-protected keystore like Keepass, Lastpass, 1Password, with a separate (or even 2-factor) authentication.
How about the fact that Chrome can import passwords stored in Safari to begin with?
So Safari has some security issues as well. Where is the "master key" to export passwords?
I guess the underlying message is that if you leave a computer unattended the information is accessible to anyone. E-mail, passwords, documents, MP3s, etc.
This is a convenience feature and 99% would rather have the convenience of cached web passwords on their personal computer than worrying about something walking by.
Wearing pants should always be optional.
If Chrome is going to enter your password for you, it has to know your password. This simple requirement ultimately means that any attempt to obfuscate the stored password is going to be trivial to overcome by anyone who has physical access to the box, unless you're flat out encrypting them with another password that the user would have to enter to decrypt them, and at that point, we've pretty handily defeated the purpose of storing passwords (because let's face it, it's not like you're going to want to do this EVERY time you need to autofill a password, so we're just going to do it once and then leave the db unlocked), so you may as well just remember your passwords and enter them manually in the first place.
Pretty easy these days, you can set up a master password on the page where you access the plain text passwords. Most people don't do this though, and do use the remember my login feature. Really it should be one of the first things it gets you to do when you set up the browser.
I've seen this on several sites, is this news to anyone?? Did you miss it many years ago when this was added? You know what, when someone is physically on my machine while it's logged in, they can also send emails from my account!! It's just right there ready to go! We need to do something about this!
Why complain about this? If you're storing your passwords in your browser - I'm not sure how this qualifies as being significantly worse -- they can already just sit down at your browser and change your passwords - which is worse since it locks you out of your own account.
Just don't save passwords if you can't secure your workstation, I think, is common sense.
I was crazy back when being crazy really meant something. (Charles Manson)
Passwords have to be stored in a decryptable form, because the browser needs them decrypted to fill in the password fields or to respond to HTTP authentication responses. That means that any malware with access to the browser can get those passwords in decrypted form too. A master password doesn't help, the malware can just get the passwords after I've entered the master password to decrypt them for use (assuming it can't just get the master password when I enter it). The only thing encrypted password storage really protects against is someone with access to the physical storage media but not the running system, or essentially stolen mobile devices (phones or laptops). On those you probably shouldn't be storing passwords at all, because any reversible encryption is too easy to crack using off-line attacks with modern hardware.
It's similar to my objection to the old "don't write down your passwords" thing: the risk of a remote attack against easy-to-remember passwords is much higher than the risk of an attacker physically getting into the locked drawer of my desk in the locked area of the secured and patrolled building my office is in, and if the attacker has gotten into the locked drawer in my desk I've got much bigger security worries and the attacker has much juicier targets he can go after.
It would be less trivial if one had something like the Android model where each application (with some exceptions) stores (some of) its data as a separate user, and without root privileges, one can't access the data for the application except by the methods provided by the application.
I don't think people realize that
There are things like private/public key encryption you know.
Apparently you need to think about this a bit more. How exactly is Chrome supposed to decrypt a password without storing the secret that allows it to do so on the same machine/account? Even if the password is encrypted with an asymmetric key, the corresponding key must be stored where Chrome can access it to decrypt the password(s).
-- Humans, because the hardware IS the software.
But what about typing hundreds of passwords?
Once you have more than a few, you resort to a crutch of some sort.
Here's a crutch. Just paste it to something like safepassword.sh in /usr/local/bin or similar:
#!/bin/bash
# script: safepassword
# this script depends on sha512sum
if [ "$2" = "" ]
then
echo "usage: safepassword constant_key password_purpose"
echo " where constant_key is a string of printable non-whitespace characters,"
echo " and password_purpose is a memorable string related to the purpose of"
echo " the password, e.g. a website address. Since the script removes any"
echo " characters outside 0-9 a-z A-Z it is possible that the password will"
echo " be too short in some cases."
else
# hash "constant_key-password_purpose", turn the hex digest back into raw
# bytes, then keep only the characters 0-9 a-z A-Z
echo -n "$1-$2" | sha512sum | xxd -r -p | tr -cd '[:print:]' | sed -e "s/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]//g"
echo
fi
The script is indented, but stupid slashcode ignores characters.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
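An added example, not part of the original post: the same derive-from-a-constant-key idea in Python, with a fixed output length (the script's usage text notes its result can come out too short) and a slow key-derivation step. The function name, iteration count and default length are assumptions chosen for illustration.

```python
import hashlib
import hmac
import string

# Same character set the script keeps: 0-9 a-z A-Z (62 symbols).
ALPHABET = string.digits + string.ascii_letters
ITERATIONS = 200_000  # assumed work factor; raise it as far as your hardware allows


def derive_password(constant_key: str, purpose: str, length: int = 20) -> str:
    """Derive a fixed-length alphanumeric password for one purpose (hypothetical helper)."""
    if not constant_key or not purpose:
        raise ValueError("constant_key and purpose are both required")
    if length < 1:
        raise ValueError("length must be positive")
    # The purpose is used as the salt, so each site gets an unrelated output.
    # The iteration count makes each guess at constant_key expensive if one
    # derived password ever leaks.
    seed = hashlib.pbkdf2_hmac(
        "sha512", constant_key.encode(), purpose.encode(), ITERATIONS
    )
    out = []
    counter = 0
    while len(out) < length:
        # Expand the seed one 64-byte block at a time until enough characters exist.
        block = hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha512).digest()
        counter += 1
        for byte in block:
            # Rejection sampling: 248 = 4 * 62, so bytes below 248 map evenly
            # onto the alphabet and the rest are skipped (no modulo bias).
            if byte < 248:
                out.append(ALPHABET[byte % 62])
                if len(out) == length:
                    break
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(derive_password("correct-horse-battery", "example.com"))
```

As with the script, anyone who learns the constant key can regenerate every password, so it needs the same care as a master password.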
There are things like private/public key encryption you know.
Yes, and if you understood how public key encryption works, you'd realize its existence is not relevant to the discussion at hand. It has no useful function here. (Note: your "master password" is not a private key of this sort -- no hand entered password ever could be... unless you're Lt. Cmdr. Data.)
"Convictions are more dangerous enemies of truth than lies."
Firefox has the option to protect saved passwords with a master password, and if you already unlocked the password store, in order to read passwords from the GUI, you need to unlock it again.
Exactly. Mozilla's email client Thunderbird also uses a Master Password to unlock the view-ability of the stored passwords.
For those who insist on saying that chrome's security method is good enough consider this: How many people use separate log-ins for the "Family" computer that stays on most of the time? Not very many I'd imagine, just too much trouble for most to deal with. This means that both other family members as well as house guests can casually access all those passwords in no time.
Even if you do use different log-ins consider this type of common scenario: Your son or daughter has a "friend" over and they are cruising the web on her account doing whatever. Say that they are reading some news item or article together when the daughter gets up to go to the bathroom. Do you think for one second that she is going to lock the computer and force her friend to wait to finish what she is doing? No. Her "friend" will then be able to casually and quickly access all those passwords and type them into her iPhone for safe keeping before your daughter gets back. She now pwns your daughter's Facebook account, bank account, cellphone account and who knows what else.
How can anyone with a straight face say that is an acceptable security method? The fact that my open source email client has an easily useable default master password system proves that it is something that chrome could easily implement as well, hell, just copy the open-source code from thunderbird if you need to...
To be quite frank; when I think of Google or Microsoft "my security" is not something I honestly expect from them, and this newest revelation just further confirms that perception.
Maybe you didn't read the article and what is being discussed. The reason Google is being singled out is because one guy discovered an issue with Chrome and then Google's top chief for Chrome security had a crappy response.
No, he had exactly the right response, but there's a lot of morons (as proven by the threads on this story) who think they understand security and don't.
Sure, it's shocking for someone who thought their passwords were safe in Chrome to realize that they're visible with four clicks. But the real issue is that Chrome passwords aren't really stored safely. If you get a virus on your system, it has full access to the passwords.
Honest question: why doesn't Chrome implement something similar to KeePass or LastPass? Is there some technical reason? Is it astoundingly difficult? Does it not actually provide additional security against malware?
Fantastic. I don't think that you realize that the issue people are concerned about is that Chrome will easily display these passwords in plain text to any user who happens to sit down at an unlocked computer.
Now to some of the silly supporters of this bizarre behavior:
If I have access to an unlocked user account, I can already: install keyloggers, corrupt data, pwn their machine, rape their dog, etc...
Yes, yes you could. But just as there are different levels of security, there are different levels of "hackers". Not everyone out there is a l33t haxor who can own your PC with nothing more than a paper clip, a rubber band and an old FM radio. Security is also intended to stop "casual hackers". A "friend" who is just borrowing your browser for a few minutes. A neighbor who just dropped by and needs to check their email quickly. Your soon to be ex-spouse who wants to check up on what sites you've been visiting...etc. Having a UAC prompt / sudo prompt would at least stop these casual users from finding all your passwords in plain text.
If the browser stores the password, someone could just log onto the site and change it
Yes, but unless they: (1) validated the password change in email, (2) deleted the email notifying the user of password change, (3) changed the browser to have the new password stored, the user would likely notice the change pretty quick. I know I'd notice password changes of this type when my (a) phone, (b) laptop, (c) other PC all stopped being able to access the site that was changed.
People shouldn't store their passwords in the browser....they should use: [insert favorite password storage site here]
Agreed. But in this case, Google should just remove the feature and redirect the user to one of those sites.
The way they have it implemented is:
(a) stupid
(b) insecure
and
(c) dishonest as their messages imply that passwords are stored securely.
And their idiotic defense of this behavior makes me wonder if Google even bothers hiring security-aware people at all. It concerns me enough that even though I don't store passwords in any browser, I'm uninstalling Chrome when I get home. If they are this lax about basic password security, I am very worried about what other stupid security policies they have in Chrome.