Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome's Insane Password Security Strategy

Posted by Unknown on from the passwords-for-password-locker dept.

jones_supa writes "One day web developer Elliott Kember decided to switch from Safari to Chrome and in the process, discovered possibly a serious weakness with local password management in Chrome. The settings import tool forced the passwords to be always imported, which lead Kember to further investigate how the data can be accessed. For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek all the passwords in clear text very easily with a couple of mouse clicks. This spurred a lengthy discussion featuring Justin Schuh, the head of Chrome security, who says Kember is wrong and that this behavior of Chrome has been evaluated for years and is not going to change."

28 of 482 comments (clear)

  1. This is also the case on Firefox by briancox2 · · Score: 5, Insightful

    I know it has been discussed many times to password lock access to stored passwords, though because browsers are not user-specific, this has not been done.

    Solution: If security is important to you, don't be lazy.

    --
    We should learn what we need to know about issues, before we decide what we need to feel about them.
    1. Re:This is also the case on Firefox by robmv · · Score: 5, Informative

      Firefox has the option to protect saved passwords with a master passwords and if you already unlocked the password store, in order to read password from the GUI, you need to unlock it again

    2. Re:This is also the case on Firefox by gstoddart · · Score: 5, Interesting

      I know it has been discussed many times to password lock access to stored passwords, though because browsers are not user-specific, this has not been done.

      I'm sorry, but there is a dedicated area for my stuff -- on Windows it's Documents and Settings, and on UNIX it's the home directory. The actual program may not be user specific, but all operating systems have a "home" area specific to users. There are no valid technical reasons why this can't be made secure, other than either having no interest in doing it, or pandering to users who just want convenience.

      This is just a piss-poor implementation of security, and it's why I don't trust a browser to retain passwords for me, and never have. I rank it right up there with giving Facebook my password so they can log into my email and find friends -- not happening, because I don't trust them with my password.

      If this guy is the head of 'security' for Chrome, he's either incompetent at that, or Google as a general rule have a shitty idea about what security should be and he's of the opinion this is "good enough".

      But since Google mostly just wants to collect all of your data, it may not be of value to them to lock it down in any meaningful way.

      --
      Lost at C:>. Found at C.
    3. Re:This is also the case on Firefox by gQuigs · · Score: 5, Informative

      So set a Master Password: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins
      More here: http://kb.mozillazine.org/Master_password

      Almost no users actually use this: http://monica-at-mozilla.blogspot.com/2013/02/cant-live-with-them-cant-live-without.html
      "....can be solved somewhat with master password, but only 1 out of 12K users had master password enabled"

    4. Re:This is also the case on Firefox by Spazmania · · Score: 3, Informative

      From TFA:

      The simple fact is that you need to lock your user account if you want to protect your information. If you don't do that, nothing else really matters because it's all just theater and won't actually stop anyone willing to invest minimal effort.

      And there it is. The bottom line. Kember demands that Chrome engage in security theater and the Chrome authors said no. As they should.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    5. Re:This is also the case on Firefox by icebike · · Score: 4, Insightful

      Every one can type their own password.

      But what about typing hundreds of passwords?

      Once you have more than a few, you resort to a crutch of some sort.

      --
      Sig Battery depleted. Reverting to safe mode.
    6. Re:This is also the case on Firefox by AmiMoJo · · Score: 4, Informative

      I just checked and Chrome keeps my passwords in a file under "C:\Users\\AppData\Local\Google\Chrome\User Data\Default". This directory is permission locked to me only. Even other admins can't access it unless they add permissions manually.

      As far as I can tell Chrome does use filesystem level security to protect individual user's passwords.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:This is also the case on Firefox by Deathlizard · · Score: 3, Interesting

      Chrome stores everything in the cloud if you're logged into Google. That's what makes this even more dangerous than it's being reported.

      If Chrome is signed into your Google account, and some malicious user gets hold of your Google username and password, then they can retrieve all of your stored passwords simply by installing chrome and logging in. That includes any password on your phone, other systems or otherwise.

      This is why two step authentication, clearing out all stored password, and disabling password storing in sync settings are your friends.

      --
      In Soviet Russia, Trojan exploits YOU!
    8. Re:This is also the case on Firefox by bmk67 · · Score: 5, Informative

      If only such a thing existed...

      Oh, wait. It does.

      http://lastpass.com/

    9. Re:This is also the case on Firefox by AliasBackslash · · Score: 3, Informative

      LastPass does exactly this.

    10. Re:This is also the case on Firefox by bmk67 · · Score: 3, Insightful

      I also wouldn't need LastPass if I didn't need a cross-browser, cross-device password management tool, which Chrome is not, regardless of the trust level I assign it.

      So, in fact, even if I did trust Chrome, I would still need it.

  2. Moronic. by Anonymous Coward · · Score: 3, Insightful

    If your browser can read the passwords and use them on the web, so can a local user. No surprise. Unless you set a master password (firefox offers this, not sure about chrome), there's no way to fix this. It's just how computers work.

    1. Re:Moronic. by aardvarkjoe · · Score: 4, Insightful

      But to make it simple for you, a password can be encrypted with a public key, and then decrypted with Chrome's private key.

      How do you intend to keep a local user from being able to extract the private key that Chrome is using? (Note that in your scenario, asymmetric key encryption is kind of pointless in the first place.)

      See: why DRM doesn't work either.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  3. This is nothing new by Anonymous Coward · · Score: 3, Insightful

    Saved passwords have always been stored in a way that they can be recovered easily.

    By definition, saving passwords will always be insecure, unless the program has a way to encrypt them using another key provided by the user.

    They MUST be recoverable to be of use, because the plain text password must be available to the program for transmission to the web page.

  4. He missed something by Lieutenant_Dan · · Score: 5, Interesting

    How about the fact that Chrome can import passwords stored in Safari to begin with?

    So Safari has some security issues as well. Where is the "master key" to export passwords?

    I guess the underlying message is that if you leave a computer unattended the information is accessible to anyone. E-mail, passwords, documents, MP3s, etc.

    This is a convenience feature and 99% rather have the convenience of a cached web passwords on their personal computer then worrying about something walking by.

    --
    Wearing pants should always be optional.
  5. Why is this making news? by vawwyakr · · Score: 3, Funny

    I've seen this on several sites, is this news to anyone?? Did you miss it many years ago when this was added? You know what, when someone is physically on my machine while its logged in, they can also send emails from my account!! Its just right there ready to go! We need to do something about this!

  6. Re:Firefox is the same by Anonymous Coward · · Score: 4, Informative

    ../../Set Masterpassword

    face it : chrome sucks at security, but that's no big surprise.

  7. Passwords have to be in the clear anyway by Todd+Knarr · · Score: 4, Insightful

    Passwords have to be stored in a decryptable form, because the browser needs them decrypted to fill in the password fields or to respond to HTTP authentication responses. That means that any malware with access to the browser can get those passwords in decrypted form too. A master password doesn't help, the malware can just get the passwords after I've entered the master password to decrypt them for use (assuming it can't just get the master password when I enter it). The only thing encrypted password storage really protects against is someone with access to the physical storage media but not the running system, or essentially stolen mobile devices (phones or laptops). On those you probably shouldn't be storing passwords at all, because any reversible encryption is too easy to crack using off-line attacks with modern hardware.

    It's similar to my objection to the old "don't write down your passwords" thing: the risk of a remote attack against easy-to-remember passwords is much higher than the risk of an attacker physically getting into the locked drawer of my desk in the locked area of the secured and patrolled building my office is in, and if the attacker has gotten into the locked drawer in my desk I've got much bigger security worries and the attacker has much juicier targets he can go after.

  8. Re:Firefox is the same by Clsid · · Score: 5, Insightful

    You can secure this in Firefox, there is no option to do so in Chrome.

  9. Re:Firefox has done this for years by The+MAZZTer · · Score: 5, Informative

    I don't think people realize that

    1. The passwords are encrypted on disk.
    2. The key for the encryption )on Windows at least) is the user's account... so Chrome can transparently decrypt them as long as you're logged in, for user convenience, though in this case it gives the appearance of not being encrypted.
    3. Chrome MUST be able to store the passwords in a decryptable form so it can USE them, like you asked it to!
  10. Re:A helpful crutch by lgw · · Score: 3, Interesting

    The script is indented, but stupid slashcode ignores characters

    While stupid slashcode ignores pretty much any 21st century concept, it does support an <ecode> tag, which turns each pair of leading spaces into a level of indention. Bizarre, but workable.

    thing
      thing indented
        thing indented more
      another thing
    done indenting

    It also supports the <tt> tag, which turns each single leading space into a level of indention. Less bizarre, more workable.

    thing
      thing indented
        thing indented more
      another thing
    done indenting

    --
    Socialism: a lie told by totalitarians and believed by fools.
  11. Master Password (Thuderbird+Firefox) by 7bit · · Score: 5, Insightful

    Firefox has the option to protect saved passwords with a master passwords and if you already unlocked the password store, in order to read password from the GUI, you need to unlock it again

    Exactly. Mozilla's email client Thunderbird also uses a Master Password to unlock the view-ability of the stored passwords.

    For those who insist on saying that chrome's security method is good enough consider this: How many people use separate log-in's for the "Family" computer that stays on most of the time? Not very many I'd imagine, just too much trouble for most to deal with. This means that both other family members as well as house guests can casually access all those passwords in no time.

    Even if you do use different log-ins consider this type of common scenario: Your son or daughter has a "friend" over and they are cruising the web on her account doing whatever. Say that they are reading some news item or article together when the daughter gets up to go the bathroom. Do you think for one second that she is going to lock the computer and force her friend to wait to finish what she is doing? No. Her "friend" will then be able to casually and quickly access all those passwords and type them into her iphone for safe keeping before your daughter gets back. She now pwns your daughters facebook account, bank account, cellphone account and who knows what else.

    How can anyone with a straight face say that is an acceptable security method? The fact that my open source email client has an easily useable default master password system proves that it is something that chrome could easily implement as well, hell, just copy the open-source code from thunderbird if you need to...

    To be quite frank; when I think of Google or Microsoft "my security" is not something I honestly expect from them, and this newest revelation just further confirms that perception.

    1. Re:Master Password (Thuderbird+Firefox) by pthisis · · Score: 3, Informative

      Exactly. Mozilla's email client Thunderbird also uses a Master Password to unlock the view-ability of the stored passwords.

      Chrome uses the same core OS key storage that Firefox/Thunderbird does, and encrypts with the same master password--if I save a password in Firefox, it's available in Chrome and vice-versa. Both use kwallet on KDE, gnome-keyring on Gnome platforms, keychain access on the Mac, etc.

      You can lock access to view them however the OS does so (e.g. with gnome, either Applications->Settings->Passwords and Keys, and select "Lock passwords", or from the command line, and gnome automatically locks them when your screensaver locks; on KDE it's the "Wallet Manager", I forget which menu it's under; on the Mac it's Utilities->Keychain Access, and click the little lock at the top of the keychain to lock/unlock). All 3 of those systems default to using your login password and automatically unlocking the keychain when you log in, but you can set the password separately (and be prompted to unlock it when you go to use it) if you want.

      The problem here is that Windows' password management doesn't offer a reasonable alternative, but that's not Chrome's fault.

      For those who insist on saying that chrome's security method is good enough consider this: How many people use separate log-in's for the "Family" computer that stays on most of the time? Not very many I'd imagine, just too much trouble for most to deal with. This means that both other family members as well as house guests can casually access all those passwords in no time.

      a) Lock your passwords when you turn over the computer

      b) You don't actually need to log in and out all the time to use separate accounts on the communal machine. Mine is usually sitting there logged into a guest account that everyone can use, with a browser running as the guest. I'll also use if I'm just looking something up on IMDB or googling/wiki'ing a quick question or whatever. There's a button on the menubar to "Run browser as..." with options for me and each of my family members, which prompts for the user's password and then runs a browser as them--if I need to check email or pay a bill or something, that browser's got my info but it's not available from the guest account/browser.. That covers the vast majority of cases, you just need to remember to close your browser when you're done with it.

      For more complicated stuff, I pop over to VT8, log in, do what I need to do, and pop back. If I'm in the middle of something and someone needs to use the machine briefly, I can lock my terminal and switch back to the guest terminal for a few minutes, then switch back and unlock my screen without really disrupting anything.

      --
      rage, rage against the dying of the light
    2. Re:Master Password (Thuderbird+Firefox) by bondsbw · · Score: 4, Insightful

      Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software

      This assumes bad guy has access to an account with root/admin access. How about OS accounts that are locked down, for the exact reason of preventing these types of exploits? Obviously Chrome can run on a limited account.

      It is irresponsible to rely on the underlying OS security (or insecurity) as a crutch. So what if someone has physical access? Just because they can type on a keyboard or insert a USB drive, doesn't mean they can run an exploit. What will they do, install a rootkit? What if they can't reboot the computer? What if they can't get past BIOS and full disk encryption?

      Seriously... I'm getting mad just at the thought that the head of any computer security team can think in this way.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  12. Re:Why is Google being singled out? by tgd · · Score: 3, Insightful

    Maybe you didn't read the article and what is being discussed. The reason Google is being singled out is because one guy discovered an issue with Chrome and then Google's top chief for Chrome security had a crappy response.

    No he had exactly the right response, but there's a lot of morons (at proven by the threads on this story) who think they understand security and don't.

  13. Re:A helpful crutch by fizzup · · Score: 5, Insightful

    Don't do this. It basically puts your passwords (their building blocks, really) in clear text in your command history. It's not any greater security than Chrome has when someone has physical access, and it is significantly less convenient.

  14. Re:A helpful crutch by LordLimecat · · Score: 5, Insightful

    This thread is a goldmine of security theatre. Any hiring personnel could probably also use this to weed out folks who dont actually understand security.

  15. Re:Firefox has done this for years by Zalbik · · Score: 3, Interesting

    I don't think people realize that
            The passwords are encrypted on disk.
            The key for the encryption )on Windows at least) is the user's account... so Chrome can transparently decrypt them as long as you're logged in, for user convenience, though in this case it gives the appearance of not being encrypted.
            Chrome MUST be able to store the passwords in a decryptable form so it can USE them, like you asked it to!

    Fantastic. I don't think that you realize that the issue people are concerned about is that Chrome will easily display these password in plain text to any user who happens to sit down at an unlocked computer.

    Now to some of the silly supporters of this bizarre behavior:
    If I have access to an unlocked user account, I can already: install keyloggers, corupt data, pwn their machine, rape their dog, etc...
    Yes, yes you could. But just as there are different levels of security, there are different levels of "hackers". Not everyone out there is a l33t haxor who can own your PC with nothing more than a paper clip, a rubber band and an old FM radio. Security is also intended to stop "casual hackers". A "friend" who is just borrowing your browser for a few minutes. A neighbor who just dropped by and needs to check their email quickly. Your soon to be ex-spouse who wants to check up on what sites you've been visiting...etc. Having a UAC prompt / sudo prompt would at least stop these casual users from finding all your passwords in plain text.

    If the browser stores the password, someone could just log onto the site and change it
    Yes, but unless they: (1) validated the password change in email, (2) deleted the email notifying the user of password change, (3) changed the browser to have the new password stored, the user would likely notice the change pretty quick. I know I'd notice password changes of this type when my (a) phone, (b) laptop, (c) other PC all stopped being able to access the site that was changed.

    People shouldn't store their passwords in the browser....they should use: [insert favorite password storage site here]
    Agreed. But in this case, Google should just remove the feature and redirect the user to one of those sites.

    The way they have it implemented is:
    (a) stupid
    (b) insecure
    and
    (c) dishonest as their messages imply that passwords are stored securely.

    And their idiotic defense of this behavior makes me wonder if Google even bothers hiring security-aware people at all. It concerns me enough that even though I don't store passwords in any browser, I'm uninstalling Chrome when I get home. If they are this lax about basic password security, I am very worried about what other stupid security policies they have in Chrome.