Slashdot Mirror


User: Clsid

Clsid's activity in the archive.

Stories: 0
Comments: 726

Comments · 726

  1. Re:My browser (Chrome) on Chrome's Insane Password Security Strategy · · Score: 1

    You do realize that it is extremely easy to crack Windows user account passwords?

  2. Re:Google's rationalization is ridiculous on Chrome's Insane Password Security Strategy · · Score: 1

    The problem with your example is that you are thinking of one particular scenario. A workstation that can be locked. How many computers have you seen where people just have the machine login automatically? Also Chrome is used a lot, not only in work machines but also at home or places with not so savvy computer users. Now if somebody steals that equipment, or if they boot your computer with any Linux CD with chntpw you are going to be pretty screwed. As you say, I fail to see why "this concept so hard to fucking understand?"

  3. Re:Kember is wrong on Chrome's Insane Password Security Strategy · · Score: 1

    I'm sorry but I fail to see how it is a sane design to have something that can be so easily abused. Storing passwords per se is the way to go these days with so many websites and things to remember. The last thing you want to do is use the same password for lots of things. After reading some of the comments I realized that one of the worst case scenarios is having a laptop stolen and then the thief also gains easy access to all your information, especially if your security relied on a Windows login password.

  4. Re:Passwords have to be in the clear anyway on Chrome's Insane Password Security Strategy · · Score: 1

    Get Keefox for Keepass, you are going to like it a lot.

  5. Re:Moronic. on Chrome's Insane Password Security Strategy · · Score: 1

    Getting a Slashdot account isn't that hard to begin with, and it helps so you won't get tagged along with other ACs that were saying some very strange things. In your case it was the "there is no way to make this work" comment, when in fact there are a variety of ways to make something like this work, from biometric devices to even using your cell phone. But I do agree that the master password is a very simple and effective way, just not the ONLY way.

  6. Re:Moronic. on Chrome's Insane Password Security Strategy · · Score: 1

    I see your point and it is totally reasonable. Mine was more about having the equivalent of onion layers. You add more depending on the importance of the data, but even with some basic stuff I like to have the equivalent of the mall cop guarding it.

  7. Re:Screw You Obama on Snowden Gave 15,000 Documents to Glenn Greenwald; Obama Cancels Russia Summit · · Score: 2, Informative

    I don't know what Kool-Aid you are drinking or if Al-Qaeda got into you, but even with all its faults, the US still is a great country. Do travel to crappy places in the world to realize that the standard of living in the US is still way higher than in a lot of places. And last time I checked the US economy still leads the world by a very wide margin. And I wonder what makes you come to a US website if everything is so screwed up, LOL.

  8. Re:Why is Google being singled out? on Chrome's Insane Password Security Strategy · · Score: 0

    Right, because everybody agrees that storing plain text passwords is a good idea. If you don't see the value of using a master password per session I don't know what we are talking about here.

  9. Re:People actually do that? on Chrome's Insane Password Security Strategy · · Score: 1

    And let's not forget, it is always about convenience over security at some point. Using the master password in Firefox is actually ok for basic stuff so the AC is just being a snob here.

    Having said that, icebike you should check Keepass with Keefox. It is really good, and there are ways to make it work among multiple machines. Plus in my case I store the key file (which you need to decrypt the password db with your master password) on a flash drive that I carry with me. Best setup I have found so far.

  10. Re:Doomed anyway? on Chrome's Insane Password Security Strategy · · Score: 1

    They need more than just your Keepass password, especially if you store your key file somewhere else or use bluetooth devices, etc.

  11. Re:He missed something on Chrome's Insane Password Security Strategy · · Score: 1

    Lol keychain, you are right.

  12. Re:Moronic. on Chrome's Insane Password Security Strategy · · Score: 1

    The software could generate the pairs for each user, but while it's not a perfect solution, I think it is way better than storing passwords in plain text.

  13. Re:Moronic. on Chrome's Insane Password Security Strategy · · Score: 1

    Locking the desktop is even less secure than having a master password in my opinion. Do you know how easy it is to reset the local admin password on a Windows machine with one of those Linux boot CDs?

  14. Re:Moronic. on Chrome's Insane Password Security Strategy · · Score: 1

    Well I never intended to propose the perfect solution with my comment but it sure as hell is better than what Chrome is doing right now. Your Slashdot id might be older but unless you are some sort of uberhacker we pretty much are from the same camp so I can tell you what I do regarding this issue and you can make your own conclusions.

    I use Keepass and Keefox. I also use a key file which is stored on a pen drive. I made a point of always carrying that pen drive with me more for practical reasons than security, but in this case it adds an extra layer of protection if you will. The database itself is encrypted with AES and I store that in a Yandex.Disk so I can share it between multiple computers. As you know, Keepass has some extra protection against keyloggers, without mentioning that having a proper commercial antivirus updated should keep a lot of automated attack tools out of your system with little effort. So this way, I do have to use a master password but only once per session and it works so far and I can use passwords that are much harder to crack. I used to have KeePassX but I recommend you switch to Keepass instead and use Mono if you have to run on Macs (Keefox is also compatible in this regard) since KeePassX does not support the 2.0 KDB format and it does not integrate with the extremely cool Keefox. You could make this setup even better by adding the bluetooth plugin so you can store the key file on your cell phone, but some of the computers I have to use do not have bluetooth.

    So having said that, even after all those measures, if somebody comes to me and demands my passwords for whatever reason by asking nicely while carrying a gun, all of that would have been for nothing. But more to the point, I still believe that even if you can't have perfect security, that should not be an excuse to be so careless as to store plain text passwords. I hope we can at least agree on that.

  15. Re:Firefox is the same on Chrome's Insane Password Security Strategy · · Score: 2

    Security is a theater most of the time. Nothing prevents you from robbing a bank and taking down the guards except, morals aside, the fear of losing your freedom or getting shot.

    Passwords by themselves are a laughable protection we use nowadays, especially if you use short strings. It just happens to be the most convenient option we have so far. A lot of banks have switched to having code cards and passwords for more security, or even sending codes to your cell phone. A simple keylogger can take away all the precautions you took to secure your passwords by remembering them. And to be honest, if you can remember your password, most likely you are using a bad password. You should really start using some sort of password manager with extremely long and complicated passwords. Keepass is very effective at this, especially when you pair it with add-ons like Keefox. This software has ways to even fool keyloggers like using secure desktops in Windows or doing some random stuff when they paste the password string on webforms. If you combine this stuff with plugins like Key xchanger, that lets you access your key files on your cell phone via Bluetooth, you can probably have the most secure setup available without too much hassle.

    So that being said, I still believe even if Firefox's way isn't the most secure, at least it is way better than what Chrome is doing. Hell if it was Microsoft's IE doing it, we wouldn't be having this conversation I believe.

  16. Re:This is nothing new on Chrome's Insane Password Security Strategy · · Score: 1

    There is software called Keepass and it tackles that issue in a really good way. It might not be perfect but if you find somebody that can crack a Keepass database that uses Twofish or AES, they totally deserve to have your passwords.

  17. Re:Moronic. on Chrome's Insane Password Security Strategy · · Score: 0

    You can't, but I wouldn't expect a local user to have the time to install a hex editor and decompilers on a machine that I use to extract a private key from the executable. Even if somebody manages to create an automated tool for script kiddies it should be flagged by most up-to-date antivirus.

    Of course there is no perfect secrecy but just the concept of making it harder, so again, no matter which approach they use, Chrome should not use plain text to store passwords.

  18. Re:Doomed anyway? on Chrome's Insane Password Security Strategy · · Score: 0

    If you use something like keepass you are protected against stuff like that. And let's not forget that if you have any sort of updated antivirus, it will at least prevent a lot of keyloggers that script kiddies use from being installed. In any case, that is not an excuse to have Chrome store plain text passwords. This was solved in Linux ages ago.

  19. Re:..okay? And? on Chrome's Insane Password Security Strategy · · Score: 0

    There are things like private/public key encryption you know.

  20. Re:He missed something on Chrome's Insane Password Security Strategy · · Score: 1

    Safari uses the keyring, an OS level service to access passwords. So all you need to provide is your system password when an app wants to access the keyring and that's it.

  21. Re:Moronic. on Chrome's Insane Password Security Strategy · · Score: 1

    Lol this is like Google's AC army all over the comments section now. Computers don't work that way. But to make it simple for you, a password can be encrypted with a public key, and then decrypted with Chrome's private key. It is not advanced technology and please, go tell your coworkers at Google to get their act together.

  22. Re:Firefox is the same on Chrome's Insane Password Security Strategy · · Score: 5, Insightful

    You can secure this in Firefox, there is no option to do so in Chrome.

  23. Re:Why is Google being singled out? on Chrome's Insane Password Security Strategy · · Score: 1, Insightful

    Maybe you didn't read the article and what is being discussed. The reason Google is being singled out is because one guy discovered an issue with Chrome and then Google's top chief for Chrome security had a crappy response.

    So next time, at least try to post with a proper Slashdot account or something, at least that way we can check if you are just a zealot for a given company or making a legit complaint.

  24. Re:If it's real... on First Laptop With Full-Sized Solar Panels Will Run On Ubuntu · · Score: 1

    You might be right, but you can also leave it near the window and it would do the trick as well.

  25. Re:If it's real... on First Laptop With Full-Sized Solar Panels Will Run On Ubuntu · · Score: 1

    Better get this stuff, http://www.aliexpress.com/item/HOT-High-Capacity-23000mAh-Solar-Charger-Solar-Mobile-Power-Bank-Battery-Charger-for-iPhone-iPad-Tablet/928368152.html

    It works for a lot more stuff and you can leave the cell out in the sun while you use your laptop in the shade.