
Chrome's Insane Password Security Strategy

Unknown Lamer posted about a year ago | from the passwords-for-password-locker dept.


jones_supa writes "One day web developer Elliott Kember decided to switch from Safari to Chrome and in the process discovered what is possibly a serious weakness in local password management in Chrome. The settings import tool forced the passwords to always be imported, which led Kember to investigate further how the data can be accessed. For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek at all the passwords in clear text very easily with a couple of mouse clicks. This spurred a lengthy discussion featuring Justin Schuh, the head of Chrome security, who says Kember is wrong and that this behavior of Chrome has been evaluated for years and is not going to change."


482 comments


This is also the case on Firefox (5, Insightful)

briancox2 (2417470) | about a year ago | (#44498655)

I know it has been discussed many times to password lock access to stored passwords, though because browsers are not user-specific, this has not been done.

Solution: If security is important to you, don't be lazy.

Re:This is also the case on Firefox (5, Informative)

robmv (855035) | about a year ago | (#44498763)

Firefox has the option to protect saved passwords with a master password, and even if you have already unlocked the password store, in order to read passwords from the GUI you need to unlock it again.

Re:This is also the case on Firefox (0)

i kan reed (749298) | about a year ago | (#44498775)

Well, I was going to ask about this, but thanks for the comment. I make a policy of always typing my passwords rather than letting software save it, so that I am forced to learn my own password, but even if I didn't, this would make me delete the data from my system entirely.

Re:This is also the case on Firefox (4, Insightful)

icebike (68054) | about a year ago | (#44499125)

Every one can type their own password.

But what about typing hundreds of passwords?

Once you have more than a few, you resort to a crutch of some sort.

Re:This is also the case on Firefox (2)

X0563511 (793323) | about a year ago | (#44499259)

I wouldn't call this [keepass.info] a crutch...

Re:This is also the case on Firefox (5, Interesting)

gstoddart (321705) | about a year ago | (#44498791)

I know it has been discussed many times to password lock access to stored passwords, though because browsers are not user-specific, this has not been done.

I'm sorry, but there is a dedicated area for my stuff -- on Windows it's Documents and Settings, and on UNIX it's the home directory. The actual program may not be user specific, but all operating systems have a "home" area specific to users. There are no valid technical reasons why this can't be made secure, other than either having no interest in doing it, or pandering to users who just want convenience.

This is just a piss-poor implementation of security, and it's why I don't trust a browser to retain passwords for me, and never have. I rank it right up there with giving Facebook my password so they can log into my email and find friends -- not happening, because I don't trust them with my password.

If this guy is the head of 'security' for Chrome, he's either incompetent at that, or Google as a general rule have a shitty idea about what security should be and he's of the opinion this is "good enough".

But since Google mostly just wants to collect all of your data, it may not be of value to them to lock it down in any meaningful way.

Re:This is also the case on Firefox (1)

The MAZZTer (911996) | about a year ago | (#44499037)

You are aware Chrome's password stores are encrypted, right? This is a non-issue. You need the user's Windows account credentials to decrypt the passwords.

Re:This is also the case on Firefox (2)

jader3rd (2222716) | about a year ago | (#44499127)

I'm sorry, but there is a dedicated area for my stuff -- on Windows it's Documents and Settings, and on UNIX it's the home directory.

From the Chrome teams response for this issue, I believe that's what they're doing. If someone is logged into your OS session as you, they can see the passwords. Somebody logged into the same computer, but as a different user, can't see the passwords.

Re:This is also the case on Firefox (1)

Anonymous Coward | about a year ago | (#44499311)

And that is criminally stupid.

Re:This is also the case on Firefox (1)

SecurityGuy (217807) | about a year ago | (#44499129)

There are no valid technical reasons why this can't be made secure, other than either having no interest in doing it, or pandering to users who just want convenience.

Sure there is. It's hard. Or perhaps it's better to say, it has enough moving parts that it gets screwed up pretty frequently. For example, it's secure until your boss sends you AnnualReport.docx, which happens to contain a virus (and actually wasn't sent by your boss).

This is just a piss-poor implementation of security, and it's why I don't trust a browser to retain passwords for me, and never have.

I agree, I just extend that to pretty much all computer products. I hope that someday the plague of insecure software will end, but we're nowhere near that now.

Re:This is also the case on Firefox (0)

Anonymous Coward | about a year ago | (#44499153)

I'm sorry, but there is a dedicated area for my stuff -- on Windows it's Documents and Settings, and on UNIX it's the home directory.

That's for XP. For Windows 6.x the folder's name is "Users".

Re:This is also the case on Firefox (4, Informative)

AmiMoJo (196126) | about a year ago | (#44499237)

I just checked and Chrome keeps my passwords in a file under "C:\Users\\AppData\Local\Google\Chrome\User Data\Default". This directory is permission locked to me only. Even other admins can't access it unless they add permissions manually.

As far as I can tell Chrome does use filesystem level security to protect individual user's passwords.

Re:This is also the case on Firefox (5, Informative)

gQuigs (913879) | about a year ago | (#44498829)

So set a Master Password: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins [mozilla.org]
More here: http://kb.mozillazine.org/Master_password [mozillazine.org]

Almost no users actually use this: http://monica-at-mozilla.blogspot.com/2013/02/cant-live-with-them-cant-live-without.html [blogspot.com]
"....can be solved somewhat with master password, but only 1 out of 12K users had master password enabled"

Re:This is also the case on Firefox (1)

Sigma 7 (266129) | about a year ago | (#44498855)

With Firefox, there's the option of adding a master password.

It's still substandard - Firefox bleeds login information across sites (e.g. It places 3+ potential usernames, some of which are unique to a specific site), gives sudden "enter master password" prompt when not focusing on a password field, etc.

Re:This is also the case on Firefox (1)

Anonymous Coward | about a year ago | (#44498895)

Solution: If security is important to you, don't be lazy.

There is a dilemma in this. The conventional wisdom is that 'don't use any browser based password storage, as it is not secure.' This means that you need to either

1. memorize every password, or perhaps
2. use an alternative 'out-of-band' password management solution that is not dependent on the physical security of your system.

Re:This is also the case on Firefox (1)

gmuslera (3436) | about a year ago | (#44498921)

Firefox also has the possibility of a master password to be able to access those stored passwords. Chrome just didn't see that as something that would essentially make a difference in the long term. Another topic is how they are stored; here is a comparison between Firefox, Chrome and IE [blogspot.com], where Chrome seems to not be very secure in that area, Firefox with a master password is the safest, and IE badly dropped the security there in the latest versions.

Re:This is also the case on Firefox (0)

Anonymous Coward | about a year ago | (#44499361)

But only 1 in 12K users ended up using the master password.

Re:This is also the case on Firefox (3, Informative)

Spazmania (174582) | about a year ago | (#44499033)

From TFA:

The simple fact is that you need to lock your user account if you want to protect your information. If you don't do that, nothing else really matters because it's all just theater and won't actually stop anyone willing to invest minimal effort.

And there it is. The bottom line. Kember demands that Chrome engage in security theater and the Chrome authors said no. As they should.

Re:This is also the case on Firefox (1)

icebike (68054) | about a year ago | (#44499067)

I know it has been discussed many times to password lock access to stored passwords, though because browsers are not user-specific, this has not been done.

Solution: If security is important to you, don't be lazy.

But browsers ARE as user specific as any other part of the modern computer.

With just about every Operating System having the ability to have multiple accounts logged in and to switch accounts easily, browsers, and everything else each user does can be compartmentalized easily.

And that is probably the best way to handle it in general where what is needed is snoop protection from co-users.

If you recommend typing in passwords to every website, you have to go with a notebook full of passwords, a single common password, or a trivially guessable combination. Either that or trust third-party authentication schemes, which creep me out in this day and age.

So I agree with not being lazy, but I recommend the exercise of locking the account as you walk away.

Use a bluetooth proximity lock if you think you might get super lazy. Of course if you are in the habit of walking away and leaving your phone on your desk, there is no hope for you anyway.

Why is Google being singled out? (1)

Anonymous Coward | about a year ago | (#44498657)

If you save your passwords in Firefox, you can obtain them, in plain text, by going to preferences, security, and saved passwords. Similar functionality is available in Internet Explorer. Safari is the only browser, that I know of, that asks for an account password before revealing the contents of the key chain password manager, but, with a little javascript, this security check can be easily bypassed.

The solution is to never hand anyone access to your operating system user account. Understanding and using OS user accounts and browser profiles, which Google Chrome includes an option for, would solve this “problem.”

On a side note, if other browsers are barely more secure or just as "bad" as Chrome, why is Chrome being singled out? When did it become fashionable by some in the tech community to attack Google?

Re:Why is Google being singled out? (1, Insightful)

Clsid (564627) | about a year ago | (#44498913)

Maybe you didn't read the article and what is being discussed. The reason Google is being singled out is because one guy discovered an issue with Chrome and then Google's top chief for Chrome security had a crappy response.

So next time, at least try to post with a proper Slashdot account or something; at least that way we can check if you are just a zealot for a given company or making a legit complaint.

Firefox is the same (2, Informative)

rHBa (976986) | about a year ago | (#44498671)

Firefox menu -> Preferences -> Security -> Saved Passwords -> Show Passwords

Re:Firefox is the same (4, Informative)

Anonymous Coward | about a year ago | (#44498797)

../../Set Masterpassword

face it : chrome sucks at security, but that's no big surprise.

Re:Firefox is the same (2)

hobarrera (2008506) | about a year ago | (#44498835)

Actually, is this any different for ANY browser?
If the password is available (without being prompted for any master password), then it's accessible one way or another. Period.

Re:Firefox is the same (1)

Anonymous Coward | about a year ago | (#44498901)

Safari stores them in the system keychain encrypted/unlocked with your login password (or another password if you want)

Re:Firefox is the same (5, Insightful)

Clsid (564627) | about a year ago | (#44498929)

You can secure this in Firefox, there is no option to do so in Chrome.

Re:Firefox is the same (0, Flamebait)

osu-neko (2604) | about a year ago | (#44499319)

You can secure this in Firefox, there is no option to do so in Chrome.

You mean Firefox engages in a bit of security theater that Chrome does not. As a result, people who don't know any better are misled into believing the falsehood that "you can secure this in Firefox", whereas people in Chrome can see the truth of the matter.

Firefox has done this for years (1)

Anonymous Coward | about a year ago | (#44498675)

I have taken advantage of it to post on friend's Facebook pages. Why the sudden interest in this ability on Chrome?

Re:Firefox has done this for years (5, Informative)

The MAZZTer (911996) | about a year ago | (#44499103)

I don't think people realize that

  1. The passwords are encrypted on disk.
  2. The key for the encryption (on Windows at least) is the user's account... so Chrome can transparently decrypt them as long as you're logged in, for user convenience, though in this case it gives the appearance of not being encrypted.
  3. Chrome MUST be able to store the passwords in a decryptable form so it can USE them, like you asked it to!

Arrogance (0)

Anonymous Coward | about a year ago | (#44498683)

And he expected anything different? This is just Google's typical arrogance and exactly how they responded to the Gmail UI changes that no one asked for and all the stupid shit they change or disallow in Chrome.

Moronic. (3, Insightful)

Anonymous Coward | about a year ago | (#44498687)

If your browser can read the passwords and use them on the web, so can a local user. No surprise. Unless you set a master password (firefox offers this, not sure about chrome), there's no way to fix this. It's just how computers work.

Re:Moronic. (0)

Anonymous Coward | about a year ago | (#44498753)

The comments are telling. Pretty much all the complaints are from clueless noobs.

Re:Moronic. (1)

Clsid (564627) | about a year ago | (#44499005)

Lol this is like Google's AC army all over the comments section now. Computers don't work that way. But to make it simple for you, a password can be encrypted with a public key, and then decrypted with Chrome's private key. It is not advanced technology and please, go tell your coworkers at Google to get their act together.

Re:Moronic. (4, Insightful)

aardvarkjoe (156801) | about a year ago | (#44499133)

But to make it simple for you, a password can be encrypted with a public key, and then decrypted with Chrome's private key.

How do you intend to keep a local user from being able to extract the private key that Chrome is using? (Note that in your scenario, asymmetric key encryption is kind of pointless in the first place.)

See: why DRM doesn't work either.

Re:Moronic. (0)

Anonymous Coward | about a year ago | (#44499151)

And this private key would be stored where, exactly?

Re:Moronic. (1)

Anonymous Coward | about a year ago | (#44499183)

Lol this is like Google's AC army all over the comments section now. Computers don't work that way. But to make it simple for you, a password can be encrypted with a public key, and then decrypted with Chrome's private key. It is not advanced technology and please, go tell your coworkers at Google to get their act together.

That'd be simple but accomplish nothing. The private key would be installed on everybody's computer, thus rendering it not private.

Re:Moronic. (1)

Dynedain (141758) | about a year ago | (#44499229)

Which means Chrome's private key needs to be stored in Chrome itself (unless you want to start shipping everything off to Google for server-side processing), and so can be plucked out of the binary for decryption purposes.

Re:Moronic. (0)

Anonymous Coward | about a year ago | (#44499349)

Lol this is like Google's AC army all over the comments section now. Computers don't work that way. But to make it simple for you, a password can be encrypted with a public key, and then decrypted with Chrome's private key. It is not advanced technology and please, go tell your coworkers at Google to get their act together.

lol. Your public/private key idea is moronic. Unless you plan to have your encrypted password sent off to google's server to be decrypted remotely, that plan couldn't even begin to work. The private key would have to be stored in the browser's executable or config file. How long do you think it would take hackers to figure out how to extract that?

Re:Moronic. (2)

The MAZZTer (911996) | about a year ago | (#44499113)

I believe Chrome uses OS passwords stores on Mac and Linux which both support a master password. Not 100% sure. The Windows mechanism used uses your Windows login information so no master password is needed, it's very convenient and just as secure (unless you leave your computer logged on... but then all the files you encrypted in the exact same way with Microsoft's file encryption will be readable as well).

This is nothing new (3, Insightful)

Anonymous Coward | about a year ago | (#44498693)

Saved passwords have always been stored in a way that they can be recovered easily.

By definition, saving passwords will always be insecure, unless the program has a way to encrypt them using another key provided by the user.

They MUST be recoverable to be of use, because the plain text password must be available to the program for transmission to the web page.

Same thing in Firefox (0)

Anonymous Coward | about a year ago | (#44498699)

A plain text listing of all the passwords saved is also easily accessible in Firefox. I believe there is a way to put a master password on it; however, from what I remember (admittedly from a couple of years ago), it was kind of a hassle.

Re:Same thing in Firefox (2)

liamevo (1358257) | about a year ago | (#44498757)

Pretty easy these days, you can set up a master password on the page where you access the plain text passwords. Most people don't do this though, and do use the remember-my-login feature. Really it should be one of the first things it gets you to do when you set up the browser.

I don't see what the fuss is about. (2, Informative)

haploc (57693) | about a year ago | (#44498719)

This functionality has been both in Chrome and Firefox for years now, so I don't see why people make a fuss about it only now..

Either you don't give other people access to your user account, or you use a 3rd party password-protected keystore like Keepass, Lastpass, 1Password, with a separate (or even 2-factor) authentication.

Re:I don't see what the fuss is about. (1)

dirtypoole (2609871) | about a year ago | (#44499305)

Either you don't give other people access to your user account, or you use a 3rd party password-protected keystore like Keepass, Lastpass, 1Password, with a separate (or even 2-factor) authentication.

exactly!

Firefox shows it's passwords too (0)

Anonymous Coward | about a year ago | (#44498729)

In Firefox just check Settings > Security > Saved passwords > Show passwords. To protect them a master password must be used.

He missed something (5, Interesting)

Lieutenant_Dan (583843) | about a year ago | (#44498737)

How about the fact that Chrome can import passwords stored in Safari to begin with?

So Safari has some security issues as well. Where is the "master key" to export passwords?

I guess the underlying message is that if you leave a computer unattended the information is accessible to anyone. E-mail, passwords, documents, MP3s, etc.

This is a convenience feature and 99% would rather have the convenience of cached web passwords on their personal computer than worry about someone walking by.

Re:He missed something (1)

Anonymous Coward | about a year ago | (#44498915)

Safari passwords are stored in the user's keychain [wikipedia.org] and the master password is usually, but doesn't have to be, the user's login password.

Re:He missed something (1)

Lieutenant_Dan (583843) | about a year ago | (#44499013)

Thanks; that's good info.

So the underlying convenience is at fault.

Re:He missed something (1)

Clsid (564627) | about a year ago | (#44499039)

Safari uses the keyring, an OS level service to access passwords. So all you need to provide is your system password when an app wants to access the keyring and that's it.

Re:He missed something (0)

Anonymous Coward | about a year ago | (#44499069)

Your master key is your login password by default. That's what the allow popup is authorizing. You can easily decouple this in OSX, it's just not the default.

..okay? And? (2, Insightful)

Anonymous Coward | about a year ago | (#44498741)

If Chrome is going to enter your password for you, it has to know your password. This simple requirement ultimately means that any attempt to obfuscate the stored password is going to be trivial to overcome by anyone who has physical access to the box, unless you're flat out encrypting them with another password that the user would have to enter to decrypt them, and at that point, we've pretty handily defeated the purpose of storing passwords (because let's face it, it's not like you're going to want to do this EVERY time you need to autofill a password, so we're just going to do it once and then leave the db unlocked), so you may as well just remember your passwords and enter them manually in the first place.

Re:..okay? And? (0)

Clsid (564627) | about a year ago | (#44499049)

There are things like private/public key encryption you know.

Re:..okay? And? (1)

Dynedain (141758) | about a year ago | (#44499239)

And where do you keep the private key? Inside the distributed Chrome binary? That's locally accessible.

Re:..okay? And? (2)

cmat (152027) | about a year ago | (#44499287)

There are things like private/public key encryption you know.

Apparently you need to think about this a bit more. How exactly is Chrome supposed to decrypt a password without storing the secret that allows it to do so on the same machine/account? Even if the password is encrypted with an asymmetric key, the corresponding key must be stored where Chrome can access it to decrypt the password(s).

Re:..okay? And? (2)

pruss (246395) | about a year ago | (#44499059)

It would be less trivial if one had something like the Android model where each application (with some exceptions) stores (some of) its data as a separate user, and without root privileges, one can't access the data for the application except by the methods provided by the application.

Re:..okay? And? (1)

The MAZZTer (911996) | about a year ago | (#44499141)

Actually, the passwords ARE encrypted with another master password, so you already have your best-security scenario. You just never have to enter it (at least on Windows) because Windows uses your session logon information to decrypt the passwords. Not logged on? Your passwords are secured. Yay!

Doomed anyway? (1)

Anonymous Coward | about a year ago | (#44498755)

If someone has physical access to my (unlocked) account I'm doomed anyway - he/she could install all sorts of backdoors or keyloggers trivially.

Re:Doomed anyway? (0)

Clsid (564627) | about a year ago | (#44499099)

If you use something like keepass you are protected against stuff like that. And let's not forget that if you have any sort of updated antivirus, it will at least prevent a lot of keyloggers that script kiddies use from being installed. In any case, that is not an excuse to have Chrome store plain text passwords. This was solved in Linux ages ago.

Should I stop locking my doors too? (1)

Anonymous Coward | about a year ago | (#44498765)

The main argument seems to be that if a malicious user is able to access the unlocked operating system then, one way or another, they're going to be able to retrieve the stored passwords. While this may be true, that doesn't mean it should be made so easy that my grandmother could stumble across my entire list of saved passwords by accident.

Re:Should I stop locking my doors too? (1)

icebike (68054) | about a year ago | (#44499191)

Then just log out, for Pete's sake?
How hard is that?

People actually do that? (0)

Anonymous Coward | about a year ago | (#44498777)

You mean there are people who actually use the "save password" feature in their browsers? Wow. Just Wow. I was under the impression that feature was more of a joke for noobs.

Re:People actually do that? (0)

Anonymous Coward | about a year ago | (#44498971)

Your neckbeard must be very intimidating.

Re:People actually do that? (1)

lister king of smeg (2481612) | about a year ago | (#44499065)

Yeah, I use it for sites I don't care about losing the password to, like my account needed to comment on Popular Science or Gawker sites; I don't really care if they are compromised. Slashdot's password is not saved and neither are my email accounts' passwords. A large problem is that every site under the sun wants you to register an account just to make one comment, so people's minds become inundated trying to remember dozens of passwords they rarely ever use.

Re:People actually do that? (1)

icebike (68054) | about a year ago | (#44499291)

And your super secure scheme is WHAT?

list of passwords under the lamp?
Single common password
Single common password with a site specific appendage?
Log into every site via the oh-so-secure Facebook authentication proxy?

Log into only Slashdot and always post as AC?

Master password? (1)

coder111 (912060) | about a year ago | (#44498781)

I don't use Chrome much, but is there a master password that you can set?
If there is no master password, then no matter how the data is stored, it's as safe as plain text anyway. Even with master password, dictionary attacks will get you quite often.
And you can transfer/import/export the data encrypted with master password between different installations without decrypting it.

--Coder

Why is this making news? (3, Funny)

vawwyakr (1992390) | about a year ago | (#44498785)

I've seen this on several sites, is this news to anyone?? Did you miss it many years ago when this was added? You know what, when someone is physically on my machine while it's logged in, they can also send emails from my account!! It's just right there ready to go! We need to do something about this!

Re:Why is this making news? (2)

gstoddart (321705) | about a year ago | (#44498851)

You know what, when someone is physically on my machine while its logged in, they can also send emails from my account!!

If it's sitting there in plain text for anybody to get, what's to prevent a malicious web-page from asking for it?

Or are we meant to believe they made it trivial to access from the machine, but have put in super-duper security around accessing it from within the browser? Because I'm not buying that.

Re:Why is this making news? (0)

Anonymous Coward | about a year ago | (#44498973)

It's sitting there in plain text for anybody with _physical access_ to the machine to get. So no, any website can not access it, but anybody on the machine can.

Re:Why is this making news? (1)

gstoddart (321705) | about a year ago | (#44499123)

It's sitting there in plain text for anybody with _physical access_ to the machine to get

Right, and exploits have never allowed people to access local files they're not supposed to. Nosiree, it's iron clad and has a perfect track record.

So no, any website can not access it, but anybody on the machine can.

Well, you can choose to believe that -- me I'll treat browsers like an untrusted entity in which stuff like that can bleed out in ways nobody planned for. We already know that cross-site cookies can be a problem.

Knowing that all those tasty passwords are sitting in a known place and unencrypted makes it a really nice target. So I'll just not put those passwords there to begin with, and cut out a possible threat. How you handle that, well, that's your problem.

Re:Why is this making news? (1)

jader3rd (2222716) | about a year ago | (#44499163)

It's sitting there in plain text for anybody with _physical access_ to the machine to get. So no, any website can not access it, but anybody on the machine can.

That's assuming that there's no security holes in Chrome. But there could be a security hole which will then make it so that the computer can't distinguish between a user with physical access and a program running.

Re:Why is this making news? (0)

Anonymous Coward | about a year ago | (#44499307)

I think a lot of people would be satisfied if it would simply be encrypted with your google account password. or passphrase that you use for synchronization. Also, that UI should ask for said password or passphrase to show these passwords.

All browsers store their passwords in plaintext (1)

Anonymous Coward | about a year ago | (#44498787)

If it really bothers you, encrypt your browser's settings files with your operating system's filesystem encryption feature.

Re:All browsers store their passwords in plaintext (1)

icebike (68054) | about a year ago | (#44499335)

Then go out for a celebratory beer.
And forget to logout of the account in your rush out the door.

Same problem.

They can't get through... (0)

Anonymous Coward | about a year ago | (#44498821)

... because my windows 7 has password!!

8)

Hmmm... (1)

Anonymous Coward | about a year ago | (#44498833)

Anybody notice Justin's LinkedIn profile? See any interesting prior employers? You guessed it.

And this is why real IT professionals... (1)

chemosh6969 (632048) | about a year ago | (#44498853)

look down on web developers.

Re:And this is why real IT professionals... (0)

Anonymous Coward | about a year ago | (#44499171)

Browser vendors are not web developers.

Seems silly.. (2)

segfault_0 (181690) | about a year ago | (#44498881)

Why complain about this? If you're storing your passwords in your browser, I'm not sure how this qualifies as being significantly worse -- they can already just sit down at your browser and change your passwords, which is worse since it locks you out of your own account.

Just don't save passwords if you can't secure your workstation; I think that is common sense.

Re:Seems silly.. (1)

The MAZZTer (911996) | about a year ago | (#44499165)

Anyone can secure a workstation. It's easy, there's really no excuse. Press Win+L. Really. Do it now if you haven't done it before and prepare to be amazed at technology.

This is also the case for Ubuntu (0)

Anonymous Coward | about a year ago | (#44498891)

Unless you put a master password on the keyring, anyone can view your saved passwords in cleartext with little trouble.

Is this part of Google/NSA collaboration? (1)

ron_ivi (607351) | about a year ago | (#44498917)

With the recent leaks about how Google cooperates with government surveillance, I almost wonder if blatant weaknesses like this are by design. Sad when what should be outlandish conspiracy theories sound tame compared to what it's revealed they're already doing.

Re:Is this part of Google/NSA collaboration? (1)

gstoddart (321705) | about a year ago | (#44499217)

With the recent leaks about how Google cooperates with government surveillance, I almost wonder if blatant weaknesses like this are by design

It may not be that way by design, but it's certainly a possibility to be exploited.

Imagine if the government went to Google and said "you need to add secret code which uploads these user/passwords to us so we have them".

Google may not be directly part of a conspiracy like this, but I see no reason to keep acting like they couldn't be forced to or might not occasionally have one of their 'lapses' like when they collected all of people's wi-fi information -- sometimes hubris is as dangerous as malicious intent.

If you don't entrust them with the information, they can't become the source of someone else getting their hands on it.

Passwords have to be in the clear anyway (4, Insightful)

Todd Knarr (15451) | about a year ago | (#44498919)

Passwords have to be stored in a decryptable form, because the browser needs them decrypted to fill in the password fields or to respond to HTTP authentication responses. That means that any malware with access to the browser can get those passwords in decrypted form too. A master password doesn't help, the malware can just get the passwords after I've entered the master password to decrypt them for use (assuming it can't just get the master password when I enter it). The only thing encrypted password storage really protects against is someone with access to the physical storage media but not the running system, or essentially stolen mobile devices (phones or laptops). On those you probably shouldn't be storing passwords at all, because any reversible encryption is too easy to crack using off-line attacks with modern hardware.

It's similar to my objection to the old "don't write down your passwords" thing: the risk of a remote attack against easy-to-remember passwords is much higher than the risk of an attacker physically getting into the locked drawer of my desk in the locked area of the secured and patrolled building my office is in, and if the attacker has gotten into the locked drawer in my desk I've got much bigger security worries and the attacker has much juicier targets he can go after.
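As an added illustration of the trade-off described in the post above (not code from the original thread or from any browser vendor), the following stand-alone Python script models a master-password-protected store: the on-disk blob is unreadable without the master password, but once unlocked the entries are plain Python strings in process memory, which is exactly what anything running as the same user can read. Key derivation uses PBKDF2 from the standard library; the HMAC-SHA256 counter-mode keystream and encrypt-then-MAC tag are an illustrative construction chosen so the script has no third-party dependency (a real store would use a vetted AEAD such as AES-GCM). Site names and passwords are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# PBKDF2 work factor: the only thing standing between an attacker who copied the
# file (the stolen-laptop case in the post) and an offline guessing attack.
KDF_ITERATIONS = 100_000


def derive_keys(master_password, salt):
    """Derive independent encryption and MAC keys from the master password."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a keystream (illustrative, not a
    standard cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_store(entries, master_password):
    """Serialise a {site: password} dict into an encrypted, authenticated blob."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    # Encrypt-then-MAC over everything an attacker could modify on disk.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def unlock_store(blob, master_password):
    """Verify the tag, then decrypt. A wrong master password yields a different
    MAC key, so the tag check fails before any plaintext is produced."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered store")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, stream))
    # From here on the passwords are plaintext in this process's memory.
    return json.loads(plaintext)


def on_disk_reveals_secret(blob, secret):
    """Check whether a secret appears verbatim in the stored blob."""
    return secret.encode() in blob


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    sample = {"blog.example.test": "correct horse battery", "shop.example.test": "staple"}
    blob = lock_store(sample, "a long master passphrase")
    print("secret visible on disk:", on_disk_reveals_secret(blob, "correct horse battery"))
    print("unlocked entries:", unlock_store(blob, "a long master passphrase"))
```

The script shows both halves of the post's argument: `on_disk_reveals_secret` is false for the locked blob, so the media-theft case is covered, while the dict returned by `unlock_store` is exactly the decrypted material any code running in the same session could read after the user types the master password.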

Re:Passwords have to be in the clear anyway (0)

Anonymous Coward | about a year ago | (#44499281)

You (and most of the other comments so far) are completely missing the point of the original complaint. This isn't about malware or hackers, it's about letting a friend or stranger use your device for a moment to lookup a meeting room number, a store location, call someone because they locked themselves out, etc... By having all stored passwords easily readable after a couple quick clicks, the friend/stranger can easily view the passwords without the user knowing and attack/blackmail/prank/whatever the user later at any time in the future on multiple accounts.

If there was a master password option, then the friend wouldn't be able to view the passwords.
If the passwords weren't visible, then it would take the friend too long to visit every auto-login site and reset its password. The user would notice the friend trying to log into all of his/her sites and would notice when their current password suddenly stopped working (unless they have their password store automatically synced across all devices and browsers. Then you'd never know if someone changed your password and compromised your actions as the compromised passwords will be synced with everything without you knowing).

This has nothing to do with hacking or malware. It's a complaint about a common, real world usage security risk that is easily preventable through a minor software change. As a college student, I see people sharing devices and/or quickly letting other people use their computer accounts to print a page every day.

Incorrect title (1, Insightful)

LordKaT (619540) | about a year ago | (#44498939)

Title should read: "Elliott Kember's Insane Password Security Strategy"

Seriously, why are you storing passwords, at all? Unless you're storing them on in an encrypted space of some kind that requires two-factor authentication you shouldn't be storing passwords at all (and even then I really question your sanity).

Hmm, doesn't show them for me (1)

medv4380 (1604309) | about a year ago | (#44498955)

Maybe it's that I've never imported passwords from another browser, going to chrome://settings/passwords as suggested doesn't show any plain text passwords for me. It only shows a few sites anyways on this machine. I'm fairly sure Chrome on my Linux box at home is using a different method since Chrome prompts for my password file password just for opening up the browser because I have the password file password different from my login password.

trollkOre (-1)

Anonymous Coward | about a year ago | (#44498989)

then disappeared 7olatile world of lat:er seen in

Reminds me of this conversation.. (1)

Anonymous Coward | about a year ago | (#44498997)

New Dev Team: "The password for automatically accessing the remote server is in plain text!!! We need to encrypt it to make things more secure!!!!"
Old Dev Team: "But it is only root readable. And where will the keys for this encrypted password be stored?"
New Dev Team: "We'll put them somewhere only root can get to."
Old Dev Team: "How does an extra layer of work for us make things more secure?"
New Dev Team: "It's encrypted!"
Old Dev Team: "You suck."

Physical access... (0)

Anonymous Coward | about a year ago | (#44499001)

"For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek all the passwords in clear text very easily with a couple of mouse clicks."

Good thing I restrict physical access to my machines and devices with passwords...problem solved for me.

Kember is wrong (0)

Anonymous Coward | about a year ago | (#44499003)

It's not a vault you put passwords in but can't get them out of. And PWs have to be accessible as plaintext to send them to sites. There doesn't have to be a UI to view them, but hiding plaintext from the UI isn't a security measure since you could always write a tool to dig into Chrome's files, which would lead to Slashdot carping about how it's security by obscurity or Google locking up your data.

As others mention, encouraging folks to use a master pass or something could be nice, as could a LastPass-style thing inside Chrome. More two-factor auth could be even better. But having plaintext accessible is a sane design, like the Chrome guy says.

about:settings/passwords (0)

Anonymous Coward | about a year ago | (#44499009)

Couple of mouse clicks? Open a new tab and type about:settings/passwords (and then somehow press the return key). Look everyone!

Similar argument about Maemo's messaging (1)

GameboyRMH (1153867) | about a year ago | (#44499055)

Maemo's messaging app stores passwords in a plaintext file, some users found it and wanted it obfuscated to at least make them non-trivial to retrieve. The Maemo devs argued that obfuscation would be better at lulling users into a false sense of security about what is stored than thwarting those who want to access it maliciously.

It's only for blogs (1)

GWBasic (900357) | about a year ago | (#44499057)

And this is why storing passwords should only be used for things like blogs. It shouldn't be used for things like banking.

Start locking your computer when you walk away from it.

Google's rationalization is ridiculous (1)

JoeyRox (2711699) | about a year ago | (#44499131)

Google's rationalization that the system is already insecure if someone else has physical access to it is absurd. That's like saying it's ok for a bank to leave everyone's money on the counter overnight because if someone breaks in then that same person can easily break into the vault, which is obviously not the case. Computer systems should have multiple levels of protection as well.

Next "Insane Password Security" issue here: (1)

Wrath0fb0b (302444) | about a year ago | (#44499139)

... will be that the user can tamper with the SSL root certificates (or just add her own) and trick Chrome into giving up the password to a locally-hosted web server presenting an apparently-valid cert for the target domain.

In order to remedy this, Chrome must adopt the policy of asking the server to pinky-swear that they are really the named entity.

Seems like an easy fix (0)

Anonymous Coward | about a year ago | (#44499193)

Seems like an easy fix: give the user an option to log into their Google Account when they start Chrome combined with the option not to store any passwords or bookmarks locally. Google is pushing the whole cloud-syncing of user data in a big way anyway, it doesn't seem like Google would lose much ditching the local storage for users who care about this.

Re:Seems like an easy fix (1)

fullmetal55 (698310) | about a year ago | (#44499341)

Easier fix.. don't click the "Save my password" button... yeah it's hard to remember them all, but you know what, saving your password anywhere is a major security problem. This is no different than having your password on a post-it note stuck under the keyboard...

and in a shared computer situation... you're just asking for trouble saving your password...

It's a lazy solution to a problem that nobody has really come up with a good fix for, remembering passwords to various sites. Heck, for infrequently used sites, I tend to just click "I forgot my password" and get a new one emailed to me. For more frequently used sites, I have a mental package of 10 passwords that it could be. I know them all by heart, and I cycle through them. Usually I'll remember which one is for which site.

My browser (Chrome) (0)

Anonymous Coward | about a year ago | (#44499273)

Chrome stores its data in user space which is encrypted at the file-system level by my operating system, Windows. I don't use Apple products so I'm not seeing a problem for myself, just Apple users(?).

Just use LastPass (1)

Virtucon (127420) | about a year ago | (#44499279)

Done.
