Google Chrome security flaw offers unrestricted password access

theguardian.com

42 points by sstarr 13 years ago · 94 comments

tptacek 13 years ago

This is embarrassing. What The Guardian (and, earlier, HN) is describing simply isn't a security flaw; rather, HN appears to have had a mild temper tantrum over the lack of a cosmetic "security" feature that, had Chrome implemented it, could have just as easily led to another temper tantrum over how easy it is to bypass.

  • interpol_p 13 years ago

    I am unsure why Chrome does not ask for the master password when the user attempts to reveal the plaintext for a password. Safari does this and it works.

    This is a big deal because it makes reading passwords easy to do in seconds, and easy to do inconspicuously.

    If you were to modify the DOM to unmask passwords it would take longer, and it's not something you can do while a co-worker or friend lends you their laptop for a minute. This flaw presents additional opportunity to anyone who wants to read another person's passwords.

    It is not merely "cosmetic." It actually presents a real problem for anyone who does not logout of their account every time someone else uses their computer. Sure, this is probably best practice — but it is also insulting, inconvenient and an unrealistic expectation.

    If I have unrestricted access to your machine, your passwords are compromised. Fine. But this is not a common or realistic scenario. It is far more likely I am using your machine with you, and then you walk out for 20 seconds to get a glass of water.

    • tptacek 13 years ago

      It does not work. It is a cosmetic security feature. If you don't log out, the next unauthorized user owns your account. You obviously know that. You're talking about a security feature based entirely off the incompetence of attackers. Why not also recommend that Chrome "Base64 encrypt" passwords? That will stop approximately the same set of attackers as the lack of a master password feature will.

      • interpol_p 13 years ago

        It does work.

        Security is about far more than preventing determined, malicious attackers. It is also about being able to use your computer in a work or family environment with a reasonable expectation that your privacy will be maintained without explicit effort on your part.

        You call them "attackers" but that is not who we are discussing. We are talking about people being able to casually browse your saved passwords, perhaps without even the intent to attack (maybe they just want to see what your passwords are).

        Nor is this about the "incompetence of attackers." As soon as you add an extra step — such as requiring a master password to show a particular instance of a saved password — you increase the breach of trust required for a friend to violate your privacy. And it's not simply whether you trust someone or you don't, there are levels of trust between friends.

        I have some friends that I would trust not to attempt to defeat my security, but I would not trust them not to casually browse my passwords. In this instance I would be safe with Safari but not with Chrome. See the difference? Chrome could easily implement Safari's solution for this and be better for it. Why defend the inferior design?

        • tptacek 13 years ago

          I'm sorry, but I feel like I've had this pointless, silly debate my whole career, starting with comp.security.unix, continuing through my brief time working with OpenBSD and 90's Bugtraq, and through about a decade of helping startups with software security, and I've lost a lot of my patience for it.

          Security is measured in dollars; it is about the cost you confront your adversary with. Chrome has sunk many millions of dollars into blunting attacks that cost 6, 7, sometimes 8 figures. You're up in arms about a security measure that would add pennies (if that) of attacker cost. Justin and his team (rightly) observe that in return for the pennies of extra effort the feature you're demanding would add, they also incur a real risk that users will feel safer leaving their accounts unlocked. As you've already acknowledged repeatedly, if they do that, it costs pennies to get all their passwords.

          There are all sorts of stupid extra steps you can add to make things harder for computer-illiterate attackers to compromise your accounts. Like I said, you could also Base64-encrypt the passwords. Or ROT14 them. Or Base64 and ROT14 them. How about you turn that into a round function and write the Base64+ROT14 Feistel network? That'll surely dissuade someone, somewhere from capturing passwords.

          You will no doubt be able to come up with a 4 paragraph response to this comment. In ~20 years, I've never been able to deliver a killing blow in this stupid debate.

          • teaneedz 13 years ago

            What are considered stupid extra steps by some, others may consider to be deciding factors for using a product or not. The user experience in this case requires a fix regardless of what you may consider a penny solution value. Ownership of the UE often means choosing penny solutions along the way.

          • interpol_p 13 years ago

            You have completely missed the point. This issue does not relate to malicious attacks. It is about the intent required for a friend or co-worker to breach your trust.

            Chrome lowers the barrier and makes access casual where other systems require a stronger level of intent. That's the problem. I have no idea why you are defending this behaviour.

            • tptacek 13 years ago

              So again: they should display an FBI warning, just like they do on DVD movies.

              • interpol_p 13 years ago

                Securing the password page is not remotely similar to an FBI warning on a DVD.

                One requires a bit of manual effort and thought to get over for the casual user, the other becomes ignored by the casual user.

        • Arzh 13 years ago

          Because no matter what, you can just go to the website and be logged in automatically. Once you let someone else use your computer you are no longer secure. This is why if you have multiple people using the same computer, you set it up to have multiple users. Once they are using YOUR instance of chrome it doesn't matter, they have everything.

          • interpol_p 13 years ago

            There's a significant difference in the intent required between browsing someone's password settings and actually attacking their computer. This is important.

            I'm not discussing malicious attackers, I'm not even discussing someone who is out to get your password. Chrome makes it possible, in seconds, for someone to reveal your passwords as a crime of opportunity.

    • Amadou 13 years ago

      It is far more likely I am using your machine with you, and then you walk out for 20 seconds to get a glass of water.

      You are presuming a specific environment and an attack specific to that environment.

      At first glance, it may look like adding the extra complexity of a password through the obvious user-interface path improves security. But that assumes there are no costs. In this case the cost is a false sense of security - such that all other attack vectors are still just as open and now the user is less aware of them.

      The user would be better off having the 'vulnerability' rubbed in their face so that they would learn to take measures like locking the screen whenever they walk away. That way when someone gets physical access for 5 minutes instead of 20 seconds, the passwords are still just as safe.

      • interpol_p 13 years ago

        If Chrome was concerned about your sense of security it would inform you that all your saved passwords are clearly readable in plaintext at chrome://settings/passwords. It would do this each time it saved a password. It does not do this because you would be less likely to trust Chrome with your passwords if it did that.

        So Chrome wants you to feel secure and give you convenience. Either it makes some attempt to prevent casual password access or it informs you that your passwords are casually available. It can't have it both ways.

        I agree that the user would be better off having the vulnerability rubbed in their face but Chrome does not do that.

        Edit: You also need to take into account intent and the emotion of the user accessing the passwords. The system currently implemented in Chrome makes it easy to peek at someone's passwords without malicious intent. If you simply had to overcome some hurdles it would make most people stop and think about what they are doing because it is a breach of trust. We're not talking about stopping determined attackers.

        Edit 2: Also, I presume that specific environment because it is the environment I work and live in every day. We bring our personal laptops to work, we debug code on each others' machines, and we occasionally step out of the room. Sometimes at home I take a friend's laptop to look something up, sometimes I lend mine. I think these are common scenarios for computer users (though admittedly I have no evidence for this).

        • rmc 13 years ago

          It would do this each time it saved a password.

          And that's the logic behind Clippy. "It looks like you're saving a password? Did you know that if you go to chrome://indecipherable/arcane/nonsense/ all your passwords are visible? Click [OK] to agree"

          What do you think about the recent EU/UK cookie law? You're basically suggesting that for password.

        • danielweber 13 years ago

          I've talked to my less-technical relatives who use browsers, and they've all known that saving passwords means that someone who gets access to their computer means they get access to their accounts and/or passwords.

          Not everything is black magic and dark arts.

          • interpol_p 13 years ago

            I showed two developer friends at work today the ease with which I could recover their Chrome passwords. They were both surprised that they were clearly visible on the settings page.

            Both have since stopped storing passwords in Chrome.

            Both developers expected their Keychain password to be needed before unmasking their stored passwords. It shocked them that this was not the case.

            A better fix for this would be to require the Keychain password before showing all passwords. There is no harm in doing this.

        • voyou 13 years ago

          When you save your passwords in Chrome, it tells you that it's saving your passwords. If you don't think that that implies that the passwords will be retrievable at a later date, I don't think you understand what the word "save" means.

          • interpol_p 13 years ago

            Safari also tells me it is saving my passwords. Yet to explicitly unmask my passwords from the settings screen at a later date it requires my Keychain password.

            They both use the word "save" to denote this functionality.

            I don't think you understand why this difference in behaviour is important.

            • wglb 13 years ago

              So do you expect the browser to prompt you for the master password each time it is about to autofill credentials on a web page?

              • interpol_p 13 years ago

                No, and that is because there is a significant difference between a user unmasking the password through DOM manipulation and browsing a settings page. Please realise that the former behaviour requires more malicious intent.

                I expect some level of security to stop people browsing my passwords casually, which Chrome allows in its current design.

                I am not talking about fending off determined attackers, I am talking about levels of trust that you place in friends and coworkers. Chrome lowers the barrier-to-access by design.

                The simple fact is: there are people I would trust using my computer who would never actively try to circumvent my security to read my passwords, but I would not trust them not to take a peek at my Chrome settings page passwords.

        • Amadou 13 years ago

          If Chrome was concerned about your sense of security it would inform you that all your saved passwords are clearly readable in plaintext

          I completely agree with that, I think that would be a much more useful fix.

        • interpol_p 13 years ago

          To rmc:

          > And that's the logic behind Clippy.

          No, it absolutely is not. Chrome already asks and informs you that it is saving your password. It asks each time it saves a password. It already does this. It would simply be an additional line of information in a step that you already have to confirm by clicking "Ok".

          • dragonwriter 13 years ago

            Every additional "line of information" in a pop-up notice reduces the probability that any of it will be read.

            • interpol_p 13 years ago

              Right. So the better option is to secure passwords slightly by default. I suggested the additional information for those that feel that securing passwords is "lulling users into a false sense of security".

              Either you make some attempt to secure the passwords, or you let your users know that they are readable in plaintext. Don't do neither, like Chrome is doing.

    • Hello71 13 years ago

          javascript:var a=document.querySelectorAll("input[type='password']");for(var i=a.length-1;i>=0;i--){a[i].type="text"}void 0

      • interpol_p 13 years ago

        You will have to do that for each site you want passwords for, after they have been autofilled (whereas Chrome gives you a convenient list of all saved passwords). It is also a far more technical method than most people are comfortable with. Slower and more difficult, thus less likely to happen casually.

        There is also a significant difference in feeling between the two methods. Your suggestion requires far more intent than visiting the settings page. This is important.

        We are not talking about defending yourself from a malicious attacker, we are talking about the moments when you pass your computer to a friend so they can look something up. They can now look up your passwords conveniently and without feeling too bad about it.

        • carlosrg 13 years ago

          Exactly. Comparing that javascript with the Chrome situation is just ridiculous. It seems people here are too narrow-minded to understand that even my mother could get a list of all the passwords stored in a computer in 10 seconds.

          • tptacek 13 years ago

            "Even my mother"? So what? Both Firefox and Chrome are, when left on an unlocked user account, completely exposed to the scariest classes of attackers. But Firefox has taken a cosmetic step to minimize its exposure to the least scary class of attackers. Why bother?

            • astalwick 13 years ago

              Because the 'least scary class of attackers' represent the vast majority of potential attackers. This feature makes it trivial for a user error (not locking your desktop) to leave your passwords immediately visible to anyone that walks by.

              Yes, this is cosmetic and anyone with sufficient technical knowledge can still get the passwords without the chrome:settings page, but this feature widens the pool of capable attackers to absolutely everyone.

              • tptacek 13 years ago

                If you leave your machine unlocked, you have made it trivial for someone to steal your secrets no matter what Chrome does.

                • astalwick 13 years ago

                  Degree of difficulty matters. The technical ability of the attacker matters.

                  With this feature, it's trivial for absolutely anyone to steal my secrets in seconds.

                  Without this feature, the time-to-compromise goes up, as does the technical knowledge required. The degree-of-difficulty (which, yes, is still low), goes up.

                  It is cosmetic, but INTERFACE MATTERS. If you don't want people doing something, don't have a feature that makes it trivially easy.

                  Hell, if chrome devs really aren't going to do anything at all about this, then a better solution here would be to bring the button to the FRONT of the interface. 'View All Passwords', right beside the 'back' button, navigates you to a raw txt file of websites and passwords. Then, at least, there would be no excuse, no naive assumption that chrome is doing SOMETHING to protect your passwords.

                  • tptacek 13 years ago

                    Yes, degree of difficulty matters. We don't disagree on that. It's the fundamental rule of security.

                    What we disagree on is the specific degree in this case. You think it's significant. I know it's not. Chrome's security design is denominated in thousands of dollars. This is a penny feature, and one with potential liabilities; it could cost more than it benefits.

                    • astalwick 13 years ago

                      With the feature, I can explain to my mom, my girlfriend, my sister how to steal passwords from any chrome browser. In a way that they will remember and be able to repeat tomorrow.

                      Without it, I can't.

                      That matters.

                      • tptacek 13 years ago

                        I am not interested in security features that work only against my mom, and you shouldn't be interested in them either.

                        • astalwick 13 years ago

                          So, but, really: I am interested, as are a lot of other people. Hence the gnashing of teeth.

                          I'm not thrilled by the security community's black-and-white stance that if it can't stop a defcon attendee, then it's not real security and it's not worth doing.

                          If my mom can be stopped, and it's simple to stop her, then I really don't get the resistance. 'False sense of security'? Yeah, that ship has already sailed. That's why the Guardian is writing articles like this - people are surprised to learn HOW trivial it is to steal passwords in chrome.

                          • tptacek 13 years ago

                            You make it sound like that stance is elitist, but it's the opposite: it's our knowledge of how easy it is to get the level of "Defcon Attendee" that motivates us not to implement cosmetic security features.

                            • astalwick 13 years ago

                              But it's not. Not THAT easy. I'm a developer, with a fair bit of experience, and I'm nowhere near the average defcon attendee. (Unless I'm badly overestimating their abilities).

                              My mom? She asked a shop owner, two days ago, 'do you have a, uh, online thing? You know, with the pictures?'

                              And yet, "Mom, experiment: type 'chrome://settings/passwords' in my browser and see how many passwords you can steal in 60 seconds".

                              • tptacek 13 years ago

                                You are badly overestimating their abilities, for instance by assuming that the typical Defcon attendee can code. We're talking past each other. Just take my word for it that bypassing the proposed "master password" is even easier than I've managed to make it sound.

                    • interpol_p 13 years ago

                      Can you please explain the potential liabilities for making Chrome work the same way Safari does when attempting to reveal passwords? (I.e., ask for the Keychain password before unmasking.)

                      To me this would be a great solution and would improve Chrome's user experience. I am unsure why the strong argument against this.

                • interpol_p 13 years ago

                  Leaving your machine unlocked for 30 seconds versus 5 minutes is a big difference to some people. Chrome makes password access within the former time limit a more distinct possibility.

                  Having someone able to casually browse your passwords versus intending to attack your system and breach your trust to get them is a big difference.

                  Can you not see that Chrome lowers social and emotional barriers to password access by presenting them in this form? That is the concern here.

          • rmc 13 years ago

            Your mother knows about chrome:// URLs? Most mundane/non-technical people I know don't know about URLs at all? My mother still types "www.facebook.com" into the Google search bar on google.com.

  • tptacek 13 years ago

    Here are other opportunities Chrome has missed:

    * An FBI warning, like they have on DVDs, explaining the penalties for stealing user passwords.

    * Automatically generate word-search puzzles like on the backs of chain restaurant kids menus, so that 5 year olds will have a harder time recovering passwords.

    * Since most of the "attackers" the master password would block are probably senior citizens, typeset the passwords in a 7 point font.

    * Since all of the "attackers" who would be thwarted by a Chrome master password are computer illiterate, make users answer a basic computer literacy quiz before showing them the password. You should have to be able to explain the difference between a library function and a system call when you push the "reveal password" button.

    Note to The Guardian: I have at least 10 more similar "major security flaws" in Chrome (I gave up some more, like the red-green colorblind attacker countermeasure, on Twitter --- but I assure you I have 10 more) that I'm willing to disclose to you, and I assure you that you'll be able to find someone else on the Internet to give you quotes for your article about how terrible it is that Chrome has those flaws.

  • carlosrg 13 years ago

    It is a security flaw, and a big one. The only embarrassing thing here is Google's employees attempts at downplaying this.

    And please explain how to bypass Safari password manager, or 1Password, or any password manager with a master password, if you believe it's only a cosmetic feature.

    • mechanical_fish 13 years ago

      Justin Schuh had a nice capsule summary of some available techniques for compromising logins:

      https://news.ycombinator.com/item?id=6166731

      - dump all your session cookies

      - grab your history

      - install malicious extension to intercept all your browsing activity

      - install OS user account level monitoring software

      The last one could plausibly work, in combination with "grab a copy of the encrypted 1Password key file", to compromise all the 1Password stuff. The others essentially work around 1Password, or so I believe.

      This is why there are certain passwords that I don't even store in 1Password. It's also an argument for two-factor auth.

      • carlosrg 13 years ago

        None of these are comparable to having a full-featured, user friendly GUI to grab all your passwords accessible with a simple "chrome://settings/passwords".

        • tptacek 13 years ago

          Why, because you feel safer if the attacker is at least required to understand how computers work? That doesn't make me feel safer at all.

    • shinigami 13 years ago

      You bypass a password manager the same way you bypass Chrome. Just open it. If someone left the PC unlocked, there is a good chance the password manager is unlocked too.

      • teaneedz 13 years ago

        As far as I'm used to, you have to enter a password still for a PW manager.

        • shinigami 13 years ago

          There is a timeout. Some people configure it to lock only when you lock the workspace.

          If the suggestion is to lock immediately after you use a password, then people will complain that it's too cumbersome to enter the master password every time you need to enter a password.

      • carlosrg 13 years ago

        Nope, that's not true. Anyway, I'm done with this discussion. Google fanboys can keep using Chrome and trying to defend this bullshit, I don't care. Personally I'm done with Chrome until they fix this.

        • tptacek 13 years ago

          How you know it's a serious, well-thought-out, easily supportable position being argued for is that it's capped off with the accusation that people who disagree are "Google fanboys".

  • cliveowen 13 years ago

    Amen to that.

cclafferty 13 years ago

I think Chrome's implementation of security is flawed. If you stop thinking about this security as being a switch which is on or off and instead as a granular scale then you'll agree that Chrome's password handling is as low on that scale as possible. Now just so you know, I'm agreeing that Chrome can't fully lock down your passwords and I'm OK with the reasons why (convenience), but they're doing something wrong here, they're not looking at the in-between.

The difference I see is if my spouse or boss wanted to look at my passwords they could, easily. I'm not OK with that. Now, tell me they have to install a trojan, a virus or some other software first to get access to my passwords and that's a level of safety which stops my boss. My boss won't have the technical know-how to do it. My spouse could be looking just out of curiosity, the smallest roadblock would stop them. Chrome's implementation makes it easy for anyone to see passwords and that's just wrong!

The length of time anyone will have access to an unsupervised machine plays a role here. It shouldn't take 5 seconds of pointing and clicking that my gran could do to reveal all my passwords. It should take someone more effort!

smtddr 13 years ago

I don't think it's fair to call something a flaw because you disagree with it. Google didn't do this by accident. It's a very purposely designed feature that apparently a bunch of HN-folks just learned about and strongly disagree with. Also, Firefox does this too...

And for the record, when I saw this feature 2 years ago I disagreed with it too - but it's not a flaw.

  • joekrill 13 years ago

    I absolutely agree. Although Firefox at least gives you the ability to set a master password to add additional security. Chrome does not.

    • tptacek 13 years ago

      They deliberately do not, because that password doesn't solve any security problems, but does communicate to users that Chrome is doing something to protect their account that it doesn't and can't do.

      Firefox should lose the feature.

      • EliAndrewC 13 years ago

        Can you clarify why the master password isn't offering any protection? It encrypts your other passwords so that they are not stored in plaintext on the filesystem; this alone seems like it's offering a little security, since my (perhaps mistaken) assumption is that it's more likely for someone to be able to read a file on your filesystem than to read in-memory passwords stored in RAM.

        EDIT: Your other comment at https://news.ycombinator.com/item?id=6173111 probably explains your view on this; that there are few attacks in practice which would be thwarted by encrypting passwords at rest, and that the false sense of security on the part of the user would be disproportionately high.
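The distinction EliAndrewC raises, a store that is reversible with no secret versus one sealed under a key derived from a master password, as an added illustration that is not code from the thread or from any browser: the cipher is a toy HMAC-SHA256 counter-mode construction standing in for a real AEAD such as AES-GCM, and the file format, field names and sample logins are constructed. It also shows the caveat argued above: once the store is unlocked, every password is plaintext in memory, so an unlocked session exposes them regardless.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Toy illustration of the two designs argued over in the thread: a password store
# that is reversible with no secret at all, versus one sealed under a key derived
# from a master password. The cipher below (HMAC-SHA256 in counter mode plus an
# HMAC tag) is a stand-in for a real AEAD such as AES-GCM; the file format, field
# names and sample entries are all constructed for this example, not any browser's.

PBKDF2_ITERATIONS = 200_000


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 32-byte key; the salt is stored with the file."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for the keystream and the tag so the two uses never share inputs.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag lets a wrong master password be rejected."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("sealed store is truncated")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered store")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def save_store(entries: list, master_password: Optional[str] = None) -> bytes:
    """Serialise the saved logins; with no master password the file is readable as-is."""
    if master_password is None:
        return json.dumps({"protected": False, "entries": entries}).encode("utf-8")
    salt = secrets.token_bytes(16)
    blob = seal(derive_key(master_password, salt), json.dumps(entries).encode("utf-8"))
    return json.dumps({"protected": True, "salt": salt.hex(), "blob": blob.hex()}).encode("utf-8")


def load_store(data: bytes, master_password: Optional[str] = None) -> list:
    """Unlock the store. Caveat from the thread: once this returns, every password is
    plaintext in memory, so an unlocked session is still fully exposed."""
    doc = json.loads(data)
    if not doc["protected"]:
        return doc["entries"]
    if master_password is None:
        raise PermissionError("store is sealed; a master password is required")
    key = derive_key(master_password, bytes.fromhex(doc["salt"]))
    return json.loads(open_sealed(key, bytes.fromhex(doc["blob"])).decode("utf-8"))


def passwords_readable_on_disk(data: bytes, entries: list) -> bool:
    """True if every saved password appears literally in the file bytes, i.e. anyone who
    can read the file (or a settings page backed by it) sees them without any secret."""
    return all(e["password"].encode("utf-8") in data for e in entries)


# Constructed sample logins, not real credentials.
SAMPLE_ENTRIES = [
    {"site": "https://mail.example.test", "user": "alice", "password": "correct horse battery"},
    {"site": "https://bank.example.test", "user": "alice", "password": "Tr0ub4dor&3"},
]

if __name__ == "__main__":
    plain = save_store(SAMPLE_ENTRIES)
    sealed = save_store(SAMPLE_ENTRIES, "master-passphrase-example")
    print("plaintext store leaks passwords:", passwords_readable_on_disk(plain, SAMPLE_ENTRIES))
    print("sealed store leaks passwords:   ", passwords_readable_on_disk(sealed, SAMPLE_ENTRIES))
    print("unlocked:", load_store(sealed, "master-passphrase-example") == SAMPLE_ENTRIES)
```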

ycitm 13 years ago

> The fact you can view the passwords means they are stored in reversible form which means that the dark coders out there will be writing a Trojan to steal that password store as we speak.

Surely they have to be reversible, or the browser wouldn't be able to use them as passwords.

Kurtz79 13 years ago

Given that:

- I understand the fact that the browser must be able to have the password in plaintext at the moment of logging in to a website.

- I understand that if someone has access to my account on my computer then they are able to access all the sensitive information that I have stored unencrypted on it, and not just my browser's passwords.

- I understand that this is not something new or ground-breaking, or even something exclusively related to Chrome.

I still can't see how sensible having an option to show the passwords in plaintext, without protection, really is. Many people (non tech-savvy people in particular) for example do not lock their OS profile at all.

Requiring a Master Password by default (with the possibility of opting out in the settings) before using/showing passwords, and storing these in encrypted form, would seem more sensible to me.

madsr 13 years ago

Why is Chrome named as the "bad guy"? If anything, Chrome reveals the issue, by showing just how accessible browser-saved passwords are in the first place. Do you think that it's impossible for malware to retrieve passwords from IE, Firefox, Safari and Opera? Just how is it possible to import the passwords from these applications, then?

This is not a security flaw. Comparing browser password storage to a safe is mildly retarded.

  • Slackwise 13 years ago

    Chrome is the browser that auto updates with no user interaction, checks against website blacklists to protect you, and has an entire OS built around the concept of hassle-free, locked-down, auto-maintained, disk-encrypted usage.

    Chrome is designed for the layman.

    Does it warn you that your passwords are effortlessly stolen by anyone that can access your computer? No.

    Does it warn you they're at least not encrypted? No.

    Do you think the average Chrome user knows this?

    Do you think the average user understands computer security like us IT professionals?

  • meowface 13 years ago

    > Do you think that it's impossible for malware to retrieve passwords from IE, Firefox, Safari and Opera? Just how is it possible to import the passwords from these applications, then?

    It actually is impossible for malware to instantly send off all of your saved passwords if you're using Firefox and have a (reasonably decent) master key set up. I assume Opera has a similar master key option. The keyword however is "instantly."

    Now, the malware can and will still of course modify HTML on the fly and steal your passwords immediately after you login to websites, but it would probably take quite a bit of time for it to collect nearly as many passwords as there are stored in your browser's password vault, especially if you use websites that don't require you to re-login very often. And the longer that time window is, the higher the chance the malware will be detected either by odd computer behavior, or an AV detection.

    They can also set up a keylogger and wait for you to input your master password at some point. It can sometimes be hard to determine what logged text is actually the master pass, due to how many keyloggers work, but this is of course a viable option.

    All-in-all, master passwords do in fact hinder attackers. The first thing many malware spreaders do is dump browser and other saved credentials (often FTP, sometimes IM accounts so they can spam malicious links to contact lists); it's often a quick "in-and-out" dumping process. It's not uncommon for malware to successfully execute and exfiltrate some data as soon as it's loaded, but later as it infects other files or drops additional payloads, AV will fire and the user will try to clean up the machine.

    And then there are the very simple cases of "friend/acquaintance uses computer, looks at your passwords really quickly, memorizes a few, goes home and screws with your accounts at a later time." Master passwords make that sort of situation fairly impossible.

    I really do not personally see why Chrome doesn't allow master passwords as an option. It would not be a security silver bullet, but it does help.

    • tyilo 13 years ago

      Easier way would be to just wait for the user to enter the master key and then decrypt the passwords.

  • interpol_p 13 years ago

    If Chrome wanted to be informative it would tell you clearly that your passwords are readable in plaintext at chrome://settings/passwords. It does not do this when it saves a password.

    Either it tells you that your passwords are readable (and thus you are less likely to trust it) or it makes some attempt to prevent your passwords from being read within seconds. It can't have it both ways.

Karunamon 13 years ago

Philosophy question:

Given that a user left their session unlocked (!) in the presence of someone who is not them (!!) with a password file and other sensitive data in easy reach (!!!) - why is it Google's problem that the end user violated the first three rules of computer security?

*ed Downvotes don't answer the question, guys. At what point do you stop taking extraordinary measures to protect the user from their own lack of sense?

ColinWright 13 years ago

Same as reported here: https://news.ycombinator.com/item?id=6167331

Interesting to see the Guardian newspaper quoting someone from Hacker News.

Same is also true of Firefox - find the right path through the menu structure (different for each version) and reveal all your passwords.

Simple enough.

  • lucaspiller 13 years ago

    > Interesting to see the Guardian newspaper quoting someone from Hacker News.

    He isn't just some random commenter though, he is the tech lead of browser security (according to his comment, which I'm guessing The Guardian didn't actually verify :D)

    • tptacek 13 years ago

      Justin is actually the Chrome security lead. He's also one of the authors of The Art Of Software Security Assessment, and someone with god-knows how many years experience in vulnerability research.

corobo 13 years ago

People can also browse My Documents if they're logged in to my account. Microsoft should get this bug fixed asap.

  • interpol_p 13 years ago

    Chrome should ask for the master Keychain password when you attempt to unmask a password. It does not do this, and it could easily do this (like Safari does). So it's a flaw.

    Alternatively Chrome should inform the user that saved passwords are easily readable in plaintext, so that users will not trust it as much. It does not do this either.

    There's a difference between browsing someone's private documents and having permanent access to their email account via their password.

    • dragonwriter 13 years ago

      > Chrome should ask for the master Keychain password when you attempt to unmask a password. It does not do this, and it could easily do this (like Safari does).

      Well, except that you can just dump the passwords from Keychain without the master password.

      https://news.ycombinator.com/item?id=4518873

      • interpol_p 13 years ago

        But that is completely missing the point relating to intent.

        Browsing Chrome's password page requires far less malicious intent than finding/writing a script to dump someone's keychain passwords.

        That's the main issue for me with Chrome. I know people that I wouldn't trust not to navigate to chrome://settings/passwords, yet I would trust them not to actively attempt to defeat my computer's security (no matter how feeble).

        Chrome makes it easier to breach trust. A bad design.

        • dragonwriter 13 years ago

          > But that is completely missing the point relating to intent.

          Well, yeah, I'm certainly not seeing any point there.

          > Browsing Chrome's password page requires far less malicious intent than finding/writing a script to dump someone's keychain passwords.

          No, it doesn't. It might require somewhat more effort, but it doesn't require any different amount of intent.

          > I know people that I wouldn't trust not to navigate to chrome://settings/passwords, yet I would trust them not to actively attempt to defeat my computer's security

          Intentionally navigating to chrome://settings/passwords is no less an active attempt to defeat security than doing a command line dump of the keychain passwords is.

          > Chrome makes it easier to breach trust.

          It's trivially easy to breach trust in about a million different ways if you are given unsupervised access to an unlocked OS user account with sensitive information attached to it. Chrome does not make any significant difference to that.

          • interpol_p 13 years ago

            So you are defending the design of this system, even though it has a lower barrier-to-access than the alternative (as implemented by Safari).

            > Intentionally navigating to chrome://settings/passwords is no less an active attempt to defeat security than doing a command line dump of the keychain passwords is.

            I know people who would navigate to chrome://settings/passwords right in front of me as a way to annoy me — to force me to change my passwords. Their intent would be to annoy and not to attack. The fact is that you need less motivation, and less intent, to go to the password page than to deploy a script / modify the DOM / do any number of other things to get a user's passwords.

            Navigating to that page is less of an active attempt to defeat security. Hell, even I feel like it's something I would try on someone's machine when I would never even consider breaching security in another way.

            > It's trivially easy to breach trust in about a million different ways if you are given unsupervised access to an unlocked OS user account with sensitive information attached to it. Chrome does not make any significant difference to that.

            I consider the difference to be significant. I want Chrome to improve its design in this area.

            Either securing this page or informing the user that their passwords are readable would be a better design than what is currently implemented. Are you arguing this is not the case?

            Just because you can do it a million other ways does not mean you should be fine with this way of accessing a user's private data.

  • danielweber 13 years ago

    That's why I renamed it to "My Döcuments". They'll never get in now.

lawnchair_larry 13 years ago

It amazes me that some of the security professionals are sufficiently out of touch that they don't see this as an issue. The adversary in this case is the casual non-technical observer who might have a minute to click around but not install software to extract anything; it is not "hackers".

  • Karunamon 13 years ago

    The adversary that can be trivially defeated by entering Meta+L before walking away from your desk, or by not allowing untrusted randoms around your console?

peterwwillis 13 years ago

Right-click page

Click 'View page info'

Click 'Security'

Click 'View Cookies'

I just bypassed your Firefox/Safari/etc master password and owned your session. OH NOES, SECURITY FLAW!!!! (I also downloaded a rootkit and installed it in your user's home directory, but you probably don't find that as much of a flaw as me getting your cookies. Right?)

I will say that encrypting the passwords on-disk is a nice thing if you care about cold-rebooted disk attacks and don't implement disk encryption yourself. But the game is mostly over if they have access to your machine. If the machine is still on, a DMA or cold boot attack is probably going to net them the passwords even on a master-password-locked browser, because the browser still needs to access the passwords for forms without prompting you every time.

vorbote 13 years ago

Sigh. This just goes to show what kind of damage people with little knowledge and big egos can do. Ever read about Dunning-Kruger Syndrome, folks? Now you are witnessing a typical example in all its pathetism. And it all started here on HN.

dsr_ 13 years ago

Firefox: Preferences: Security: Saved Passwords: Show Passwords: Yes, I'm Sure.

And enter your master password if you use that, which you should, if you're storing passwords at all.

DjangoReinhardt 13 years ago

Isn't it a known fact that, when asked, browsers store passwords in plaintext? Why would anyone choose to let the browser 'remember their password' anyway?

  • ToastyMallows 13 years ago

    I think this is the real debate. Since when did Browsers get into the account/password storing industry? Isn't this why we have browser extensions in the first place?

    • DjangoReinhardt 13 years ago

      True that.

      The answer is also kinda obvious. It started as a matter of convenience ("I'm too fking bored to type out my long-ass password" or "I have so many passwords, I can't be bothered to remember them all" or "LastPass? What's that?") and has remained so to date. In fact, it will continue to do so until a zero-day exploit appears that can uncover these plaintext passwords, which, judging by current events, doesn't seem too far away.

jrochkind1 13 years ago

My OSX chrome definitely stores passwords in OSX Keychain Manager. Is that like a special setting or plugin I activated and forgot, not just what it always does on OSX? Or wait, am I somehow wrong? It sure looks like it's storing passwords in keychain manager, in that all of my website passwords are there in keychain manager.

jwcrux 13 years ago

I've already done analysis of most of the major browsers. It even hit the HN front page a couple months ago:

http://raidersec.blogspot.com/2013/06/how-browsers-store-you...

alternize 13 years ago

i don't get it. how is Chrome's handling different from Thunderbird's or Firefox's? they too have the exact same functionalities accessible to anyone sitting at the computer without extra security measures: Options > Security > Saved Passwords > Show Passwords

  • sp332 13 years ago

    If you have a master password set, Firefox makes you type it in before it will show you the passwords. Chrome doesn't do that.

    • alternize 13 years ago

      if... but the article mainly complained about not being obvious for "normal" people that their password can be read. i have my doubts that it would be more obvious for those people that they can (should) set a master password in firefox.

hokkos 13 years ago

Chrome has a passphrase option for its sync capability; why doesn't it use it as a master password? https://support.google.com/chrome/answer/1181035?hl=en

jscheel 13 years ago

I didn't realize anybody took Chrome's password storage seriously.

itsallbs 13 years ago

How the hell did this make the HN front page? This is a tempest in a teapot.

nodata 13 years ago

facepalm

Next up: Android wireless passphrases are also stored unencrypted!

Doublon 13 years ago

Big news. Did they just start using Chrome at The Guardian?
