We can do better – Please fix plaintext credential storage in Chrome
medium.comThis article is simply incorrect. The passwords are only stored in plaintext when there are no OS-level or desktop environment options available to protect them.[0] In the absence of such a system where exactly do you expect Chrome to store the encryption key for the list of passwords?
[1] https://code.google.com/p/chromium/wiki/LinuxPasswordStorage
edit: Apparently there are people that run either incredibly old versions of chrome or don't run a keystore daemon and actually upload all of their dotfiles to github so I guess that part is technically accurate.
Off the back of a napkin - the key should never be stored anywhere first of all. In the absence of keyring/keychain/etc., it'd be trivial to introduce a masterpassword implementation in the browser client which is XOR'd with secret credentials and stored as such.
Obviously not a 'secure' system by any stretch of the imagination but it's an order of magnitude better than storing in plaintext.
Okay, so it's possible someone might accidentally publish their passwords with an unwise git commit, but has anyone actually done this? Can anyone point to a real life example?
Yes! There are tons of accidentally-uploaded profiles on github, for instance. Search for the readme string and you'll see a number of very dangerous commits.
Once the attacker has the username, password and access to the computer, the game is already over. I can't see how adding anything on top is nothing but smoke and mirrors.
As addressed in the post - there are no mitigating factors in the scenario of accidental exposure. The lowest hanging fruit would be a dumb hashing function which uses some master password.
If you've been hit with an OS compromise you're pretty much SOL, but it shouldn't be so easy to grab highly sensitive data from accidentally exposed profiles.