Software developer questions why Google Chrome allows for display of saved passwords in plain text

Aug 08, 2013 by Bob Yirka report

(Phys.org) —Software developer Elliott Kember has ignited a controversy over the way Google Chrome allows users to see saved passwords in plain text. In a post on his website he describes the process users can follow to reveal all of the passwords Chrome has saved that allow for entry to various websites.

All offer users the option of saving login information so that they won't have to remember them themselves or go through the ritual of having to type them in. What many may not realize, however, is that most browsers, including Chrome, offer a way to view those passwords. At issue is whether Chrome should ask for a master-password before revealing those passwords. Kember says it should, while Google's security head Justin Schuh says no, it isn't necessary.

Schuh argues that once someone with nefarious purpose gains physical access to someone else's computer, the game is up. That person can visit sites found on a favorites list, check the history log, or basically, use the computer to visit any site the owner of the computer visits themselves. They won't need the passwords to gain entry, of course, because Chrome will provide them. Thus, Schuh says, there is little point in providing a false sense of security to users—if someone gains access to their computer, they're going to get into those sites (and possibly use sneaky techniques to capture login information as they go) whether they go find the clear text passwords or not. For that reason, he says, in a response posted on Web site Hacker News, implementing a master password would only give users a feeling that they have protected their login information, when clearly, they have not.

Makers of other browsers are divided on the issue—Mozilla recently added a master password option (though users have to turn the feature one) as has Safari. Microsoft secures saved passwords through its Web Credential Manager which is essentially a master password system.

Schuh says that Google has studied and debated the issue and has decided that the way passwords are shown now is the best way to go and thus the company has no plans to change things.

Chrome users do have other options of course—they can quit having passwords saved or buy a software program that saves the passwords for them, instead of allowing the browser to do it.

Explore further: Sandia report draws lessons learned from 'perfect heists' for national security

Related Stories

Password breach spreads beyond LinkedIn

Jun 07, 2012

More websites admitted security breaches Thursday after LinkedIn said some of its members' passwords were stolen, and experts warned of email scams targeting users of the social network. ...

Recommended for you

US won't reveal records on health website security

Aug 19, 2014

The Obama administration has concluded it will not publicly disclose federal records that could shed light on the security of the government's signature health care website because doing so could "potentially" allow hackers ...

Premier FBI cybersquad in Pittsburgh to add agents

Aug 17, 2014

The FBI's premier cybersquad has focused attention on computer-based crime in recent months by helping prosecutors charge five Chinese army intelligence officials with stealing trade secrets from major companies and by snaring ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

Expiorer
1.5 / 5 (8) Aug 08, 2013
If chrome will stop showing passwords, I will find a tool that recovers chrome saved passwords anyway. Because they are not encrypted. The only solution is master password like in firefox.
DistortedSignature
not rated yet Aug 08, 2013
But like Schuh said, if someone with malicious intent has physical access to your computer, does it matter?

I suppose one way could be that the browser prompts you with a request to enter you master password whenever it tries to autofill a password field. And as you said, that should be encrypted if that sort of method were to be enforced. Aren't there apps/add-ons that do this?
Neurons_At_Work
5 / 5 (1) Aug 09, 2013
Aren't there apps/add-ons that do this?


Yes, and some are very good. First, if one wants the browser to remember passwords, Firefox is probably the way to go, but one must select to use a master password, and then set one (sufficiently complex). I used to do this but not in at least 5 years. Of the apps and add-ons that are available, I personally have come to depend on Lastpass, which is fantastic. This is a free add-on for nearly all browsers, although a paid app for mobile ($12/yr). I have nearly 100 sites with usernames and passwords, all complex with caps/lowercase/numbers/symbols/20 char. minimum, etc. and Lastpass (after putting in its master password) remembers then all, encrypted, accessible and shared from any computer. All I do is pick the site from a drop down list and it loads up the site, autofills and autologs me in right to where I need to be. New sites are remembered after entering the new info once. 5 years, Linux, Windows, Android, no trouble whatsoever.
antialias_physorg
not rated yet Aug 09, 2013
It's sort of weird that they don't store the passwords as hashes (which is the industry standard) but in plaintext. While physical access to a computer means 'game over' there are many other ways of accessing a computer which would not compromise hashed passwords (e.g. a corrupted plugin might be able to read/export the hash, but that is orders of magnitude less useful to an attacker than a paintext password. Especially given that people tend to reuse paswords or formulate passwords for different sites along simple mnemonics.)