Software developer questions why Google Chrome allows for display of saved passwords in plain text

Aug 08, 2013 by Bob Yirka

(Phys.org) —Software developer Elliott Kember has ignited a controversy over the way Google Chrome allows users to see saved passwords in plain text. In a post on his website, he describes the process users can follow to reveal all of the passwords Chrome has saved for logging in to various websites.

All offer users the option of saving login information so that they won't have to remember it themselves or go through the ritual of typing it in. What many may not realize, however, is that most browsers, including Chrome, offer a way to view those passwords. At issue is whether Chrome should ask for a master password before revealing those passwords. Kember says it should, while Google's security head Justin Schuh says no, it isn't necessary.

Schuh argues that once someone with nefarious purpose gains physical access to someone else's computer, the game is up. That person can visit sites found on a favorites list, check the history log, or basically, use the computer to visit any site the owner of the computer visits themselves. They won't need the passwords to gain entry, of course, because Chrome will provide them. Thus, Schuh says, there is little point in providing a false sense of security to users—if someone gains access to their computer, they're going to get into those sites (and possibly use sneaky techniques to capture login information as they go) whether they go find the clear text passwords or not. For that reason, he says, in a response posted on Web site Hacker News, implementing a master password would only give users a feeling that they have protected their login information, when clearly, they have not.

Makers of other browsers are divided on the issue—Mozilla recently added a master password option (though users have to turn the feature on), as has Safari. Microsoft secures saved passwords through its Web Credential Manager, which is essentially a master password system.

Schuh says that Google has studied and debated the issue and has decided that the way passwords are shown now is the best way to go and thus the company has no plans to change things.

Chrome users do have other options of course—they can quit having passwords saved or buy a software program that saves the passwords for them, instead of allowing the browser to do it.


User comments : 4


Expiorer
1.5 / 5 (8) Aug 08, 2013
If Chrome will stop showing passwords, I will find a tool that recovers Chrome saved passwords anyway. Because they are not encrypted. The only solution is master password like in Firefox.
DistortedSignature
not rated yet Aug 08, 2013
But like Schuh said, if someone with malicious intent has physical access to your computer, does it matter?

I suppose one way could be that the browser prompts you with a request to enter your master password whenever it tries to autofill a password field. And as you said, that should be encrypted if that sort of method were to be enforced. Aren't there apps/add-ons that do this?
Neurons_At_Work
5 / 5 (1) Aug 09, 2013
Aren't there apps/add-ons that do this?


Yes, and some are very good. First, if one wants the browser to remember passwords, Firefox is probably the way to go, but one must select to use a master password, and then set one (sufficiently complex). I used to do this but not in at least 5 years. Of the apps and add-ons that are available, I personally have come to depend on Lastpass, which is fantastic. This is a free add-on for nearly all browsers, although a paid app for mobile ($12/yr). I have nearly 100 sites with usernames and passwords, all complex with caps/lowercase/numbers/symbols/20 char. minimum, etc. and Lastpass (after putting in its master password) remembers them all, encrypted, accessible and shared from any computer. All I do is pick the site from a drop down list and it loads up the site, autofills and autologs me in right to where I need to be. New sites are remembered after entering the new info once. 5 years, Linux, Windows, Android, no trouble whatsoever.
antialias_physorg
not rated yet Aug 09, 2013
It's sort of weird that they don't store the passwords as hashes (which is the industry standard) but in plaintext. While physical access to a computer means 'game over' there are many other ways of accessing a computer which would not compromise hashed passwords (e.g. a corrupted plugin might be able to read/export the hash, but that is orders of magnitude less useful to an attacker than a plaintext password. Especially given that people tend to reuse passwords or formulate passwords for different sites along simple mnemonics.)
