Software developer questions why Google Chrome allows for display of saved passwords in plain text

August 8, 2013 by Bob Yirka, report

( —Software developer Elliott Kember has ignited a controversy over the way Google Chrome allows users to see saved passwords in plain text. In a post on his website he describes the process users can follow to reveal all of the passwords Chrome has saved that allow for entry to various websites.

All offer users the option of saving login information so that they won't have to remember them themselves or go through the ritual of having to type them in. What many may not realize, however, is that most browsers, including Chrome, offer a way to view those passwords. At issue is whether Chrome should ask for a master-password before revealing those passwords. Kember says it should, while Google's security head Justin Schuh says no, it isn't necessary.

Schuh argues that once someone with nefarious purpose gains physical access to someone else's computer, the game is up. That person can visit sites found on a favorites list, check the history log, or basically, use the computer to visit any site the owner of the computer visits themselves. They won't need the passwords to gain entry, of course, because Chrome will provide them. Thus, Schuh says, there is little point in providing a false sense of security to users—if someone gains access to their computer, they're going to get into those sites (and possibly use sneaky techniques to capture login information as they go) whether they go find the clear text passwords or not. For that reason, he says, in a response posted on Web site Hacker News, implementing a master password would only give users a feeling that they have protected their login information, when clearly, they have not.

Makers of other browsers are divided on the issue—Mozilla recently added a master password option (though users have to turn the feature one) as has Safari. Microsoft secures saved passwords through its Web Credential Manager which is essentially a master password system.

Schuh says that Google has studied and debated the issue and has decided that the way passwords are shown now is the best way to go and thus the company has no plans to change things.

Chrome users do have other options of course—they can quit having passwords saved or buy a software program that saves the passwords for them, instead of allowing the browser to do it.

Explore further: SplashData's annual list shows people still using easy-to-guess passwords

Related Stories

Password breach spreads beyond LinkedIn

June 7, 2012

More websites admitted security breaches Thursday after LinkedIn said some of its members' passwords were stolen, and experts warned of email scams targeting users of the social network.

Recommended for you

Tiny 'water bears' can teach us about survival

March 20, 2019

Earth's ultimate survivors can weather extreme heat, cold, radiation and even the vacuum of space. Now the U.S. military hopes these tiny critters called tardigrades can teach us about true toughness.

A decade on, smartphone-like software finally heads to space

March 20, 2019

Once a traditional satellite is launched into space, its physical hardware and computer software stay mostly immutable for the rest of its existence as it orbits the Earth, even as the technology it serves on the ground continues ...

Researchers find hidden proteins in bacteria

March 20, 2019

Scientists at the University of Illinois at Chicago have developed a way to identify the beginning of every gene—known as a translation start site or a start codon—in bacterial cell DNA with a single experiment and, through ...

Turn off a light, save a life, says new study

March 20, 2019

We all know that turning off lights and buying energy-efficient appliances affects our financial bottom line. Now, according to a new study by University of Wisconsin-Madison researchers, we know that saving energy also saves ...


Adjust slider to filter visible comments by rank

Display comments: newest first

1.5 / 5 (8) Aug 08, 2013
If chrome will stop showing passwords, I will find a tool that recovers chrome saved passwords anyway. Because they are not encrypted. The only solution is master password like in firefox.
not rated yet Aug 08, 2013
But like Schuh said, if someone with malicious intent has physical access to your computer, does it matter?

I suppose one way could be that the browser prompts you with a request to enter you master password whenever it tries to autofill a password field. And as you said, that should be encrypted if that sort of method were to be enforced. Aren't there apps/add-ons that do this?
not rated yet Aug 09, 2013
It's sort of weird that they don't store the passwords as hashes (which is the industry standard) but in plaintext. While physical access to a computer means 'game over' there are many other ways of accessing a computer which would not compromise hashed passwords (e.g. a corrupted plugin might be able to read/export the hash, but that is orders of magnitude less useful to an attacker than a paintext password. Especially given that people tend to reuse paswords or formulate passwords for different sites along simple mnemonics.)

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.