Software developer questions why Google Chrome allows for display of saved passwords in plain text

August 8, 2013 by Bob Yirka, Phys.org report

(Phys.org) —Software developer Elliott Kember has ignited a controversy over the way Google Chrome allows users to see saved passwords in plain text. In a post on his website he describes the process users can follow to reveal all of the passwords Chrome has saved that allow for entry to various websites.

All offer users the option of saving login information so that they won't have to remember them themselves or go through the ritual of having to type them in. What many may not realize, however, is that most browsers, including Chrome, offer a way to view those passwords. At issue is whether Chrome should ask for a master-password before revealing those passwords. Kember says it should, while Google's security head Justin Schuh says no, it isn't necessary.

Schuh argues that once someone with nefarious purpose gains physical access to someone else's computer, the game is up. That person can visit sites found on a favorites list, check the history log, or basically, use the computer to visit any site the owner of the computer visits themselves. They won't need the passwords to gain entry, of course, because Chrome will provide them. Thus, Schuh says, there is little point in providing a false sense of security to users—if someone gains access to their computer, they're going to get into those sites (and possibly use sneaky techniques to capture login information as they go) whether they go find the clear text passwords or not. For that reason, he says, in a response posted on Web site Hacker News, implementing a master password would only give users a feeling that they have protected their login information, when clearly, they have not.

Makers of other browsers are divided on the issue—Mozilla recently added a master password option (though users have to turn the feature one) as has Safari. Microsoft secures saved passwords through its Web Credential Manager which is essentially a master password system.

Schuh says that Google has studied and debated the issue and has decided that the way passwords are shown now is the best way to go and thus the company has no plans to change things.

Chrome users do have other options of course—they can quit having passwords saved or buy a software program that saves the passwords for them, instead of allowing the browser to do it.

Explore further: SplashData's annual list shows people still using easy-to-guess passwords

Related Stories

Password breach spreads beyond LinkedIn

June 7, 2012

More websites admitted security breaches Thursday after LinkedIn said some of its members' passwords were stolen, and experts warned of email scams targeting users of the social network.

Recommended for you

Technology near for real-time TV political fact checks

January 18, 2019

A Duke University team expects to have a product available for election year that will allow television networks to offer real-time fact checks onscreen when a politician makes a questionable claim during a speech or debate.

Privacy becomes a selling point at tech show

January 7, 2019

Apple is not among the exhibitors at the 2019 Consumer Electronics Show, but that didn't prevent the iPhone maker from sending a message to attendees on a large billboard.

China's Huawei unveils chip for global big data market

January 7, 2019

Huawei Technologies Ltd. showed off a new processor chip for data centers and cloud computing Monday, expanding into new and growing markets despite Western warnings the company might be a security risk.

3 comments

Adjust slider to filter visible comments by rank

Display comments: newest first

Expiorer
1.5 / 5 (8) Aug 08, 2013
If chrome will stop showing passwords, I will find a tool that recovers chrome saved passwords anyway. Because they are not encrypted. The only solution is master password like in firefox.
DistortedSignature
not rated yet Aug 08, 2013
But like Schuh said, if someone with malicious intent has physical access to your computer, does it matter?

I suppose one way could be that the browser prompts you with a request to enter you master password whenever it tries to autofill a password field. And as you said, that should be encrypted if that sort of method were to be enforced. Aren't there apps/add-ons that do this?
antialias_physorg
not rated yet Aug 09, 2013
It's sort of weird that they don't store the passwords as hashes (which is the industry standard) but in plaintext. While physical access to a computer means 'game over' there are many other ways of accessing a computer which would not compromise hashed passwords (e.g. a corrupted plugin might be able to read/export the hash, but that is orders of magnitude less useful to an attacker than a paintext password. Especially given that people tend to reuse paswords or formulate passwords for different sites along simple mnemonics.)

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.