Software developer questions why Google Chrome allows for display of saved passwords in plain text

August 8, 2013 by Bob Yirka, report

( —Software developer Elliott Kember has ignited a controversy over the way Google Chrome allows users to see saved passwords in plain text. In a post on his website he describes the process users can follow to reveal all of the passwords Chrome has saved that allow for entry to various websites.

All offer users the option of saving login information so that they won't have to remember them themselves or go through the ritual of having to type them in. What many may not realize, however, is that most browsers, including Chrome, offer a way to view those passwords. At issue is whether Chrome should ask for a master-password before revealing those passwords. Kember says it should, while Google's security head Justin Schuh says no, it isn't necessary.

Schuh argues that once someone with nefarious purpose gains physical access to someone else's computer, the game is up. That person can visit sites found on a favorites list, check the history log, or basically, use the computer to visit any site the owner of the computer visits themselves. They won't need the passwords to gain entry, of course, because Chrome will provide them. Thus, Schuh says, there is little point in providing a false sense of security to users—if someone gains access to their computer, they're going to get into those sites (and possibly use sneaky techniques to capture login information as they go) whether they go find the clear text passwords or not. For that reason, he says, in a response posted on Web site Hacker News, implementing a master password would only give users a feeling that they have protected their login information, when clearly, they have not.

Makers of other browsers are divided on the issue—Mozilla recently added a master password option (though users have to turn the feature one) as has Safari. Microsoft secures saved passwords through its Web Credential Manager which is essentially a master password system.

Schuh says that Google has studied and debated the issue and has decided that the way passwords are shown now is the best way to go and thus the company has no plans to change things.

Chrome users do have other options of course—they can quit having passwords saved or buy a software program that saves the passwords for them, instead of allowing the browser to do it.

Explore further: SplashData's annual list shows people still using easy-to-guess passwords

Related Stories

Password breach spreads beyond LinkedIn

June 7, 2012

More websites admitted security breaches Thursday after LinkedIn said some of its members' passwords were stolen, and experts warned of email scams targeting users of the social network.

Recommended for you

Cryptocurrency rivals snap at Bitcoin's heels

January 14, 2018

Bitcoin may be the most famous cryptocurrency but, despite a dizzying rise, it's not the most lucrative one and far from alone in a universe that counts 1,400 rivals, and counting.


Adjust slider to filter visible comments by rank

Display comments: newest first

1.5 / 5 (8) Aug 08, 2013
If chrome will stop showing passwords, I will find a tool that recovers chrome saved passwords anyway. Because they are not encrypted. The only solution is master password like in firefox.
not rated yet Aug 08, 2013
But like Schuh said, if someone with malicious intent has physical access to your computer, does it matter?

I suppose one way could be that the browser prompts you with a request to enter you master password whenever it tries to autofill a password field. And as you said, that should be encrypted if that sort of method were to be enforced. Aren't there apps/add-ons that do this?
5 / 5 (1) Aug 09, 2013
Aren't there apps/add-ons that do this?

Yes, and some are very good. First, if one wants the browser to remember passwords, Firefox is probably the way to go, but one must select to use a master password, and then set one (sufficiently complex). I used to do this but not in at least 5 years. Of the apps and add-ons that are available, I personally have come to depend on Lastpass, which is fantastic. This is a free add-on for nearly all browsers, although a paid app for mobile ($12/yr). I have nearly 100 sites with usernames and passwords, all complex with caps/lowercase/numbers/symbols/20 char. minimum, etc. and Lastpass (after putting in its master password) remembers then all, encrypted, accessible and shared from any computer. All I do is pick the site from a drop down list and it loads up the site, autofills and autologs me in right to where I need to be. New sites are remembered after entering the new info once. 5 years, Linux, Windows, Android, no trouble whatsoever.
not rated yet Aug 09, 2013
It's sort of weird that they don't store the passwords as hashes (which is the industry standard) but in plaintext. While physical access to a computer means 'game over' there are many other ways of accessing a computer which would not compromise hashed passwords (e.g. a corrupted plugin might be able to read/export the hash, but that is orders of magnitude less useful to an attacker than a paintext password. Especially given that people tend to reuse paswords or formulate passwords for different sites along simple mnemonics.)

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.