Chrome password security issue stirs debate

Security researchers say the plain text used to display Web site passwords leaves Chrome vulnerable, but Google defends its strategy.

Lance Whitney
Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
3 min read

Another person with access to your computer can see your Google Chrome saved passwords through a simple series of steps. Should you be worried?

The security flaw was highlighted in a blog posted Tuesday by software developer Elliot Kember. In his blog, Kember described how your saved passwords in Chrome can be revealed in plain text, a process that any Chrome user can replicate.

In Chrome, click on the Settings icon, and then click on the Settings command from the pop-menu. In the Settings screen, click on the link to Show Advanced Settings. In the Passwords and Forms section, confirm that the option to "Offer to save passwords I enter on the web" is turned on. Click on the link to Manage Saved passwords.

Any Web sites for which you opted to save your password appear on the list. By default, the password is hidden by the usual series of asterisks. But simply click on the site name, click on the Show button, and your password appears in clear text.

Chrome users who lock down their computers may be safer than others. You can also turn off the ability to save passwords or simply say no when the browser asks. But the option is turned on by default. And imagine a scenario of shared or public computers, or a person who loses an unsecured laptop.

Kember called this an "insane password security strategy," criticizing Google for not even offering a master password option before someone can peek at all your saved passwords.

What is Google's response?

In a post on Web site Hacker News, Chrome security head Justin Schuh defended the lack of a master password:

I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.

Others, though, clearly disagree with Schuh.

Many responded to Schuh's post by arguing that not offering a master password or telling users that their passwords can appear in clear text gives them a false sense of security.

Even famed Web inventor Tim Berners-Lee jumped in to express his frustration, tweeting: "How to get all [your] big sister's passwords http://blog.elliottkember.com/chromes-insane-password-security-strategy ... and a disappointing reply from Chrome team."

Other browsers have been caught in a similar predicament but resolved the issue, according to The Guardian. In 2010, Mozilla added a master password option to Firefox, while Safari requires its users to enter a master password before revealing stored passwords.

Certain versions of Internet Explorer also had the same flaw, The Guardian added.

For now, concerned Chrome users should disable the save password option and perhaps consider a third-party tool such as RoboForm or LastPass to better manage their passwords.