Chrome not the only browser that stores plain-text passwords

When choosing to import his Safari bookmarks and settings into Google’s Chrome browser, software developer Elliot Kember discovered that although it seemed like he could opt out of importing his saved passwords, he had no choice but to do it:

“Why is ‘Saved passwords’ greyed out, and mandatory? Why have a check-box? This is the illusion of choice,” he says, and points out another thing that troubles him: the imported passwords can easily be revealed to anyone having physical access to the computer, via a click on the “Show” button in Chrome’s settings panel.

While admitting that developers and more knowledgeable users are aware that once a malicious individual has physical access to a computer the jig is up and the computer is effectively at his or her mercy, regular computer users might believe that they are safe.

“Google isn’t clear about its password security,” he says, adding that when every day millions of “regular” OS X users save their passwords in Chrome, they are faced with a prompt that misleads them into thinking the passwords are safely stored in their keychain when, in actuality, Chrome bypasses that protection.

In response to his rant, Google Chrome’s security chief Justin Schuh explained the company’s decision in this matter:

I’m the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that’s really what they get.

Wired’s Kevin Poulsen understands both sides of the debate.

“Google is thinking like a security architect, and from that perspective, the company is completely right,” he says. “By making it easy for you to see those passwords with your own eyes, Google is declining to pretend that the passwords are partitioned off in another compartment.”

“But in day-to-day life, most Chrome users have to worry about what security geeks call the ‘unskilled attacker’,” he points out. “Even the flimsiest obstacle would be effective against these threats, while serving as a moral signpost declaring the Password Manager off-limits to the kind of casual snoops who are already paging through your browser history.”

In that respect, he believes that Google might want to thing about putting up a barrier in front of the Chrome Password Manager.

Malwarebytes researcher Armando Orozco shared that Chrome isn’t the only browser that allows people with physical access to the computer to easily see the stored passwords.

“Firefox also has this feature and is accessible through the Firefox menu then Options -> Options -> Security -> Saved Passwords. Firefox does prompt when accessing ‘Save Passwords’ but reveals them just the same,” he pointed out.

So, if you use Chrome and/or Firefox, you might want to consider to either clear out the saved passwords and insert them anew every time you want log into a specific service; store your passwords in a password manager app; or log out of your (password protected) OS user account each time you leave your computer unattended.