Did you know that Google Chrome stores saved passwords in plain text on your local computer?
Open Chrome and type this in the address bar:
Google corrals all your passwords in one place but none are encrypted. In fact, viewing the saved passwords is as easy as clicking the Show button next to the password dots.
This actually isn’t new news, but Elliott Kember, Software Developer and Director at Riot, brought it up on his blog yesterday.
Now your first response might be:
“Hey Vonnie, you’re overreacting. If someone already has physical access to your system then your computer is ready to be compromised.” Or perhaps you’re thinking, “What’s the big deal? Just use free password management software like LastPass and be done with it”.
Although these points are valid, I think they miss the core issue here: Google isn’t as transparent as it should be when it comes to password management.
Most people know nothing about password management. If you sat down at your co-worker’s computer, opened Chrome, went to his Password Settings and clicked Show, I doubt he’s going to say, “Oh well, I guess I’ll just use LastPass”.
My point is that people don’t expect it to be this easy to view their passwords! And given that most people use the same password to access multiple web resources, compromising saved passwords could be devastating, because suddenly almost all of the victim’s digital assets are instantly at risk.
Chrome isn’t transparent about Password Security
When Google Chrome prompts you to save your password it doesn’t tell you that it’s accessible to anyone who visits your password settings.
Justin Schuh, head of security for Chrome, offered this defense on Hackernews yesterday.
The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.
You can read the rest of his response on Hackernews, but I think the central thrust of his argument is flawed because it puts too much responsibility on the OS. It’s like saying there’s no need to lock the safe in your bedroom as long as the front door of your house is bolted shut. In other words, what’s the point of locking the safe when, once the thief is inside, he has carte blanche access to all your valuables?
But, don’t you think having a combination lock on the safe might cause a less determined thief to look for something else? For something easier to steal first?
In my metaphor the front door is the password-protected login screen of the OS and the safe is Google Chrome. Chrome is an open safe – and there’s nothing safe about that.
Any security methodology will always have holes, but different vulnerabilities require different levels of technical aptitude to exploit. If someone gains access to your physical machine they can wreak havoc on the system by stealing session cookies and installing malware on it, but that requires specialized knowledge. The problem is that today, with this Google flaw, almost any eight-year-old kid can sit at her big brother’s computer, pop open Chrome and steal his Facebook passwords.
The point of security is not to make data theft impossible but rather to make it as hard as possible to break so less determined hackers search for easier prey.
Neither Justin nor Google seems to understand this basic point, and quite frankly it’s a bit irritating.
All I’m advocating is that Google implement another layer of security that makes it a little harder to view clear text passwords. Maybe a simple sign-in requirement for the Password Settings page would suffice? I’m just really annoyed that such a large company like Google doesn’t seem interested in protecting its customers’ interests like it should.
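To make the “locked safe” idea concrete, here is an added example (my own illustration for this post, not Chrome’s code and not taken from Kember’s or Schuh’s write-ups) of a saved-password list whose Show action demands a master password first: each entry is encrypted at rest under keys derived from that password with PBKDF2, and is only decrypted after the password verifies an integrity tag. It uses only the Python standard library, so the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, picked so the snippet runs anywhere rather than as a recommendation over a real AEAD such as AES-GCM; the function names, the sample site and the credentials are all constructed for the example.

```python
"""Added example: a password store that re-prompts before showing a secret.

Stdlib only. PBKDF2 turns the master password into an encryption key and a
MAC key; entries are sealed with an HMAC-SHA256 counter-mode keystream and an
encrypt-then-MAC tag, so a wrong master password is detected before any
plaintext is handed back. Illustrative construction, not Chrome's code.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # work factor for deriving keys from the master password


def derive_keys(master_password, salt):
    """Derive separate encryption and MAC keys from the master password (hypothetical helper)."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a keystream (illustrative stdlib-only cipher)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def seal(master_password, plaintext):
    """Encrypt-then-MAC a secret under keys derived from the master password."""
    salt = os.urandom(16)   # per-entry salt: same master password, different keys per entry
    nonce = os.urandom(16)  # per-entry nonce: keystream never repeats
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = _xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def reveal(master_password, record):
    """Return the plaintext only if the master password verifies the record's tag."""
    enc_key, mac_key = derive_keys(master_password, record["salt"])
    expected = hmac.new(
        mac_key, record["salt"] + record["nonce"] + record["ciphertext"], hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        # wrong master password or tampered record: refuse instead of returning garbage
        raise PermissionError("master password incorrect or record tampered with")
    return _xor(record["ciphertext"], keystream(enc_key, record["nonce"], len(record["ciphertext"])))


class PasswordSafe:
    """A saved-password list whose Show action requires the master password (constructed example)."""

    def __init__(self):
        self._entries = {}  # site -> (username, sealed record)

    def save(self, site, username, password, master_password):
        self._entries[site] = (username, seal(master_password, password.encode("utf-8")))

    def saved_sites(self):
        # Like the settings list view: sites and usernames are listed, passwords stay sealed.
        return sorted((site, user) for site, (user, _record) in self._entries.items())

    def show(self, site, master_password):
        """The 'Show' button: decrypts the entry only after the master password checks out."""
        _username, record = self._entries[site]
        return reveal(master_password, record).decode("utf-8")


if __name__ == "__main__":
    safe = PasswordSafe()
    safe.save("example.com", "alice", "hunter2", master_password="correct horse battery")
    print(safe.saved_sites())
    print(safe.show("example.com", "correct horse battery"))
    try:
        safe.show("example.com", "guess")
    except PermissionError as exc:
        print("refused:", exc)
```

This is exactly the extra lock the post asks for and nothing more: someone who already owns the OS session can still install a keylogger or wait for the safe to be opened, but the casual passer-by who clicks Show gets a prompt instead of the password, which is the difference between an open safe and a locked one.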
What do you guys think about all this? Am I overreacting? Let me know in the comments below…