james-singh on Dec 3, 2012



Why is the author so excited about this? We all knew this feature exists; in fact, I personally have been using it to remember my old passwords. Yes, it could be dangerous if someone else is going to view it, but it is as dangerous as giving them your PC.

I'm surprised that such a 'no-value' article has made it to the front page.


This is not a security issue, as many have already pointed out. In this way it is related to the 'stored password XSS vulnerability':

http://news.ycombinator.com/item?id=4847505

Two things that need to be debunked.

First, Chrome does encrypt stored passwords. If you open the SQLite database in your profile and query the logins table you won't see a plain text password. For more on how Chrome stores passwords and the code behind it, see this post:

http://www.switchonthecode.com/tutorials/how-google-chrome-s...

Second, Chrome does have a master password. Most users just don't notice it, because instead of being implemented in the application it integrates with the operating system.

You need to be logged in and have access to the Keychain to open the file. Most users leave their keychains open by default when logging into OS X.
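To make the first point concrete, here is an added example (not code from the thread or from Chromium) that opens a Chromium-style "Login Data" SQLite store, queries the `logins` table and reports how each `password_value` blob is protected instead of printing it. The table is a reduced copy with only the columns the example reads, and the rows and blobs are constructed: they carry the headers a real store would have (Chromium's Linux "v10"/"v11" OSCrypt prefixes, the Windows DPAPI blob header) plus filler bytes, so the classifier runs offline. Note that macOS also writes a "v10" prefix but takes its key from the Keychain, so the prefix tags below are only meaningful for a Linux profile.

```python
"""Inspect a Chromium-style "Login Data" SQLite store and report how each
password_value is protected.  Added example, not Chromium code."""
import sqlite3
import string
from typing import Dict, List, Optional

# Version prefixes Chromium's OSCrypt writes on Linux (os_crypt_linux.cc).
# The bytes after the prefix are AES-128-CBC ciphertext; what differs is
# where the key comes from.
PREFIX_V10 = b"v10"  # key = PBKDF2("peanuts", "saltysalt", 1 iteration): no secret involved
PREFIX_V11 = b"v11"  # key = random secret kept in gnome-keyring / KWallet
# DPAPI blob header as written by CryptProtectData on Windows: version 1
# followed by the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb (LE).
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Reduced copy of the real `logins` table: only the columns this example reads.
SCHEMA = """
CREATE TABLE logins (
    origin_url     VARCHAR NOT NULL,
    username_value VARCHAR,
    password_value BLOB,
    signon_realm   VARCHAR NOT NULL
)
"""

# Constructed rows.  The blobs are not real ciphertext, only the headers a
# real store would carry plus filler bytes, so the classifier can run offline.
SAMPLE_ROWS = [
    ("https://mail.example.com/login", "alice", PREFIX_V11 + bytes(range(16)), "https://mail.example.com/"),
    ("https://shop.example.org/signin", "bob", PREFIX_V10 + b"\xde\xad\xbe\xef" * 4, "https://shop.example.org/"),
    ("https://git.example.net/", "carol", DPAPI_MAGIC + b"\x00" * 8, "https://git.example.net/"),
    ("http://legacy.example.test/", "dave", b"hunter2", "http://legacy.example.test/"),
]


def classify_blob(blob: Optional[bytes]) -> str:
    """Return a short tag describing how a password_value blob is protected."""
    if not blob:
        return "empty"
    if blob.startswith(PREFIX_V11):
        return "v11-keyring"      # needs the key from the user's unlocked keyring
    if blob.startswith(PREFIX_V10):
        return "v10-obfuscated"   # anyone holding the file can derive the key
    if blob.startswith(DPAPI_MAGIC):
        return "dpapi"            # decryptable by the same Windows user account
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    if text and all(ch in string.printable for ch in text):
        return "plaintext"        # what the comment above says Chrome does not do
    return "unknown"


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the profile's Login Data file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def inspect_logins(conn: sqlite3.Connection) -> List[Dict[str, str]]:
    """Query the logins table the way a curious user would, but report only
    how each secret is stored, never the secret itself."""
    cur = conn.execute(
        "SELECT origin_url, username_value, password_value FROM logins ORDER BY rowid"
    )
    return [
        {"origin_url": origin, "username": user, "scheme": classify_blob(blob)}
        for origin, user, blob in cur
    ]


if __name__ == "__main__":
    for row in inspect_logins(build_sample_db()):
        print(f"{row['scheme']:15} {row['username']:8} {row['origin_url']}")
```

To run it against a real profile, replace `build_sample_db()` with `sqlite3.connect("/path/to/Login Data")` on a copy of the file (Chrome holds a lock on the live one). The "v10-obfuscated" tag is the case worth knowing about: the key is derived from a string in Chromium's source, so that scheme only stops casual viewing, while "v11-keyring" and "dpapi" tie decryption to the logged-in user's OS credentials, which is the master password the comment above is referring to.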


This is true of Firefox and (possibly?) IE as well, though IE doesn't have an option to show the passwords in the UI.

If a user has access to your desktop, then it really doesn't matter if your saved passwords are stored in plain text, you've already lost.

And what's the alternative? Ask for a "master" password every time Chrome wants to auto-complete a password for you? That's what extensions like LastPass do, but I don't think it makes sense for that to be the default.


>"That's what extensions like lastpass do, but I don't think it makes sense for that to be the default."

LastPass keeps you logged in to your "vault" either while the browser remains open, or by time limit. So you're really only entering the master password once per session. I think Firefox has a similar feature; you enter a master password the first time you try to access your passwords.

That people don't use features like this is, at the very least, pretty sad. LastPass saved my sanity.


If I want to read my password I need to enter my master password again. Even when I'm logged in. You could log into the website without the master password but reading the password needs it.
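The session model the two comments above describe (LastPass keeps the vault unlocked for the session or until a timeout; a Firefox-style master password that has to be entered again to read a password in the clear), as an added example that is not part of the thread and is not LastPass or Firefox code. It uses only the Python standard library: PBKDF2 stretches the master password into a key and a separate stored verifier, an HMAC-SHA256 keystream plus HMAC tag stands in for AES-GCM (which a real vault should use, e.g. via the `cryptography` package), and the 15-minute default timeout and 200,000 iteration count are assumptions.

```python
"""Session-unlock password vault: one master password per session, an idle
auto-lock, and a second prompt to reveal a stored password in the clear.
Added example; not LastPass or Firefox code."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional


class VaultLocked(Exception):
    """Raised when an operation needs the master password again."""


class Vault:
    KDF_ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumption)
    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, master: str, idle_timeout: float = 15 * 60,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._salt = secrets.token_bytes(16)
        _, self._verifier = self._derive(master)   # only the verifier is stored
        self._entries: Dict[str, bytes] = {}        # site -> nonce || ct || tag
        self._key: Optional[bytes] = None           # present only while unlocked
        self._last_use = 0.0

    def _derive(self, master: str):
        """Stretch the master password into an encryption key and a separate
        verifier, so the stored verifier never equals the key."""
        material = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                                       self._salt, self.KDF_ITERATIONS, dklen=64)
        return material[:32], material[32:]

    def _check_master(self, master: str) -> Optional[bytes]:
        key, verifier = self._derive(master)
        return key if hmac.compare_digest(verifier, self._verifier) else None

    # ---- session handling -------------------------------------------------
    def unlock(self, master: str) -> bool:
        key = self._check_master(master)
        if key is None:
            return False
        self._key = key
        self._last_use = self._clock()
        return True

    def lock(self) -> None:
        self._key = None

    def is_unlocked(self) -> bool:
        if self._key is not None and self._clock() - self._last_use > self._idle_timeout:
            self.lock()                          # idle too long: drop the key
        return self._key is not None

    def _touch(self) -> None:
        if not self.is_unlocked():
            raise VaultLocked("master password required")
        self._last_use = self._clock()

    # ---- encryption (stdlib stand-in for AES-GCM) ---------------------------
    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks, counter = [], 0
        while sum(len(b) for b in blocks) < length:
            blocks.append(hmac.new(self._key, b"enc" + nonce + counter.to_bytes(4, "big"),
                                   hashlib.sha256).digest())
            counter += 1
        return b"".join(blocks)[:length]

    def _seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(self.NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _open(self, sealed: bytes) -> bytes:
        nonce, ct, tag = (sealed[:self.NONCE_LEN], sealed[self.NONCE_LEN:-self.TAG_LEN],
                          sealed[-self.TAG_LEN:])
        expect = hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            raise ValueError("stored entry was modified")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    # ---- what the browser extension calls ----------------------------------
    def store(self, site: str, password: str) -> None:
        self._touch()
        self._entries[site] = self._seal(password.encode("utf-8"))

    def autofill(self, site: str) -> str:
        """Fill the login form: allowed while the session is unlocked."""
        self._touch()
        return self._open(self._entries[site]).decode("utf-8")

    def reveal(self, site: str, master: str) -> str:
        """Show the password in the UI: re-prompts even in an unlocked session."""
        self._touch()
        if self._check_master(master) is None:
            raise PermissionError("wrong master password")
        return self.autofill(site)
```

The design buys exactly what the comments describe and no more: while the session is unlocked the key sits in process memory, so anything running as the same user can still recover the stored passwords (the keylogger and patched-binary points made elsewhere in the thread); what the idle lock and the re-prompt on `reveal` defend against is the casual walk-up through the UI.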


Right, just a hint: for password management in Firefox I use LastPass; it encrypts and autocompletes everything.


What do you think it should do instead?

There is no way for it to encrypt the passwords without having to ask you to enter a master password each time it starts.

You could argue that it shouldn't let you see them through the user interface, but I would argue that this would be useless - security through obscurity.


I have no background at all in IT security, but I thought the passwords would be encrypted using an RSA system (the public key would be used to encrypt the password, the private key would be used to read them). The private key would be generated randomly when the browser is built, making it unique, and inaccessible (unless maybe with a debugger, but that's not something that could be done in a couple of minutes).

Maybe what I just said is stupid and not feasible, in which case I'd be curious to know why.


I agree with this. The entire promise of password auto-save is to save the user TIME. If the browser locked itself every couple of minutes and asked for a master password between visits, it would not help the user save TIME.

I think the author is confusing a feature exclusively created for convenience with one that would be targeting security exclusively.

PS: However, what better way to get HN traffic than a sensational title like that...


It could, for example, use the system keychain on MacOS and not expose an interface. Chrome could then read the passwords from the keychain, but any user access to the password would have to go through "Keychain Access" and require the user's logon password to show it in plain text. Storage would also be encrypted, so it wouldn't be "security through obscurity" but rather a real step towards protected password storage.


This is the main problem with Chrome for me at the moment. How hard can it be to add a master password prompt before showing the passwords? Or even to only store them encrypted?

I know they wouldn't really be safe even if encrypted, but I just want them not to be available to any random person that has access to my computer for 3 minutes...


Not intended to excuse Chrome here in any way, but I've had no problem using KeePass for my passwords. I use a Chrome extension to let KeePass entries auto-populate in the browser, and my database locks itself after only a few minutes of inactivity (or I can explicitly lock it).


If you want to store them encrypted, then Chrome has to ask for your master password every time you want to actually use the stored passwords (i.e., open a random website). If you don't store them encrypted, then your passwords (as well as everything else) are available to any random person who has access to your computer for 3 minutes, and not showing them directly is just a minor inconvenience.

Actually, the solution is simple - don't have random persons access your computer for 3 minutes; always locking your screen when leaving is the simple and effective way to counter this risk and many others.


A random person with access to your computer could easily install a keylogger in those 3 minutes.


True, but that requires much more technical know-how.

For one, you need to have a keylogger available when the victim is away from the computer. The keylogger may also be detected by a virus killer, now or in the future. The keylogger must also send the passwords somewhere, leaving a forensic trace (or the culprit must get access to the computer again to retrieve the passwords).

The Chrome "hack", on the other hand, can easily be done if you have the opportunity and requires no technical know-how or preparation. It also leaves no trace.


No fucking shit, it has to be able to decrypt them to send them to websites.


Don't save your passwords in the browser. Instead save them in a password manager such as Password Gorilla: https://github.com/zdia/gorilla/wiki

This way, your passwords become "browser independent". You can switch browsers at will, but still have all your passwords in the same place.


I used Password Gorilla for a long time and it's ok.

But I like KeePassX better. Mostly because Gorilla can be absurdly slow sometimes.


This problem has been mitigated in OS X with Keychain, Gnome with Keyring and KDE with KWallet. If there were a standard application like that for passwords in Windows it would probably make it easier for most users to keep their passwords from being so easily accessible in cleartext (and I know there are a lot of 3rd party options available, but only power users tend to install those).


On Linux Chrome (or just Chromium?) can use your system keyring to store passwords in a fairly secure manner. Now if only a) Firefox did that, too, and b) they could agree on a common standard so that you could share passwords between browsers.

See e.g. http://code.google.com/p/chromium/wiki/LinuxPasswordStorage



Pidgin has a good writeup of the rationale for locally stored passwords being plain text: https://developer.pidgin.im/wiki/PlainTextPasswords


Chrome installs as your own user, not admin. If an attacker can read your disk, he can probably patch chrome to store your master password too.


Of course! If you don't want to have to put in a password, then of course it will have to be (a) stored and (b) stored in plain text!


Most browsers don't encrypt your locally stored passwords... if you've not set up a master password in Firefox, they are accessible there in plaintext as well to almost anyone with the knowledge.

Firefox: Tools->Options->Security click on Saved Passwords button.

Does Chrome need a master password system? Yes. Is Chrome non-standard by not encrypting the locally stored passwords? Not really.


LastPass anyone?



