WARNING: Passwords you save on Chrome are completely unprotected and can be easily accessed by anyone


If you’re a Google Chrome user and you tend to let your browser save your passwords, take note. Due to poor programming on Google’s part, anyone with physical access to your machine can reveal all your passwords stored on Chrome without needing to know any of them.

Web designer Elliot Kember called out Google and their slightly worrying way of handling passwords in Chrome. He highlighted the fact that all you need to do is visit chrome://settings/passwords in the browser to see a list of all the saved passwords. The passwords are, of course, shown as black dots as usual, but it only takes one click to expose the full string of characters in plain text. You can also access this same list through Chrome’s settings page.

This applies to all operating systems that run Chrome, including Windows and Mac OS X.


Unfortunately for users who think Google would be scrambling by now to fix this, it isn’t. In fact, Google is well aware of the issue and doesn’t plan to fix it. According to Google’s head of Chrome Security, Justin Schuh, they don’t want “to provide users with a false sense of security and encourage risky behavior.” He also adds that if an attacker were able to gain physical access to a machine, “the game was lost” because there would be “too many vectors for [the attacker] to get what he wants.”

It should be noted that the same issue is found in Firefox, Opera, Safari, and Internet Explorer. If you use their built-in password managers, people can easily reveal your passwords. However, Chrome’s competitors implement a layer of security for stored passwords by allowing you to use a master password or a system password. With a master password or system password set, no one can access your stored passwords without entering that password first. Chrome doesn’t have any of that. And while there are definitely solutions out there that people can use (read: third-party password managers), not everyone uses them and not everyone is aware of this lack of security in Chrome.

If this doesn’t sound bad to you, try it out right now. I didn’t think it was a big deal at first but after seeing firsthand how easy it would be for someone to see all my saved passwords… I’m hoping Google will change their mind and fix the issue. False security and physical access notwithstanding, how hard would it be to implement even a simple extra bit of security?

Until it is fixed, if it ever is, I suggest you use a third-party password manager to keep your passwords safe.

[via Elliot Kember, Y Combinator, The Verge]


14 comments

  1. dipoun

    Hi, you can also do this: Right-click the password ******** then click INSPECT ELEMENT. Double-click the password line and back key, then enter. And then you see the show password

    Sorry if my English is not good but I’m French

  2. DoktorThomas™

    Elcomsoft says, “Full disk encryption? No problem undone in less than 4 seconds.” The only way to truly keep your data safe is to never connect to the Internet. Even then the US fed.gov may access it …

  3. Mike G.

    100% password protection. Nobody can beat this.

    Simply do not store your passwords into your computer.

    Instead, keep them in a (locked) safe place off line.

    Trust yourself. :) Others that’s a gamble.

  4. thegreenwizard

    [@eMcE] Thanks, but is it not the same engine? Then what happens with the encryption, because I saw lately that Comodo put another browser based on Firefox engine, supposedly safer. Comodo Ice Dragon

  5. Seamus McSeamus

    [@thegreenwizard]
    I expect the situation would be the same with any of the Chrome derivatives. AFAIK the main focus of Iron and the others is defeating the information harvesting and tracking that Chrome supports, not so much with the way passwords are stored. I could, of course, be wrong.