Chrome Security Shocker Creates Password Anxiety

Published: 22/11/2024   Category: security




Google responds to criticism of stored password handling; security experts say Chrome security team is missing the forest for the trees.



Should people be able to instantly retrieve -- in plaintext -- all the saved passwords stored by the browser they're using?
That's the information security question of the week after Elliott Kember, a director at software development firm Riot, called out Chrome's "insane password security strategy." "Google isn't clear about its password security," he said in a blog post, in which he accused Chrome of not behaving as ordinary users would expect. Specifically, after Chrome gets its hands on a password, the browser will reveal it with a single click.
Kember acknowledged that technically astute types often recommend that people avoid storing their passwords in the browser, and use a third-party password manager instead. Another common argument, he said, is that the computer is already insecure as soon as you have physical access.
But would the average user -- who may share their computer with family or friends -- expect that anyone with access to their PC might so easily retrieve all stored passwords in a single go? "Go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click 'show' on a few of the rows. See what they have to say," said Kember. "I bet you it won't be 'That's how password management works.'"
Google's Chrome team, however, sees things differently. "I appreciate how this appears to a novice, but we've literally spent years evaluating it and have quite a bit of data to inform our position," posted Justin Schuh, head of Chrome security, to the Hacker News site. "And while you're certainly well intentioned, what you're proposing is that we make users less safe than they are today by providing them [with] a false sense of security and encouraging dangerous behavior. That's just not how we approach security on Chrome."
Schuh added that passwords stored by any application on a system are trivially recoverable by anyone with access to that system, and said adding a master password to the application was security theater.
Many security experts, however, said that Schuh missed the forest for the trees.
"How to get all your big sister's passwords ... and a disappointing reply from Chrome team," tweeted World Wide Web inventor Tim Berners-Lee.
How do other browsers handle passwords? Apple's Safari includes a "show password" setting, but to be enabled, OS X first requires the user to enter their master keychain password. In fact, Kember's post was sparked by his finding that when importing bookmarks on his Mac from Safari to Chrome, all of the passwords stored by Safari had to be automatically loaded into Chrome, at which point anyone with access to his Mac could reveal them with a single click -- no password required.
Like Chrome, both Firefox and Opera will show passwords, although they do allow users to restrict access to that feature by adding a master password. Still, per Schuh's comment, anyone with the requisite skills can still retrieve the stored passwords. The same applies for passwords stored by Internet Explorer, which can be retrieved via Registry tweaks or by using free third-party tools.
