Chrome Password Fail: A Good Reason NOT to Save Your Password Locally

If you’re using Chrome as your browser of choice, anyone with access to your computer could easily take a peek at all your saved passwords. All you have to do is:

1. Click on the wrench icon at the top right of the browser
2. Click on “Options”
3. On the left of the “Options” screen, click on “Personal Stuff”
4. Click on “Manage saved passwords” in the password sub-section
5. Select any site from the displayed list
6. Click on the “Show” button.

I understand that the browser needs to have a feature like this, but seriously Google, you guys need to protect this section a little better.

Edit: Now please, people, calm down. I only posted this to point out a “possible” security problem to those who were not aware of it. Now let’s all take a deep breath and see this post for what it is: a simple warning.

[Via]


69 Responses to Chrome Password Fail: A Good Reason NOT to Save Your Password Locally

  1. You're an idiot. Storing passwords on your computer is insecure by design to begin with.

    Guess what? Anyone with access to your computer can log in to those accounts and change your password anyway.

  2. You’re an idiot. Storing passwords on your computer is insecure by design to begin with.

    Guess what? Anyone with access to your computer can log in to those accounts and change your password anyway.

      • Anyone that ever clicks "remember" is fully aware of the implications of having their computer "REMEMBER" their password. After all, you'd expect to be able to "ask" the computer what it remembers some day, right?

        Not that shocking… actually, it's come in handy a number of times over the years for various people I've helped out, as well as myself. It's careless "journalism" like this that worries me that Google might actually make this feature less visible or reliable…

    • Don't be a DBag. Firefox had a lock on this before it even became popular. In Firefox between steps 2 and 3 is a Master Password that is used to encrypt the browser's saved password. A layer of security is still a layer of security, a lack of security is still a lack of security.

    • True, but master password isn't set by default. 99% of people, I imagine, won't have any additional layer of security. Never a good idea to store important passwords (i.e. ones which have any association with money in any way) in your browser's saved form/passwords.

    • I think you lack some serious perspective. I manage an organization of about 400 employees. I know of a few off the top of my head who prefer to use Chrome. I can guarantee that none of them know of this. I will at least be sending an email out to the staff reminding them to lock their workstations when away from the desk. It may not be that important for you, but for people like me who manage lots of computers this is a good reminder for me to keep my staff informed on making sure they are taking some precautions when saving passwords.

  3. This article really doesn't make sense. If your passwords are stored in your browser, the hacker doesn't even need to see the password, they can just log right in. It is kind of a moot point.

    • Of course it makes sense. You can then use the password via another computer to log in to someone's account.

      • Why would you do that when you are already sitting at the computer and can gain access? Even if you couldn't see the password, you could go into the site and change it to whatever you want. Face it, if you are letting your browser store your passwords you have already given up your security.

        • Simple. Check their password history, jack the password, sneak off before you're caught. If they're a roommate with their own computer, you can now access their account via your computer with less risk of being caught doing so, and no need to change their password so that you'll know it – which will tip them off immediately.

        • If you leave the password unchanged it's possible to log on from another computer later without the user noticing it. If you change it the user knows something is going on when he cannot log on to his own account anymore. That is a big difference.

  4. Know what the remedy to this is?

    Don't let your browser manage your passwords. Or even save any sort of form entries.

  5. Firefox: Preferences –> Security –> Saved Passwords –> Show Passwords

    It's the same everywhere. I'm glad that this is being made more public. I think that both Firefox and Chrome should change their UI to remind the user that these are easily accessible in the options dialog.

    • Sean: Try setting a master password in Firefox. That way even if someone has access to your browser they can't see your passwords. Also the first time they go to a site for which you have Firefox managing your password it'll ask for the master password. No master password, no auto-complete of password for the site.

      Simples.

      • Just like my Chrome… You need to unlock my computer, to be able to access Chrome. :-)

        My point is that if you don't set the master password, then everyone has access to it. Just like, if you don't set a password on your user account, people can use your computer and access your data.

        And not securing the passwords with a master password by default makes many people not set this password. I remember the first time I played with the master password – turned it off, because it was annoying to type in the password when I wanted to access a site. I guess that many other people feel the same way.

        Today, I use LastPass in Chrome, so Chrome hasn't got any password information stored.

    • Read the rest of the comments. Firefox lets you input a master password. Thus protecting your passwords.

      Also, a looooot of people don't know about either of these 'features', so there is NOTHING wrong with blogging about it to inform people, and it certainly doesn't make the blogger dumb.

  6. There is protection. It's called locking your workstation. Or logging off.

    The passwords are stored in the user directory, not public. Although extra protection is always welcomed, it's essentially still down to the paranoid user to set their own protection. If someone was really that security conscious they'd already know to encrypt their user directory and log off while not at the machine.

  7. This piece is just a blackhat hate piece of the Chrome browser. To be reasonable, it should include what could make it more secure instead of simply whining about something that has been around for ages (the fact you're suddenly NOW surprised means you lose geek cred, btw).

    It should have mentioned how Firefox has a feature that can be chosen to secure your passwords. The fact that it's an EXTRA step that must be taken and isn't obvious or explained after you approve to store the original password means it's not much more secure than the Chrome password. I've come across countless Firefox users who don't know what the Master Password is for because they're the typical user who doesn't want to be bothered with remembering a password and don't fiddle around with options enough to find the Master Password option.

  8. From the 10 Immutable Laws of Security…

    "Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore"

    Not sure why GaS still thinks this is bogus, but this is not some earth shattering security breach. If you're allowing anyone access to your computer, then there's far more things that they can do than get passwords from Chrome.

    If you're allowing anyone access to your computer account, then perhaps you should review the notices that pop up regarding "public" workstations.

    Otherwise, everyone else should follow the standing guidance: Keep a password on your computer's account, and lock it when you're away. If you do not have your own account, do not store passwords on the public account.

    Me thinks the author does not have their desktop very secure…

    • Most people do store their passwords, mainly because most people aren't stupid enough to use the same password for everything. You're trying to make anyone who has ever used any browser ever sound like an idiot for using one of the most commonly-used features of every said browser.

      I think your name is far too misleading.

  9. Aahhmmm, well, this happens in Firefox too in case you didn't notice.
    Go to Tools > Options > Security > Saved Passwords > Show

  10. Dear author,

    You are an idiot! This isn't a bug, it's a feature and it was used in Firefox years before Chrome even existed. Perhaps it is you who should be fired, for slander!

    • Click on LastPass chrome button.
      Click on "My LastPass Vault".
      Click "edit" next to the webpage you want the password to.
      Click "show" under password to see user's password.

  11. Now please, people, calm down. I only posted this to point out the “possible” security problem to people who were not aware of it. Now let’s all take a deep breath and see this post for what it is: a warning.

    • No, you didn't say it is a bug, but you wrote that somebody _should be fired_ for this. It implies that the first person who freaked out was _you_. Freaking out on such n00b things isn't really geek at all…

    • No, I was not aware of it because I never used the feature… Saving your password locally is just a bad idea. I took the title of the picture. The source is even linked under the post.

  12. WOW! I am amazed at how many people commented without reading the previous comments… and anyone who thinks the poster is "dumb" for pointing this out is just bashing out of a lack of fulfillment in life…
    The gist of this whole thing is that "not everyone knows that it is that easy" and many posted that for years, Firefox has had a "master password" for these saved passwords… Google should seriously do the same… POINT MADE and reiterated.

    If you don't want to save your passwords because you think it's altogether dumb, that's your choice, but for those of us who like keeping passwords stored, a security measure like Firefox's is definitely needed in Chrome.
    @ OP thank you for sharing this tidbit, hopefully it will help people to learn to better secure their stuff and pay more attention

    • Firefox's Master Password feature is not at all any more secure than the Chrome security risk. If you enter the master password once in Firefox, your passwords are open until the browser is closed down. If you leave your browser up for any amount of time after that, you're risking your passwords stored in Firefox.

      Again, this is just hating and a freak out because the author failed as a geek.

    • I think all this "chrome-hate" talk is sorta outta line… it's not like any part of the article says you should get a different browser and it definitely did not say that Chrome was the ONLY browser with this problem… so… hate? No, just lacking big picture.

  13. This is not something specific to Chrome. Try the same thing with Firefox! Saving your passwords is not a good idea if your computer is ever somewhere public and out of your sight!!

    • Security is simple, actually. All it takes is not being careless, and boom, you are secure. In any case, if you or anyone else bashing the author would care to look at any of the other comments, you'd see that this is NOT the author's own headline.

  14. The thing is, you can solve this by having basic security measures on your computer. If no one but you can get on your computer, then there's nothing much anyone can do about those passwords.

  15. Isn't this primarily a site/forum for entertainment… security could and does come up just because of the genre of the forum, but if people are this serious about the topic, find a CISSP site and go crazy… now bring on the Star Wars humor!

  16. Firefox has been doing this for years. Also it is standard practice and not insecure if you ask me. The problem is that if multiple users use the same computer you can have your passwords cracked. Perhaps for them this was a useful post.

  17. This article is pointless, if you have to worry about someone in your house stealing (info off your computer) A. your computer wasn't locked (yea ways around that also) and B. you have other issues!

    Why would you let people into your house that would steal stuff from you?!

  18. Why go to all that bother? I prefer to just read the passwords off the sticky note stuck to the monitor :)

  19. Actually, you can delete the passwords on your disk after syncing them using a Master Key. That way, your passwords are not stored on your OWN computer, but encrypted on Google's servers. Guess someone who writes posts to enlighten people should know this.

  20. I'd rather have a family member/friend see my password/use it than a keylogger logging it every time I type it in.

  21. This is a great blog, but this post is just dumb and unworthy. I know you've already updated it with the lame defense that it is "just a warning", but how is that an excuse if it is an unfair and inaccurate warning?

    First of all, why single out Chrome? Firefox will show you your passwords too. Options -> Security -> Saved Passwords -> Show Passwords. It's even less steps than Chrome. I imagine that Internet Explorer, Opera, Safari, etc. have similar functionality.

    Secondly, why are you letting other people log on to your account?! If you're dumb enough to have only one account on your computer, and letting anybody use it, then all bets are off, security wise. Anybody could also access all your banking details, your email and IM history, your bookmarks and browser history, your porn collections, etc. They can send emails or instant messages or tweets or whatever as you, etc. ad nauseam.

    If you intentionally give everybody that kind of access to your personal data then it's already too late and singling out one thing someone could do is kind of missing the point. Blaming Chrome for this is unfair when it's your own lack of decent security practice which is the problem.

    It's a bit like complaining that your wallet will let anybody see your credit cards and social security number when you leave it lying around unsupervised.
    Well duh…

    If you don't want people to have access to your personal data, including your stored passwords, then create your own account, and log out or lock the computer when you're not behind it. Chrome won't show you the passwords of *other users*…

    You really should retract this, or fix it so it's less of an unfair and unreasonable attack on Chrome.

    • I agree with you, most of the way. But it is something else when you get access to see a person's passwords. You might let somebody use your computer, where they have access to send e-mails and so on… but only very few programs let you see the password. And here is the big difference – a complete list of sites, usernames and passwords should be better protected.

      Firefox has kind of the same issue, because most people don't know about the master password.

      IE does not have the functionality – the passwords can be extracted, I'm sure, but no UI interface to easily access the sites/usernames/passwords.

      Let me change the question of this article a little: Do you want a password manager, that doesn't have a master password to access all your passwords? I sure don't want that.

      I use and love Chrome, but my passwords are stored with LastPass.

      • “I use and love Chrome, but my passwords are stored with LastPass.”

        Nicely demonstrating my point, since LastPass will *also* show you, or anybody else who happens to be using your account, your passwords, just like Chrome and Firefox will…

        • Unless you set it to require a password to get access to the passwords and/or set it to log out of LastPass when you close the browser or after some time…
