Do you save passwords in Chrome? Maybe you should reconsider

Summary: Every modern browser lets you save and sync user names and passwords for your favorite websites. Maybe that's not such a good idea.

TOPICS: Security, Google

You might want to think twice before you let someone borrow your computer.

The most obvious risk of allowing someone else access to your desktop is that they can impersonate you, using any app where you’re already signed in. They could send prank messages using your default email client, or profess your undying love for Justin Bieber using your logged-in Twitter account.

That’s annoying, but far from fatal.

But the situation becomes considerably worse if you use Google Chrome to save and sync passwords for easy logins at your favorite websites. An intruder who has unrestricted access to your computer for even a minute can view and copy all of your saved passwords just by visiting an easy-to-remember settings page: chrome://settings/passwords.

That link opens the local copy of your saved password cache, which is synchronized to every machine where you sign in with your Google account.

And the funny thing is, anyone who visits that page can see the plaintext version of every saved password just by clicking a button.

The saved password list shows the web address, username, and password for each saved set of credentials. Initially, the saved password is displayed as a row of asterisks. But if you click the masked password, you see a “Show” button that you can click to immediately display the saved password.

chrome-password-show-button

A malicious or spiteful intruder who can lure you away from your computer briefly can see your saved passwords, then close the settings page. And you have no idea that your credentials have been compromised.

Here’s what the attacker sees. I’ve altered the passwords and blurred crucial details in this screenshot, but it should give you a good idea of the scope of the problem:

chrome-password-reveal

This isn’t a new feature, of course, but the issue got some publicity earlier today when software designer Elliott Kember posted a rant titled “Chrome’s insane password security strategy” at his blog. And the issue got more heated when the post sparked a discussion on Hacker News where Chrome developer Justin Schuh told Kember, in essence, That’s not a bug, it’s a feature:

I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.

Perhaps he's right. But that level of attack involves preparation on the part of a hacker, as well as a nontrivial amount of technical knowledge. This avenue of access is easy and quick and leaves no audit trail. It's a vulnerability that an evil sibling can exploit to make your life miserable. It's also one that a malicious co-worker can use with devastating effect.

This problem isn’t unique to Chrome. If your default browser is Firefox, you’re equally vulnerable. Anyone with physical access to your computer can click the Firefox menu, click Options, and then click the Saved Passwords button on the Security tab to get to this dialog box. No password is required to reveal all of your saved passwords in plaintext.

firefox-saved-passwords

Firefox at least includes the option to set a master password, although it's not enabled by default.

And don't get comfortable just because you use a Mac instead of Windows. The same easy access is available on Apple-branded devices.

Internet Explorer, on the other hand, requires an extra authentication step before you can view plaintext passwords. In Windows 7 and Windows 8, the IE password cache is stored in the Web Credential Manager. You can see your saved passwords, but clicking the Show button requires you to enter the credentials for your user account again.

ie-saved-passwords

This is all, of course, an illustration of one of the most fundamental principles of computer security. If someone else has physical access to your computer, it’s not your computer anymore. You’re literally at their mercy.

If you’re concerned about this issue, you should do three things:

1. Never leave your computer unlocked when you step away from the keyboard.

2. If you want to let someone borrow your computer, enable the guest account, which has limited user rights and no access to your confidential data.

3. Don’t save passwords in your browser. Use a third-party password manager instead, such as RoboForm, LastPass, or 1Password. All of those third-party products save your credentials in encrypted stores that require you to supply credentials before accessing plaintext passwords.
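
For anyone who manages Chrome on Linux machines, here is one way to check whether the third recommendation is actually enforced rather than left to each user. This is an added example, not part of the original article; the policy directory, the `PasswordManagerEnabled` policy name and the `credentials_enable_service` preference key are assumptions about current Chrome builds, and the status labels are hypothetical.

```python
import json
from pathlib import Path

# Assumption: Chrome on Linux reads machine-wide policies from this directory.
POLICY_DIR = Path("/etc/opt/chrome/policies/managed")


def load_policies(policy_dir=POLICY_DIR):
    """Merge all *.json policy files; the last file in name order wins."""
    merged = {}
    for path in sorted(Path(policy_dir).glob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed file contributes nothing
        if isinstance(data, dict):
            merged.update(data)
    return merged


def load_preferences(profile_dir):
    """Read a profile's Preferences file; empty dict if absent or corrupt."""
    try:
        text = (Path(profile_dir) / "Preferences").read_text(encoding="utf-8")
        data = json.loads(text)
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def password_saving_status(policies, preferences):
    """Classify whether this profile may save passwords, and who decided."""
    policy = policies.get("PasswordManagerEnabled")
    if policy is False:
        return "blocked-by-policy"    # the user cannot turn saving back on
    if policy is True:
        return "forced-on-by-policy"
    if preferences.get("credentials_enable_service") is False:
        return "off-by-user-choice"   # reversible from the settings page
    return "enabled"                  # default when nothing is set


def audit(policy_dir, profile_dir):
    """Combine policy and profile state into one status string."""
    return password_saving_status(load_policies(policy_dir),
                                  load_preferences(profile_dir))


if __name__ == "__main__":
    import tempfile
    # Constructed sample: one policy file and one profile in a temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        pol, prof = Path(tmp, "managed"), Path(tmp, "Default")
        pol.mkdir()
        prof.mkdir()
        (pol / "10-passwords.json").write_text('{"PasswordManagerEnabled": false}')
        (prof / "Preferences").write_text('{"credentials_enable_service": true}')
        print(audit(pol, prof))
```

Blocking new saves does not remove passwords already stored in the profile, so existing entries still need to be deleted or moved to a password manager.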

Meanwhile, I do hope that Google’s developers rethink this policy. Chrome aggressively encourages users to save and sync passwords, using this interface:

chrome-save-password

The least they could do is explain why this is perhaps not such a great idea for customers who are vulnerable to casual attacks.

Talkback

77 comments
  • Thanks Ed!

    Not that that would stop me from using Chrome or change my behavior (I always lock my computer when I am away), but I really appreciate that this brings up the awareness of browser password management.

    Good job Ed!
    Samic
    • this data probably also falls under googles genetic

      tos when it gets sent to their services for syncing which means they can publicly publish it, sell it to anyone they want, etc etc just like they can with all your google docs and emails.
      Johnny Vegas
      • Do show a link to the facts you present as being true.

        “this data probably also falls under googles genetic”
        “tos when it gets sent to their services for syncing which means they can publicly publish it, sell it to anyone they want, etc etc just like they can with all your google docs and emails.”

        Sad.....
        RickLively
        • Here is your link

          "When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content."

          http://www.google.com/intl/en/policies/terms/

          What he wrote is absolutely correct, typos withstanding.

          And as to the Firefox issue, it is a nontrivial thing that Mozilla's browser offers you the option to password protect your passwords...even if it is not enabled by default.

          Mozilla has their user's privacy in their DNA. Google has spying on their users in their DNA. Even if they do add password protection on the browser end, the simple fact is that Google still knows your password. Mozilla's cloud syncing is encrypted *even to them* so that they can't see your passwords even if they wanted to.
          x I'm tc
          • Not true

            Chrome's passwords are stored locally. They are synced (with your permission) in encrypted format. There is nothing to suggest that Google stores, retains, or uses your passwords.

            One can object to this particular design decision without going all tinfoil-hat on it.
            Ed Bott
          • Thank you

            For a dose of sanity on this. I use a Chromebook, and whenever I travel, it is either turned off (since starting takes only a few seconds), or if it's closed by sleeping, a password is required to access it. I would never, ever think of letting anybody use it under my account. Everything on the Chromebook is automatically encrypted, so (as usual) the user is the weak link in security.

            Syncing passwords, and many other data elements is a user choice, although the default setting is to sync everything. I'm comfortable with syncing passwords because (whether logically or not) I am not comfortable with trusting my passwords to a third-party password manager like Lastpass (which I tried for a while, and ultimately decided not to use).

            Your article should also have mentioned Google's 2-step verification, which makes it much more difficult for an account to be compromised.

            http://www.google.com/landing/2step/

            If my phone ever gets a text message with a verification code, and it's not from my activity, I will know that my Google account is under attack, and take appropriate steps.
            S_Deemer
          • I am not saying Google do exploit your passwords

            Just that they could. And it is possibly within their legal right to do so.

            Furthermore, RickLively asked for a link to where it says they can disseminate your info, and I obliged.

            But I don't think we have to wear "tin foil hats" to be deeply distrustful of Google. I consider them to be a spyware company. It is the raison d'être for Chrome's existence. For that reason, Chrome (and Google's other products) should generally be avoided if one can help it. I would note that there was no evidence that the NSA was monitoring nearly all Web traffic worldwide, until there was.
            x I'm tc
        • Their own ToS

          Straight from Google's terms of service. I will provide a direct quote for you.

          “When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”
          mikeh810
  • This is INSANE

    That total lack of understanding even the BASICS of layered security is mind boggling. That somebody would actually defend it as good design I can only understand if it's the response one of Google's lawyers insisted on as a means of establishing a defense against gross negligence.
    Mike Galos
    • Agreed!

      Also, I finally have proof that my rule to ALWAYS use chrome on workplace PCs in an incognito window isn't crazy.

      Jeez...
      Xabier Granja
    • lack of understanding ?

      First, any browser stores your password without using a master password, you would be able to use the password in the first place by simply visiting the webpages associated with them, if they are already not being used in the browser at that time. So once you have the physical access to unprotected user session the result would be the same.
      Secondly, almost every modern preinstalled Microsoft Windows system makes the first user of a machine in the administrators group by default. So no password prompts by UAC when running the admin tasks. In contrast, on other systems using sudo or su (both in case when you're in and not in the admin group) you have to explicitly and manually disable the password prompt.
      So where are the "basics of layered security" here?
      eulampius
      • s/any browser stores/if any browser stores/

        .
        eulampius
      • Simple

        A layered security also called defense in depth means you don't assume the layers that call you are perfectly secure so you don't have to implement security. You implement security so that the more important a secret is the more layers have to be breached in order to have it be vulnerable. You assume that the layers protecting you WILL have flaws that WILL be exploited and you protect your assets even if those layers are breached. It's why you implement file security even if access is via a network with share security, for example. In that case if somebody got in via a flaw in the network software they still wouldn't have access to the secure file.

        (There's also the issue of non-repudiation that this also violates but that's another problem they have)

        And, the issue isn't that they store a password. It's that they DISPLAY that password in plaintext without requiring security credentials beyond the machine logon.


        (oh, and even if you ARE admin you still have security elevation prompts. You just have to only acknowledge them and approve the elevation of the process rather than elevate them with a logon to a different security principal - see Ed's IE example above or try it yourself).

        I'm guessing from the line editor replace string syntax in your correction below that you come from a *ix background rather than Windows so perhaps you could tell us if Firefox and Chrome are equally broken on your platform of choice as they are on Windows and OS X.
        Mike Galos
        • Once again, Mike

          You seem to fail discerning the lack of layered security in the default setups of UAC, in other words, in most modern Windows systems. If a miscreant gets a hold of a typical Windows session, the user is pwned.

          Yes, on my LMDE system Firefox does allow to get to the password storing page. Not sure about Chrome(ium) though.
          As far as what gave me away is concerned. The subst. construct/command "s/" is pretty popular with many CROSSPLATFORM tools and programming languages, such as sed, Perl, vi(m), less/more etc. So, my "background" could have easily been Windows as well.
          eulampius
          • forgot to mention

            that personally, I do not always allow firefox to store passwords. An exception is the one for zdnet, e.g. My personal passwords are stored in text files, encrypted by gnupg. Pinentry key-manager handles the passphrase protecting them. There is also seahorse/mate-keyring, another passphrase/password caching agent on the system for some admin tasks.
            eulampius
          • Nope

            Actually the Windows system (including UAC) is a layered system.

            What Google is advising is that users should entirely trust all access to all resources to a successful logon. Seriously. Their "logic" is that if a person has physical access they theoretically have ALL access so anything after that is a deceptive "false sense of security" that should be avoided since teaching the users a lesson is more important than making the system secure to the 90%+ people who don't travel around with a set of hacking tools and an in depth knowledge of system internals. They negate both the idea of defense in depth and non-repudiation.

            As for identifying your shibboleth s/xxxs/yyyy syntax, yes, there ARE copies of 1960s style *ix tools on multiple platforms but aside from people who spend a LOT of time using them they've died the death they deserved as archaic remnants of a more primitive past along with card punches and DECwriter printer terminals. That they're "cross platform" really is only in the same sense of lowest common denominator thinking that afflicted the early days of Java when the debate was whether to support more than one mouse button since that would allow code that wasn't portable across all platforms.

            By comparison, very few Windows people still use edlin or copy con: to edit and create text files. The rest of us who spent time on things like vi gave it up when we decided that actually using a full screen editor made more sense than editing termcap entries files and working one line at a time. You went with LMDE and not just a text shell over a tty line so you obviously see the benefits.
            Mike Galos
          • SO

            No UAC password prompt for admin tasks is a layered security, while no password prompt for online accounts in Chrome(ium), Firefox is not. Okay, no other questions.
            >>As for identifying your shibboleth s/xxxs/yyyy ...
            Wow, just wow. Wheel is known for even longer, so what's your point? Did Microsoft come up already with their Perl, vim or even a terminal emulator? We all know how they did with their own "Bash" or rather Powershell, 15-20 years after the original one. What did they do all those years? They were saying that a shell, command line, a minimal headless system are all a "shibboleth", obsolete, morally outdated etc.
            >>By comparison, very few Windows people still use edlin or copy con: to edit and create text files

            Please, tell a GNU Emacs user something about text editors... I do prefer a gui, non-nox variant though. LMDE doesn't contract this paradigm, it just confirms it.
            eulampius
      • Accounts

        the key here is to use accounts. It is the most basic concept of any modern operating system (apart from personal devices like smartphones or iPads).

        Never use an administrator account as the default account. I always create user accounts without admin rights and if anybody is going to be using my computer when I am not sitting next to them, they get their own login or the guest login.

        It isn't a 100% guarantee, but for the average user it is more than enough.
        wright_is
        • Of course admin access isn't required to tamper with Chrome anyway

          As they insist on installing it in your user account instead of in the program files meaning that anyone who manages to exploit ANY security vuln gets to tamper with your web browser; whereas IE / Firefox / Opera / almost any other app written by someone competent in the last 10 years require admin privileges to tamper with.
          If they decide that layer of security is not necessary then they clearly don't believe in / understand defense in depth.
          mog0
      • Not quite the same

        Being able to access a password protected Web site when you are using someone's computer is still a security risk, but it is a much lesser one than being able to gain quick, unauditable access to someone's entire password list.
        x I'm tc