Who's in bed with Chrome on reckless password management?

Summary: There's plenty of room under the blankets of poor security.


In 2008, the then-venerable Bugtraq mailing list sent out this warning: "Chrome stores passwords in CLEAR TEXT."

In 2011, The Windows Club blog reported: "Chrome, Firefox expose passwords in plain text."

In 2012, timmy_42 wrote in a Google Group discussion on Chrome: "Chrome devs have said many times that they won't add a master password."

In 2013, Elliott Kember "exposed" "Chrome's insane password security strategy."

Word of Chrome's password shortcomings is not news; it is a trend to be swept away by tomorrow's "newly discovered" controversy and resurrected in another five years by the next "sleuth" to stumble upon the "truth."

It's been five years of Chrome warnings, folks. How have you changed your behavior?

If you haven't, whose fault is that in 2013 with a digital network that's recently looked like a surveillance state?

How long will Internet end-users sit back and figure that Google, Facebook, Apple, or any other service provider will choose the user's digital well-being over service rollouts, market share and revenue numbers?

It won't happen. It won't be legislated. And there won't be any Superheroes to save the day.

But end-users who gulp down convenience without considering security exposure are fooling themselves. It's the oldest trade-off in computer science.

In response to growing criticism over the past few days, Justin Schuh, head of Chrome security, responded to Kember: "It matters that you don't seem to understand the threat model here."

And while Schuh was defending Google's password management implementation, in more generic terms he hit at the heart of the larger issue.

It matters that a sizeable chunk of Internet users have little idea how to defend themselves in a mean and nasty CyberWorld that delights in soiling reputations and emptying pockets. Many end-users have their defenses down even though they have their personal and private data out.

Ignorance is not an excuse. Information on Chrome's password storage has been in the public domain for five years. And Google's vow not to change their browser has been heard for nearly that long.

Ask yourself, who's at fault here?

Google shouldn't offer a master password to guard passwords stored in Chrome; it should kill the browser's password storage feature. And so should every other browser vendor.

The cry to Facebook two years ago was that privacy settings should be opt-in. Why should it be any different for a password management system that could put your digital life at risk?

It's mind boggling that users could be so blind. In the real world, I clearly understand why I shouldn't store my cash in my neighbor's mailbox. But the same sort of logic seems lost on the virtual world.

One commenter on a Hacker News discussion list argued that his bank account passwords, Amazon password and passwords to other financial accounts are at risk even from computer novices who could dig his credentials out of Chrome.

Really! Bank-account passwords stored in Chrome?

Shouldn't the concern be over storing personal security information in a browser offered for free by a company that tracks your digital footprints, collects data about you via that same browser, and sells that information to third parties?

I'm assuming end-users have at least heard this news about Google and Chrome over the past five years.

Google is being hounded for not being responsible.

And while that might be half the case, I argue the other half is irresponsible users storing valuable credentials in a piece of software the vendor has said repeatedly will not protect you from prying eyes.

We chastise Google for clearly stating (and defending) their password storage policy (no matter how crazy some think it is) while in the same breath we beg them to clearly state their terms and conditions. And then we fail to act accordingly in either instance.

In Dec. 2011, three years after Bugtraq first said Chrome stores passwords in plain text, the browser became the most popular Web client with nearly 24% of the worldwide market, according to StatCounter.

Clearly few are getting the security vulnerability message in clear text.

It's time that we learn not to hide our digital valuables in the first dialog box that asks to store our credentials and offers an "OK" button.

It's time to educate, not criticize. It's time to change our own behavior as much as we want the vendor to change theirs.

Topics: Security, Enterprise 2.0

About

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Talkback

40 comments
  • Confusion?

    "The cry to Facebook two years ago was that privacy settings should be opt-in. Why should it be any different for a password management system that could put your digital life at risk?"

    Saving a password is opt-in for each and every password, with an explanation. People are acting like some sort of encryption would protect these passwords and then make it safe to leave your computer unlocked? Encryption won't help, and there are plenty of other security risks involved with browsers (Java applets still being one most aren't secure from).
    alex_darkness
  • thoughts

    "It's been five years of Chrome warnings, folks. How have you changed your behavior?"

    Installed LastPass, disabled Google's built-in password management. Didn't know about this particular vulnerability, but I've known that browsers sometimes have less than ideal protection.

    "Ask yourself, who's at fault here?"

    There is no one person at fault - and the Google browser could do a better job at educating users. And when users *are* educated, they should be given the tools to protect themselves. Google's strategy is far less than ideal; blaming the users won't fix them.

    "In the real world, I clearly understand why I shouldn't store my cash in my neighbor's mailbox."

    Google's password manager shouldn't be the equivalent of your neighbor's mailbox. It should be the equivalent of a lockbox in your house.

    One person said it an interesting way: Their valuables and guns are locked up separately from the rest of their house, because they don't want people to have access to them even when they're allowed access to the house for, say, a party.
    CobraA1
    • LastPass - a good answer

      @CobraA1, good call. I use LastPass, and also disabled the password management in Google Chrome.
      rfoard
    • Thoughts

      Exactly! To expect your average user to keep up with every tech article out there and know about every flaw as they come out is absurd. Yea, people should be educated, but the products that we use should also be held to a higher standard. You wouldn’t expect your bank to say, “Well, it’s not our job to keep your money safe,” or your smartphone maker to say, “Well, you shouldn’t have stored your pictures on your phone.” Just like we expect our money to be safe in a bank, we should expect our data to be safe in services we use; especially for companies as big as Google. There is no excuse for them to not have layered security. If they are too lazy to do that, then stop asking to store passwords in a way that makes the average user think that it’s safe.

      The author’s arrogance in thinking that every user should know by now about this flaw is baffling. I’m an IT guy and I hadn’t even heard of this before the recent outcry (though I had with Firefox), and you expect my Grandma to have known better? I know that it’s not as secure to store passwords in your browser, but it shouldn’t be as easy as some non-techie guy finding out about this flaw and being able to find all of my Grandma’s passwords within one minute of being on the computer. They should at least have to work for it.

      Yea.. yea.. you shouldn’t let anyone on your computer under your account. Honestly, not everyone is that paranoid about people being able to look at their pictures on their computer. Some people don’t want to set up another account just so they can let someone check their facebook real quick. Like CobraA1 pointed out, you invite people to your house, but keep your valuables locked up. For a lot of people, the only “valuables” they have on the computer are on websites, which should be “locked in the lockbox.”

      There is no reason that passwords should be that easy to find regardless of the “right” way of doing things. I don’t like to let people see my paycheck, but in the off-chance that someone does, I wouldn’t want my social security number and my bank PIN on there. Oh, but people shouldn’t see it anyway, so it’s your fault that they stole your identity, not whoever put all your information on there. What a load of crap. Get over yourself John Fontana.
      dblizard87
  • I will say this again, stay away from Google services for good

    Most Google platforms are poorly designed; the code is taken from open source projects and the technology is pirated or copied from competing firms. Take Android for example: Java is a stolen technology.

    Google creates a lot of shoddy services on top of these platforms so that anybody could abuse them and the ultimate benefactor is Google...

    Stay away from cheap Google products and services.
    OwlllllllNet
    • Right on schedule...

      OwlllllllNet can always be counted on for a misinformed response.
      S_Deemer
    • Same for Microsoft

      Stay away from All Microsoft products and services too...
      itguy10
    • do you mean beneficiary?

      I think you do. Or maybe you don't know the definition of a benefactor.
      Drew@...
    • yes but howlnet, you're a Microsoft shill.

      Why would we believe you spruiking Microsoft and slagging Google, when Microsoft are a twice convicted predatory monopolist with their own privacy issues that are trying to do all the same things Google do, they just are not as good at it.

      Microsoft also have a far far far far worse historic security record than Google.

      You keep shilling and I and others will keep shining a light on it. Eventually whomever pulls your strings will realize that having Microsoft's shady history pointed out whenever you post your "opinions" is not in their best interest.
      frankieh
  • I agree with Google: not a real issue

    I think the issue is a bit overblown.

    The real security flaw is letting anyone have access to your computer. That person has access to all of your files and all of your programs, including ... the email client that can be used to reset passwords by email :)

    If your computer contains personal and sensitive data then nobody else should have access to it period. If it's a shared machine then you should not store sensitive information on it including saved passwords.

    I fail to see a scenario in which somebody has access to my PC and encrypted Chrome passwords are what keep my data safe.
    galaxstar
    • It is a matter of time

      If they only have a short period of time, then plaintext passwords are readily available, but encrypted passwords would take more time to decrypt.
      grayknight
      • Actually, it only takes a few minutes to break them.

        ANY symmetric encryption can be broken in just a few minutes.

        All it takes is a decent rainbow table.
        jessepollard
        • Really?

          AES-256 is a robust symmetric encryption algorithm. If a strong password is used and stored with salt, can it really be brute forced like you say?
          arpitchauhan
    • Chrome in the Enterprise is not trustworthy

      Passwords in clear text just expose the naiveté of Google security devs. With so much activity going on at my enterprise clients, no one needs to own a box longer than 2 minutes to open Chrome, go to settings, take a pic with their smartphone and close up. Easy case, happens all the time: a disgruntled employee goes to help another user in their office or cube. The user needing help grabs coffee or whatever, giving the disgruntled employee just enough time to take a picture of the Chrome passwords to play with later. Not a very sophisticated attack, but they're the best kind.

      Chrome devs and Google are looking like amateurs.
      n0mad3
      • Re: Chrome in the Enterprise is not trustworthy

        To be honest, any enterprise computer should not have any browser installed that can't be locked to stop the user from saving any passwords in it.
        If you can't lock Chrome using whatever device administration tool you have, lock out installs unless approved.
        It's definitely not Google's responsibility to take the lead in an enterprise corporation's security, unless they are supplying them directly, in which case all required steps will be taken as per the requirements of the security team.
        Boothy_p
        • we force unattended screen lock via policy.

          Anyone with access to your PC can run a keylogger in userspace and catch your passwords in any browser. Google are correct in that regard.

          We force machines to lock quickly when not used to stop just that issue. And we educate users to lock their machines when away from them. Anything else is false security.

          Having said that, I wish Google would just add a master password so people who want it can have it and we can move on.
          frankieh
  • how can you when majority use gmail....

    I use Gmail and it's far better than the new Outlook, so don't push it as your pure Windows with phone, tablet and computer... so don't push something that you don't own personally, for example any Google or Apple products, so don't make acquisitions without facts, otherwise you're putting out biased info, and the majority of people I know don't care, so you can live like that; I fear of taking info.. you're just jealous that Google products don't exist on Windows Phone and don't have plans to do so, so quit whining and talking trash about Android and even iOS... Google Maps, Gmail, YouTube and Translate are way better products than what Microsoft produces...
    ITGuy000
    • Could you try again, using some form of English?

      Your post makes absolutely no sense. IOS?? Windows Phone? Acquisitions?
      I didn't see where Mr. Fontana was "pushing" anything other than using common sense, which is good advice. Your post...not so much.
      wizard57m-cnet
      • Agreed - spelling, punctuation, grammar are approximately 3rd-grade level

        (talking about retrofan) So I wonder about the content. Same emotional maturity as the 3rd grade kid, certainly, so probably not much objective judgement either.

        The power of the Internet is that just about everyone has access. The weakness of the Internet is the same.
        chrisbedford
  • Allowing JavaScript to run everywhere is worse. Watering hole attacks?

    From the article:
    "But end-users who gulp down convenience without considering security exposure are fooling themselves."

    Many more users get nailed with JavaScript than with password exposure via their web browser. Let's talk about whitelisting one's frequently-visited, legitimate web sites and making JavaScript available, by default, only to those whitelisted sites.

    The Google Chrome browser has this capability built-in, but the user must choose to use it. Ditto with Opera. With Mozilla Firefox, one must download, install, configure and use the NoScript add-on. And with Internet Explorer, one must use a Windows server OS because Enhanced Security Configuration for IE is not available as an option for Windows client OSs.
    Rabid Howler Monkey