Who's in bed with Chrome on reckless password management?

There's plenty of room under the blankets of poor security.
Written by John Fontana, Contributor

In 2008, the then-venerable Bugtraq mailing list sent out this warning: "Chrome stores passwords in CLEAR TEXT."

In 2011, The Windows Club blog reported: "Chrome, Firefox expose passwords in plain text."

In 2012, timmy_42 wrote in a Google Group discussion on Chrome: "Chrome devs have said many times that they won't add a master password."

In 2013, Elliott Kember "exposed" "Chrome's insane password security strategy."

Word of Chrome's password shortcomings is not news, it is trend to be swept away by tomorrow's "newly discovered" controversy and resurrected in another five years by the next "sleuth" to stumble upon the "truth."

It's been five years of Chrome warnings, folks. How have you changed your behavior?

If you haven't, whose fault is that in 2013 with a digital network that's recently looked like a surveillance state?

How long will Internet end-users sit back and figure that Google, Facebook, Apple, or any other service provider will choose the user's digital well-being over service rollouts, market share and revenue numbers?

It won't happen. It won't be legislated. And there won't be any Superheroes to save the day.

But end-users who gulp down convenience without considering security exposure are fooling themselves. It's the oldest trade-off in computer science.

In response to growing criticism over the past few days, Justin Schuh, head of Chrome security, responded to Kember: "It matters that you don't seem to understand the threat model here."

And while Schuh was defending Google's password management implementation, in more generic terms he hit at the heart of the larger issue.

It matters that a sizeable chunk of Internet users have little idea how to defend themselves in a mean and nasty CyberWorld that delights in soiling reputations and emptying pockets. Many end-users have their defenses down even though they have their personal and private data out.

Ignorance is not an excuse. Information on Chrome's password storage has been in the public domain for five years. And Google's vow not to change their browser has been heard for nearly that long.

Ask yourself, who's at fault here?

Google shouldn't offer a master password to guard passwords stored in Chrome, it should kill the browser's password storage feature. And so should every other browser vendor.

The cry to Facebook two years ago was that privacy settings should be opt-in. Why should it be any different for a password management system that could put your digital life at risk?

But end-users who gulp down convenience without considering security exposure are fooling themselves. It's the oldest trade-off in computer science.

It's mind boggling that users could be so blind. In the real world, I clearly understand why I shouldn't store my cash in my neighbor's mailbox. But the same sort of logic seems lost on the virtual world.

One commenter on a Hacker News discussion list argued that his bank account passwords, Amazon password and passwords to other financial accounts are at risk even from computer novices who could dig his credentials out of Chrome.

Really! Bank-account passwords stored in Chrome?

Shouldn't the concern be over storing personal security information in a browser offered for free from a company that tracks your digital footprints, collects data about you via that same browser, and sells that information to third-parties?

I'm assuming end-users have at least heard this news about Google and Chrome over the past five years.

Google is being hounded for not being responsible.

And while that might be half the case, I argue the other half is irresponsible users storing valuable credentials in a piece of software the vendor has said repeatedly will not protect you from prying eyes.

We chastise Google for clearly stating (and defending) their password storage policy (no matter how crazy some think it is) while in the same breath we beg them to clearly state their terms and conditions. And then we fail to act accordingly in either instance.

In Dec. 2011, three years after Bugtraq first said Chrome stores passwords in plain text, the browser became the most popular Web client with nearly 24% of the worldwide market, according to StatCounter.

Clearly few are getting the security vulnerability message in clear text.

It's time that we learn not to hide our digital valuables in the first dialog box that asks to store our credentials and offers an "OK" button.

It's time to educate, not criticize. It's time to change our own behavior as much as we want the vendor to change theirs.

Editorial standards