Google’s Chrome browser has come under fire this week after software developer Elliott Kember revealed on his Svbtle blog that he discovered that Chrome makes it possible for anyone with access to your computer to see all your saved passwords. Inevitably, the press (including Digital Trends) picked up the story, and began sounding the alarm bells.
As Kember explains, typing “chrome://settings/passwords” into the browser (or clicking Chrome>Preferences>Show advanced settings>Manage saved passwords) will bring up a box that contains your usernames and hidden passwords for each of your saved sites. Click on a password, and a box appears that allows you to show the actual password right there, in plain sight.
The problem people have with this system is that, if someone you don’t trust (like a thief or crappy roommate) gains physical access to your computer, they can easily get your login credentials for, potentially, every website, email account, and social network you use.
In response to Kember’s complaints, Justin Schuh, who works on Google Chrome Security, claimed in a thread on YCombinator’s Hacker News that he and his team have “literally spent years evaluating” the safest way to store passwords in Chrome, and that “quite a bit of data” supports the theory that storing passwords differently would “make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior.”
My reaction: How is this news? Why are we upset? And, if there is reason to be upset, why aren’t we blasting Firefox out of the sky for doing exactly the same thing? That’s right, Firefox does it, too.
How is this Chrome ‘flaw’ news?
Let me preface this by saying, like Kember, I am not anything close to an expert on browser security. But I do know one thing: the system Chrome v28 has in place for viewing saved passwords is an improvement over what it was. In earlier versions, Chrome had only one “show passwords” button, and it revealed all the passwords at once. Now, you can select each password individually. Does the “problem” of someone gaining access to your computer and stealing your digital life still exist in both instances? Yes – but it’s certainly no worse now than it has been for a long time; I would say it’s a slight improvement, from a user perspective at least.
Why are we upset?
I’m going to go out on a limb here and assume that Schuh knows what he’s talking about when it comes to browser security. He works at Google, after all, and most of us do not. In other words, the way Chrome (and Firefox) store passwords by default probably is the best way to stop the most likely kind of attacks – those that come over the Web.
Yes, it may be possible for someone to snag your passwords if they have direct physical access to your computer. But, as Schuh explains, if that has happened “the game was lost.”
Plus, if you are particularly concerned about this feature, remember that nobody is forcing you to save your passwords in your browser. In fact, most prudent cybersecurity folks will tell you that using a password manager is a far better way to keep yourself safe than going with Chrome’s offerings.
Firefox does it, too
Seriously, the default password saving feature in Firefox is virtually identical to Chrome’s – save for the fact that clicking “show passwords” shows all the passwords. Here’s a quick video I shot of what I’m talking about:
Now, this is just for the default settings for saving passwords in Firefox. The browser actually has a fairly good quality password manager built in. Under Firefox>Preferences>Security, click the box that says “Use a master password.” You’ll then be prompted to create a relatively high quality master password, meaning you can’t create it unless you use all the tricks: symbols, capital letters, numbers, and a good length. Only after you meet all those criteria will Firefox let you create the master password, which will then be required to see all your saved passwords. You will also have to input your master password on any site for which you’ve saved your login credentials – all of which adds an extra level of security in case someone bad really does snag your laptop.
Deep breath, everyone
Okay, so this feature does make Firefox more secure than Chrome, but that compliment only applies if you’ve enabled the master password feature in Firefox, which absolutely nobody tells you to do.
Furthermore, the downside to Chrome is also one of the things that makes it such a useful browser; because you can log into Chrome from any computer that has it, a hacker would really only need to crack your Google account password to then have access to your login credentials – and he or she wouldn’t need physical access to your computer to exploit that loophole. (Why is this not the thing we’re all pissed off about?) The good news is, you can turn on two-step authentication on your Google account, which will make that security gap far tighter.
So there you have it, folks, storing your passwords in your browser is probably a dumb idea, especially if you go with the default settings and have a crappy password “protecting” your Google account. Moving along …