Lay off Chrome – Firefox has the same password security ‘flaw’

lay off chrome firefox has the same password security flaw screen shot 2013 08 at 2 41 46 pm

Google’s Chrome browser has come under fire this week after software developer Elliott Kember revealed on his Svbtle blog that he discovered that Chrome makes it possible for anyone with access to you computer to see all your saved passwords. Inevitably, the press (including Digital Trends) picked up the story, and began sounding the alarm bells.

As Kember explains, typing “chrome://settings/passwords” into the browser (or clicking Chrome>Preferences>Show advanced settings>Manage saved passwords) will bring up a box that contains your usernames and hidden passwords for each of your saved sites. Click on a password, and a box appears that allows you to show the actual password right there, in plain sight.

The problem people have with this system is that, if someone you don’t trust (like a thief or crappy roommate) gains physical access to your computer, they can easily get your login credentials for, potentially, every website, email account, and social network you use.

In response to Kember’s complaints, Justin Schuh, who works on Google Chrome Security, claimed in a thread on YCombinator’s Hacker News that he and his team have “literally spent years evaluating” the safest way to store passwords in Chrome, and that “quite a bit of data” supports the theory that storing passwords differently would “make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior.”

My reaction: How is this news? Why are we upset? And, if there is reason to be upset, why aren’t we blasting Firefox out of the sky for doing exactly the same thing? That’s right, Firefox does it, too. 

How is this Chrome ‘flaw’ news?

Let me preface this by saying, like Kember, I am not anything close to an expert on browser security. But I do know one thing: the system Chrome v28 has in place for viewing saved passwords is an improvement over what it was. In earlier versions, Chrome had only one “show passwords” button, and it revealed all the passwords at once. Now, you can select each password individually. Does the “problem” of someone gaining access to your computer and stealing your digital life still exist in both instances? Yes – but it’s certainly no worse now than it has been for a long time; I would say it’s a slight improvement, from a user perspective at least.

Why are we upset?

I’m going to go out on a limb here and assume that Schuh knows what he’s talking about when it comes to browser security. He works at Google, after all, and most of us do not. In other words, the way Chrome (and Firefox) store passwords by default probably is the best way to stop the most likely kind of attacks – those that come over the Web.

Yes, it may be possible for someone to snag your passwords if they have direct physical access to your computer. But, as Schuh explains, if that has happened “the game was lost.”

Plus, if you are particularly concerned this feature, remember that nobody is forcing you to save your passwords in your browser. In fact, most prudent cybersecurity folks will tell you that using a password manager is a far better way to keep yourself safe than going with Chrome’s offerings.

Firefox does it, too

Seriously, the default password saving feature in Firefox is virtually identical to Chrome’s – save for the fact that clicking “show passwords” shows all the passwords. Here’s a quick video I shot of what I’m talking about:

Now, this is just for the default settings for saving passwords in Firefox. The browser actually has a fairly good quality password manager built in. Under Firefox>Preferences>Security, click the box that says “Use a master password.” You’ll then be prompted to create a relatively high quality master password, meaning you can’t create it unless you use all the tricks: symbols, capital letters, numbers, and a good length. Only after you meet all those criteria will Firefox let you create the master password, which will then be required to see all your saved passwords. You will also have to input your master password on any site for which you’ve saved your login credentials – all of which adds an extra level of security in case someone bad really does snag your laptop.

Deep breath, everyone

Okay, so this feature does make Firefox more secure than Chrome, but that compliment only applies if you’ve enabled the master password feature in Firefox, which absolutely nobody tells you to do.

Furthermore, the downside to Chrome is also one of the things that makes it such a useful browser; because you can log into Chrome from any computer that has it, a hacker would really only need to crack your Google account password to then have access to your login credentials – and he or she wouldn’t need physical access to your computer to exploit that loophole. (Why is this not the thing we’re all pissed off about?) Good news is, you can turn on two-step authentication on your Google account, which will make that security gap far tighter.

So there you have it, folks, storing your passwords in your browser is probably a dumb idea, especially if you go with the default settings and have a crappy password “protecting” your Google account. Moving along …

Product Review

Size matters not. Acer's Predator Orion 3000 is a pint-sized PC Vader would use

Choosing the right gaming PC can be an overwhelming decision, but thankfully that’s not the case as Acer has configured the Predator Orion 3000 with solid components, delivering competitive performance for its value.
Deals

Walmart chops $175 off the 2017 10.5-inch, 64GB iPad Pro

Discounts on Apple products are hard to come by, even when it involves prior generation products. However, we've spotted a sale on 2017 iPad Pro tablet at Walmart, with some colors as much as $175 off retail.
Computing

The fabled 16-inch MacBook Pro could launch this October

Rumors have been swirling around the new 16-inch MacBook Pro, and a new report claims it could be in your hands this October. That’s not all, as the same report predicts refreshes to the MacBook Air and 13-inch MacBook Pro.
Computing

Besides a rumored launch in October, the 16-inch MacBook Pro is a mystery

An all-new MacBook Pro is on the horizon, with Apple said to equip its new laptop with a 16-inch display and powerful processors. We’ve got everything you need to know here, from price and performance to release date and rumors.
Computing

Battle of the bezels: Can the ZenBook S13 outdo the fan-favorite XPS 13?

The Asus ZenBook S13 wants to take on the Dell XPS 13 in the tiny-bezel laptop wars. The ZenBook is fast and well-built, but does it offer enough value to take on our favorite small laptop?
Computing

Ryzen 3000 has already made huge impact, and it's only getting started

AMD's upcoming Ryzen 3000 generation of CPUs could be the most powerful processors we've ever seen, with higher core counts, greater clock speeds, and competitive pricing. Here's what we know so far.
Computing

Microsoft patent hints at new ways to interact with dual-screen Surface tablet

It is no secret that Microsoft has been working on a folding dual-screen Surface tablet, but now a recent patent suggests that the Surface Centarus could feature multifunction buttons.
Computing

The choice between the 13-inch and 15-inch MacBook Pros is about more than size

If you’re in the market for a new MacBook Pro, which model should you choose? Is the MacBook Pro 13 or MacBook Pro 15 the best option for you? Don’t worry, our guide will help you decide which model to go for.
Computing

AMD's Ryzen CPUs offer some of the best bang for the buck, but which is best?

AMD's Ryzen CPUs have had a huge impact on the PC industry, from gaming to productivity, but which ones are the best? To find out we put some of the chips through their paces and came out with some solid recommendations.
Computing

Does Equifax owe you money? Here’s how you can find out

Equifax has agreed to a settlement for its 2017 data breach that includes restitution payments and other benefits for consumers affected by the data breach. Here's what we know so far about these payments and benefits and how to claim them.
Computing

NZXT’s H510 PC case brings style and sophistication to your custom gaming rig

Are you looking to upgrade your gaming desktop by building your own gaming PC? NZXT's H510 PC case, which comes in a compact tower form factor, will help bring modern styling to your gaming desktop PC for just $79.
Deals

The ZenBook Pro 15 laptop is now $370 off at B&H for back-to-school season

Summer may feel like it’s in full swing, but back-to-school season is almost here. Now at B&H ahead of back to school season, you can score an Asus ZenBook Pro 15 UX550 GE laptop for just $1,129 through August 31.
Computing

A year ahead of Libra’s launch, scammers are already setting up shop on Facebook

With about a year to go until Facebook's cryptocurrency becomes available to the public, scammers are already setting up shop on Instagram, Twitter, and Facebook itself by pushing fake discount exchanges.
Home Theater

Confused about LED vs. LCD TVs? Here's everything you need to know

Our LED vs. LCD TV buying guide explains why these two common types of displays are fundamentally connected, how they differ, what to look for when buying an LED TV, and what's next for TV technology.