Skip to main content

Lay off Chrome – Firefox has the same password security ‘flaw’

lay off chrome firefox has the same password security flaw screen shot 2013 08 at 2 41 46 pm
Image used with permission by copyright holder

Google’s Chrome browser has come under fire this week after software developer Elliott Kember revealed on his Svbtle blog that he discovered that Chrome makes it possible for anyone with access to you computer to see all your saved passwords. Inevitably, the press (including Digital Trends) picked up the story, and began sounding the alarm bells.

As Kember explains, typing “chrome://settings/passwords” into the browser (or clicking Chrome>Preferences>Show advanced settings>Manage saved passwords) will bring up a box that contains your usernames and hidden passwords for each of your saved sites. Click on a password, and a box appears that allows you to show the actual password right there, in plain sight.

Recommended Videos

The problem people have with this system is that, if someone you don’t trust (like a thief or crappy roommate) gains physical access to your computer, they can easily get your login credentials for, potentially, every website, email account, and social network you use.

In response to Kember’s complaints, Justin Schuh, who works on Google Chrome Security, claimed in a thread on YCombinator’s Hacker News that he and his team have “literally spent years evaluating” the safest way to store passwords in Chrome, and that “quite a bit of data” supports the theory that storing passwords differently would “make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior.”

My reaction: How is this news? Why are we upset? And, if there is reason to be upset, why aren’t we blasting Firefox out of the sky for doing exactly the same thing? That’s right, Firefox does it, too. 

How is this Chrome ‘flaw’ news?

Let me preface this by saying, like Kember, I am not anything close to an expert on browser security. But I do know one thing: the system Chrome v28 has in place for viewing saved passwords is an improvement over what it was. In earlier versions, Chrome had only one “show passwords” button, and it revealed all the passwords at once. Now, you can select each password individually. Does the “problem” of someone gaining access to your computer and stealing your digital life still exist in both instances? Yes – but it’s certainly no worse now than it has been for a long time; I would say it’s a slight improvement, from a user perspective at least.

Why are we upset?

I’m going to go out on a limb here and assume that Schuh knows what he’s talking about when it comes to browser security. He works at Google, after all, and most of us do not. In other words, the way Chrome (and Firefox) store passwords by default probably is the best way to stop the most likely kind of attacks – those that come over the Web.

Yes, it may be possible for someone to snag your passwords if they have direct physical access to your computer. But, as Schuh explains, if that has happened “the game was lost.”

Plus, if you are particularly concerned this feature, remember that nobody is forcing you to save your passwords in your browser. In fact, most prudent cybersecurity folks will tell you that using a password manager is a far better way to keep yourself safe than going with Chrome’s offerings.

Firefox does it, too

Seriously, the default password saving feature in Firefox is virtually identical to Chrome’s – save for the fact that clicking “show passwords” shows all the passwords. Here’s a quick video I shot of what I’m talking about:

Now, this is just for the default settings for saving passwords in Firefox. The browser actually has a fairly good quality password manager built in. Under Firefox>Preferences>Security, click the box that says “Use a master password.” You’ll then be prompted to create a relatively high quality master password, meaning you can’t create it unless you use all the tricks: symbols, capital letters, numbers, and a good length. Only after you meet all those criteria will Firefox let you create the master password, which will then be required to see all your saved passwords. You will also have to input your master password on any site for which you’ve saved your login credentials – all of which adds an extra level of security in case someone bad really does snag your laptop.

Deep breath, everyone

Okay, so this feature does make Firefox more secure than Chrome, but that compliment only applies if you’ve enabled the master password feature in Firefox, which absolutely nobody tells you to do.

Furthermore, the downside to Chrome is also one of the things that makes it such a useful browser; because you can log into Chrome from any computer that has it, a hacker would really only need to crack your Google account password to then have access to your login credentials – and he or she wouldn’t need physical access to your computer to exploit that loophole. (Why is this not the thing we’re all pissed off about?) Good news is, you can turn on two-step authentication on your Google account, which will make that security gap far tighter.

So there you have it, folks, storing your passwords in your browser is probably a dumb idea, especially if you go with the default settings and have a crappy password “protecting” your Google account. Moving along …

Topics
Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…
This massive exploit lets hackers breach apps like Chrome, 1Password, and Telegram
A dark mystery hand typing on a laptop computer at night.

A massive security bug has just been discovered that affects WebP images used in untold numbers of websites and apps, and it could potentially let hackers break into your computer and extract data from it. In fact, Google has already seen it being actively exploited in the wild. Because of that, it’s essential that you patch your computer as soon as possible.

The discovery has been detailed by researcher Alex Ivanovs, who wrote about the bug in a blog post. Right now, it seems to affect almost all of the best web browsers, including Chrome, Firefox, Edge, and Brave. WebP images are used all over the web, meaning huge numbers of sites and apps could be affected.

Read more
Chrome is making a key change to protect you from phishing
Google Chrome with pinned tabs on a MacBook on a table.

Phishing campaigns -- where a fraudulent website or email is made to look like it comes from a legitimate source -- have caused a huge amount of destruction, leading to untold numbers of virus infections and money lost through scams. Google has just rolled out a powerful way to fight phishing in its Chrome browser, however, and it could help you avoid falling victim.

As part of Chrome’s 15th-anniversary update, Google will be pushing its Enhanced Safe Browsing feature to all users in the coming weeks. This checks website URLs against a list of malicious sites stored on Google’s cloud servers, all in real time. If a match is found, the website is blocked and a warning is displayed to users.

Read more
Chrome has a security problem — here’s how Google is fixing it
Google Chrome icon in mac dock.

Google is looking to get ahead of high-severity vulnerabilities on its Chrome browser by shortening the time between security updates.

The brand hopes that more frequent updates will give bad actors less time to access and exploit n-day and zero-day flaws found within Chrome browser code.

Read more