Lay off Chrome – Firefox has the same password security ‘flaw’


Google’s Chrome browser has come under fire this week after software developer Elliott Kember revealed on his Svbtle blog that Chrome makes it possible for anyone with access to your computer to see all your saved passwords. Inevitably, the press (including Digital Trends) picked up the story, and began sounding the alarm bells.

As Kember explains, typing “chrome://settings/passwords” into the browser (or clicking Chrome>Preferences>Show advanced settings>Manage saved passwords) will bring up a box that contains your usernames and hidden passwords for each of your saved sites. Click on a password, and a box appears that allows you to show the actual password right there, in plain sight.

The problem people have with this system is that, if someone you don’t trust (like a thief or crappy roommate) gains physical access to your computer, they can easily get your login credentials for, potentially, every website, email account, and social network you use.

In response to Kember’s complaints, Justin Schuh, who works on Google Chrome Security, claimed in a thread on YCombinator’s Hacker News that he and his team have “literally spent years evaluating” the safest way to store passwords in Chrome, and that “quite a bit of data” supports the theory that storing passwords differently would “make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior.”

My reaction: How is this news? Why are we upset? And, if there is reason to be upset, why aren’t we blasting Firefox out of the sky for doing exactly the same thing? That’s right, Firefox does it, too. 

How is this Chrome ‘flaw’ news?

Let me preface this by saying, like Kember, I am not anything close to an expert on browser security. But I do know one thing: the system Chrome v28 has in place for viewing saved passwords is an improvement over what it was. In earlier versions, Chrome had only one “show passwords” button, and it revealed all the passwords at once. Now, you can select each password individually. Does the “problem” of someone gaining access to your computer and stealing your digital life still exist in both instances? Yes – but it’s certainly no worse now than it has been for a long time; I would say it’s a slight improvement, from a user perspective at least.

Why are we upset?

I’m going to go out on a limb here and assume that Schuh knows what he’s talking about when it comes to browser security. He works at Google, after all, and most of us do not. In other words, the way Chrome (and Firefox) store passwords by default probably is the best way to stop the most likely kind of attacks – those that come over the Web.

Yes, it may be possible for someone to snag your passwords if they have direct physical access to your computer. But, as Schuh explains, if that has happened “the game was lost.”

Plus, if you are particularly concerned about this feature, remember that nobody is forcing you to save your passwords in your browser. In fact, most prudent cybersecurity folks will tell you that using a password manager is a far better way to keep yourself safe than going with Chrome’s offerings.

Firefox does it, too

Seriously, the default password saving feature in Firefox is virtually identical to Chrome’s – save for the fact that clicking “show passwords” shows all the passwords. Here’s a quick video I shot of what I’m talking about:

Now, this is just for the default settings for saving passwords in Firefox. The browser actually has a fairly good quality password manager built in. Under Firefox>Preferences>Security, click the box that says “Use a master password.” You’ll then be prompted to create a relatively high quality master password, meaning you can’t create it unless you use all the tricks: symbols, capital letters, numbers, and a good length. Only after you meet all those criteria will Firefox let you create the master password, which will then be required to see all your saved passwords. You will also have to input your master password on any site for which you’ve saved your login credentials – all of which adds an extra level of security in case someone bad really does snag your laptop.

Deep breath, everyone

Okay, so this feature does make Firefox more secure than Chrome, but that compliment only applies if you’ve enabled the master password feature in Firefox, which absolutely nobody tells you to do.

Furthermore, the downside to Chrome is also one of the things that makes it such a useful browser; because you can log into Chrome from any computer that has it, a hacker would really only need to crack your Google account password to then have access to your login credentials – and he or she wouldn’t need physical access to your computer to exploit that loophole. (Why is this not the thing we’re all pissed off about?) Good news is, you can turn on two-step authentication on your Google account, which will make that security gap far tighter.

So there you have it, folks, storing your passwords in your browser is probably a dumb idea, especially if you go with the default settings and have a crappy password “protecting” your Google account. Moving along …

