Anyone can see your saved passwords in Chrome

And Google is ok with that

Shiladitya Mallik
Published in I. M. H. O.
3 min read, Aug 8, 2013

All those Chrome users sitting snugly, carefree at the thought of using the most secure of the mainstream browsers, wake up! A few days back Elliott Kember, a developer at design and development studio Riot, pointed out that Chrome lets anyone with access to your computer see all the passwords stored in it.

“There’s no master password, no security, not even a prompt that ‘these passwords are visible’.”
Elliott Kember

This is as simple as it gets:

  1. Go to Chrome > Settings > Show advanced settings > Manage saved passwords
  2. Click on the Show button on any of the saved password rows

Easy access to all passwords!

That’s it. All your passwords are just a few clicks away from any interested intruder.

When I first heard of this, I was sure that Google would come up with a master password solution to fix this immediately. However, Chrome’s browser security tech head, Justin Schuh, has now clarified that Google feels it is of no use to fix this bug, as anyone gaining access to your system can always beat any master password security.

We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior.

I have not heard such a bad argument in many years.

I live in a gated community with quite a tight security system — CCTVs, boom-barriers and the works. I’m sure it is pretty difficult for any unauthorized person to enter the premises. As per Mr. Schuh’s argument, I should not bother locking my flat door, as anyone able to intrude into the complex can anyways pick the door lock!

A very simple reason to have an added layer of security is to differentiate between crimes of intent and crimes of opportunity. If your car windows are rolled down, any passer-by can pick up the laptop inside. If they are not, it would probably take a desperate thug to break through the glass. By showing passwords in a few clicks, Chrome is making it ridiculously easy for anyone who has access to snoop.

While phones are personal devices, laptops are less so, and many families have a shared desktop with a common login. All these shared devices are then vulnerable to snooping. You may argue that your sister isn't tech-savvy enough to find out, and probably she isn't. But we all know that security through obscurity does not work. Is asking for authentication to view the stored passwords too much? I don’t think so.
