This is embarrassing. What The Guardian (and, earlier, HN) is describing simply isn't a security flaw; rather, HN appears to have had a mild temper tantrum over the lack of a cosmetic "security" feature that, had Chrome implemented it, could have just as easily led to another temper tantrum over how easy it is to bypass.
I think Chrome's implementation of security is flawed. If you stop thinking about this security as being a switch which is on or off and instead as a granular scale then you'll agree that Chrome's password handling is as low on that scale as possible. Now just so you know, I'm agreeing that Chrome can't fully lock down your passwords and I'm OK with the reasons why (convenience), but their doing something wrong here, they're not looking at the in-between.<p>The difference I see is if my spouse or boss wanted to look at my passwords they could, easily. I'm not OK with that. Now, tell me they have to install a trojan, a virus or some other software first to get access to my passwords and thats a level of safety which stops my boss. My boss won't have the technical know how to do it. My spouse could be looking just out of curiosity, the smallest roadblock would stop them. Chrome's implementation makes it easy for anyone to see passwords and that's just wrong!<p>The length of time anyone will have access to an unsupervised machine plays a role here. It shouldn't take 5 seconds of pointing and clicking that my gran could do to reveal all my passwords. It should take someone more effort!
I don't think it's fair to call something a flaw because you disagree with it. Google didn't do this by accident. It's a very purposely designed feature that apparently a bunch of HN-folks just learned about and strongly disagree with. Also, Firefox does this too...<p>And for the record, when I saw this feature 2 years ago I disagreed with it too - but it's not a flaw.
> The fact you can view the passwords means they are stored in reversible form which means that the dark coders out there will be writing a Trojan to steal that password store as we speak.<p>Surely they have to be reversible, or the browser wouldn't be able to use them as passwords.
Given that:<p>- I understand the fact that the browser must be able to have the password in plaintext at the moment of logging to a website.<p>- I understand that if someone has access to my account on my computer then is able to access all the sensitive information that I have stored unencrypted on it, and not just my browser's passwords.<p>- I understand that is not something new or ground-breaking, or even something exclusively related to Chrome.<p>I still can't see how sensible having an option to show the passwords in plaintext, without protection, really is. Many people (non tech-savvy people in particular) for example do not lock their OS profile at all.<p>Requiring a Master Password by default (with the possibility of opting out in the settings) before using/showing passwords, and storing these in crypted form it would seem more sensible to me.
Why is Chrome named as the "bad guy"? If anything, Chrome reveals the issue, by showing just how accessible browser-saved passwords are in the first place.
Do you think that it's impossible for malware to retrieve passwords from IE, Firefox, Safari and Opera? Just how is it possible to import the passwords from these applications, then?<p>This is not a security flaw. Comparing browser password storage to a safe is mildly retarded.
Philosophy question:<p>Given that a user left their session unlocked (!) in the presence of someone who is not them (!!) with a password file and other sensitive data in easy reach (!!!) - why is it Google's problem that the end user violated the first three rules of computer security?<p>*ed Downvotes don't answer the question, guys. At what point do you stop taking extraordinary measures to protect the user from their own lack of sense?
Same as reported here: <a href="https://news.ycombinator.com/item?id=6167331" rel="nofollow">https://news.ycombinator.com/item?id=6167331</a><p>Interesting to see the Guardian newspaper quoting someone from Hacker News.<p>Same is also true of Firefox - find the right path through the menu structure (different for each version) and reveal all your passwords.<p>Simple enough.
It amazes me that some of the security professionals are sufficiently out of touch that they don't see this as an issue. The adversary in this case is the casual non-technical observer who might have a minute to click around but not install software to extract anything, it is not "hackers".
Right-click page<p>Click 'View page info'<p>Click 'Security'<p>Click 'View Cookies'<p>I just bypassed your Firefox/Safari/etc master password and owned your session. OH NOES, SECURITY FLAW!!!! (I also downloaded a rootkit and installed it in your user's home directory, but you probably don't find that as much of a flaw as me getting your cookies. Right?)<p>I will say that encrypting the passwords on-disk is a nice thing if you care about cold-rebooted disk attacks and don't implement disk encryption yourself. But the game is mostly over if they have access to your machine. If the machine is still on, a DMA or cold boot attack is probably going to net them the passwords even on a master-password-locked browser, because the browser still needs to access the passwords for forms without prompting you every time.
<i>Sigh</i> This just goes to show what kind of damage people with little knowledge and big egos can do. Ever read about Dunning-Kruger Syndrome folks? Now you are witnessing a typical example in all its pathetism. And all started here in HN.
Firefox: Preferences: Security: Saved Passwords: Show Passwords: Yes, I'm Sure.<p>And enter your master password if you use that, which you should, if you're storing passwords at all.
Isn't it a known fact that, when asked, browsers store passwords in plaintext? Why would anyone choose to let the browser 'remember their password' anyway?
My OSX chrome definitely stores passwords in OSX Keychain Manager. Is that like a special setting or plugin I activated and forgot, not just what it always does on OSX? Or wait, am I somehow wrong? It sure looks like it's storing passwords in keychain manager, in that all of my website passwords are there in keychain manager.
I've already done analysis of most of the major browsers. It even hit the HN front page a couple months ago:<p><a href="http://raidersec.blogspot.com/2013/06/how-browsers-store-your-passwords-and.html" rel="nofollow">http://raidersec.blogspot.com/2013/06/how-browsers-store-you...</a>
i don't get it. how is Chrome's handling different from Thunderbird's or Firefox's? they too have the exact same functionalities accessible to anyone sitting at the computer without extra security measures: Options > Security > Saved Passwords > Show Passwords
Chrome has a passphrase option for his sync capability why doesn't it use it as a master password ?
<a href="https://support.google.com/chrome/answer/1181035?hl=en" rel="nofollow">https://support.google.com/chrome/answer/1181035?hl=en</a>