How Browsers Store Your Passwords (and Why You Shouldn't Let Them)

148 points by mnazim, almost 12 years ago

16 comments

kamkha, almost 12 years ago
From http://www.chromium.org/Home/chromium-security/security-faq:

Why aren't physically-local attacks in Chrome's threat model?

"People sometimes report that they can compromise Chrome by installing a malicious DLL on a computer in a place where Chrome will find it and load it. (See https://code.google.com/p/chromium/issues/detail?id=130284 for one example.) People also sometimes report password disclosure using the Inspect Element feature (see e.g. https://code.google.com/p/chromium/issues/detail?id=126398).

We consider these attacks outside Chrome's threat model, because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your computer as you, or who can run software with the privileges of your operating system user account. Such an attacker can modify executables and DLLs, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your computer, and nothing Chrome can do would provide a serious guarantee of defense. This problem is not special to Chrome — all applications must trust the physically-local user."
mjschultz, almost 12 years ago
Here is a recent discussion on chromium-dev about the password manager: https://groups.google.com/a/chromium.org/forum/#!searchin/chromium-dev/password/chromium-dev/r-HQ5vgeFYE/avzJ8kfvYOkJ

Evidently, only 0.0085% of users toggle on the "Use a master password"
mikeleeorg, almost 12 years ago
Also in Chrome:

Go to Settings -> Show advanced settings -> Manage saved passwords -> Click on a "hidden" password -> Click on "Show" button -> Voila, password shown in plain text
uptown, almost 12 years ago
One thing I've been meaning to test. Does Chrome's form-autofill (the thing where it fills in as much of a form as it can when you specify an email address) populate hidden fields if they match? If so, it seems like potential for mischief to create some form inputs of type "hidden" or just some visually-hidden form inputs using style sheets to capture more information than a user is aware is being populated and submitted.
jrochkind1, almost 12 years ago
Chrome on OS X stores in the OS X keychain, out of the box, which is a fairly secure way to store passwords.
YellowRex, almost 12 years ago
Other side of an airtight hatchway? For this to be at all relevant, you've already got me running your binary with my user's permissions.
dbbolton, almost 12 years ago
Slightly off topic:

Why does Chrome, when the registration page includes both email and username fields, only remember the email but then insert it into the username field when you attempt to log in? I know some sites let you use the two interchangeably to log in, but doesn't this seem like a silly assumption on Chrome's part? Why not remember both, and insert the username OR the email depending on what the field is called?
DanBC, almost 12 years ago
Google recently refused to give me access to my account when I'd lost the password.

While it was intensely frustrating at the time, I'm actually grateful that it is so hard to get an account. I provided considerable amounts of information, but it wasn't enough for them to hand it over.

Still, when I got access to my super secret hard copy of passwords, and loaded Chrome onto a new machine, and signed into Google, I was a bit alarmed by just how much stuff came back from them onto my local machine. I'm currently slowly migrating to Yubikey and a nice password safe and better passwords for everything.
aclevernickname, almost 12 years ago
If I can channel RMS for a second: if you use Windows at this point, it's very clear that you do not care about security as much as you care about convenience. Whatever browser you attempt to put on top of that backdoor/COFEE-infested nightmare matters almost as much as what bikini you wear before jumping into a vat of acid.

That said, it's very good to know that Firefox is the safest of the three. If I ever again have the misfortune of advising Windows users on the safest browser to use, I will definitely let them know that it would take far longer to compromise their passwords in Firefox (even hours longer!) than the other browsers.

Myself, I'll stick to Firefox with the KWallet extension under Kubuntu.
betterunix, almost 12 years ago
Passwords are a terrible way to authenticate people anyway. The sooner we start using certificates and smartcards, the better.
sytelus, almost 12 years ago
Chrome may be the most unsafe browser in the world just because of how it gives away saved passwords in clear text with extreme ease. This is such a blatant violation of trust with users that the developers who implemented this and thought this was OK shouldn't be allowed to work on anything related to security. They did not understand the simple fact that most users of Chrome do not have a clue about all these intricacies of software security. They use Chrome because they trust it to keep them safe. When they save their passwords they don't get any clear warning that many 7-year-olds can get all of their passwords in 30 seconds without installing or running any additional software on their machine.
nnq, almost 12 years ago
I don't get it. If there is malware on your computer you are compromised anyway - it could just keylog to get the passwords... so why bother about how secure it is to get the stored passwords for a program running on the same computer?

...if there was a remotely exploitable browser bug that would make the browser leak them it would be a threat, but this post seems meaningless from a security pov.
peripetylabs, almost 12 years ago
Every browser seems to implement its own password management scheme. None of them are as good as the same functionality that already exists in the operating system. Browsers should request access to passwords from the OS when needed, perhaps once per session.
saljam, almost 12 years ago
I've been thinking about this (and the more general keychain problem) recently. Wouldn't it make sense to have your keychain stored on your smartphone, and allow applications access over a standard protocol using NFC/USB/Bluetooth?

Better still, let the phone do the public key cryptography (as in Plan 9's factotum), so that your private keys never leave your phone.
graycat, almost 12 years ago
His Web page commonly has 128 characters per line. So, on a 17" monitor, the page is just unreadable.
Shivetya, almost 12 years ago
I use my browser's password store only for harmless profiles, like here and other blogs. The issue I run into most is that a slight URL variation, common with webmail, toggles its asking to remember.