Chrome secures your passwords by not securing your passwords

Google Chrome LogoGoogle has come under fire for their security practices, which includes keeping a database of all saved passwords stored on your device, easily accessed through your account.

This means that anyone who has physical access to your machines can get immediate access to all passwords you have chosen to store on your device.

Elliot Kember, software developer at Riot, points out that not only is this a questionable security measure, but it gives people a fast track to your online data.

Basically, this is how it works:

Go to your Chrome Settings page and click Show Advanced Settings.

Scroll down to Passwords and Forms and click Manage Passwords next to the “Offer to save passwords I enter on the web” prompt.

This brings up a new box that shows all of the passwords you have saved and their corresponding pages. You can hit “Show” on any one of these, and it shows the password in full.  It even gives the username/email information you use for the account.

Why is this so alarming? It literally asks for nothing to gain this information. You do not have to be signed into your Google account, there is no master or authorization password, and you don’t have to verify your identity in any way. All you need is access to the device in question and you can gain entry to any website where a password has been saved.

Take a moment to consider how many times you have selected to have a password saved. What is that feature activated on? Your email? Your Facebook account? Your blog or professional site?

If that wasn’t bad enough, a comment was posted about this on Y Combinator by Chrome security tech lead Justin Schuh which you can read in full here. But the bottom line of the comment seems to be:

” We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior.”

See? They are doing it for our own good! Bad guys can get access to all your information anyway, so why should they offer even a single boundary to prevent it? We are truly fortunate that they take this “protecting you by not protecting you” approach.

Gag me. This reasoning is ridiculous, and I honestly wonder if this was a statement that Google would have chosen to put out. Perhaps Mr Schuh was speaking on his own?

We will have to wait and see.

Source: Elliot Kember

Leave a Comment

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.