Google Chrome's Security Flaw: How to Safely Store Passwords

Earlier this week, software developer Elliot Kember made some noise on the Net about how the Chrome browser stores passwords.

Kember's points are all true: Chrome, and most browsers in general, are terrible when it comes to password safety. But as the Dothraki on Game of Thrones would put it, "It is known." Chrome's password safety, or lack thereof, isn't surprising.

It's never been a good idea to let your browser remember your passwords for you, or any sensitive information at all for that matter. Sure, it's convenient, but that also means anyone who accesses your computer also has immediate, effortless access to all your personal accounts: email, bank statements, credit card purchases and more.

How Chrome stores passwords

If you have a Google account (and who doesn't, these days?), you can sign in and out of Chrome, the browser made by Google. If you sign in to Chrome with your Google account, the passwords, bookmarks and favorites that Chrome stores will be saved on your Google account. That way, you can access all these things from any computer.

The problem is that Chrome stores this data in a very insecure way. You don't even need to know someone's Google password to get at every password saved in their copy of Chrome; access to their computer is enough.

All you have to do is go into the browser's settings and navigate to Password settings. From there you can press a button to view, in plaintext (i.e., unobscured by those little black dots), all the passwords saved to that browser.

Additionally, when porting bookmarks from another browser into Chrome, Chrome often requires that you port the other browser's saved passwords as well. There are plenty of ways a snoop with only a basic level of computer savvy could exploit that feature to compromise a target's secure information.

Quite a few people were upset when Kember pointed out these vulnerabilities, but Chrome has stored passwords in this manner for a while.

Google has no plans to change the way Chrome manages passwords. Justin Schuh, Chrome's security chief, told Hacker News that to do so would be tantamount to lying to users.

He said that if attackers got onto your computer, there are far worse things they could do than open Chrome and copy-paste your passwords. For example, they could install malware or monitoring software on your system. They could view your entire search history.

"My point is that once the bad guy got access to your account, the game was lost, because there are just too many vectors for him to get what he wants," Schuh said.

For that reason, Google won't provide better browser-based password storage, because the company doesn't want you to feel safer than you actually are.

"We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security and [thus] encourage risky behavior."
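To make concrete what "better browser-based password storage" would and would not buy, here is an added example that is my own code, not Chrome's or Google's (the vault layout, the function names and the HMAC-SHA256 counter-mode keystream used in place of a block cipher are assumptions for illustration). It contrasts two storage models: one where the key material sits on the same disk as the vault, so any process running as the logged-in user can read everything, and one where the key is derived from a master password the user types, so the vault file alone is useless.

```python
import hashlib
import hmac
import json
import os
import struct
from typing import Dict, Optional, Tuple

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(secret: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a 32-byte encryption key and a 32-byte MAC key from a secret.

    scrypt is memory-hard, so guessing a master password offline against a
    copied vault file is expensive per attempt.
    """
    km = hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1,
                        maxmem=64 * 1024 * 1024, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib stand-in for a real stream cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(secret, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(secret: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the secret is wrong or the blob was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(secret, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Model 1 (hypothetical "convenience" store): the key file lives beside the
# vault on the same disk. Anyone who can read the user's files reads both,
# so every saved password falls out with no further knowledge. This is a
# simplified stand-in for the article's complaint, not Chrome's real format.

def save_convenient(passwords: Dict[str, str]) -> Tuple[bytes, bytes]:
    key_file = os.urandom(32)  # would be written next to the vault
    return key_file, seal(key_file, json.dumps(passwords).encode())


def read_convenient(key_file: bytes, vault: bytes) -> Dict[str, str]:
    return json.loads(unseal(key_file, vault))


# Model 2 (hypothetical master-password store): the key is derived from a
# secret the user types and that is never written to disk. A copied vault,
# a wrong guess, or a tampered file yields None rather than passwords.

def save_master(master_password: str, passwords: Dict[str, str]) -> bytes:
    return seal(master_password.encode(), json.dumps(passwords).encode())


def load_master(master_password: str, vault: bytes) -> Optional[Dict[str, str]]:
    pt = unseal(master_password.encode(), vault)
    return None if pt is None else json.loads(pt)


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    creds = {"mail.example": "hunter2"}
    key_file, vault = save_convenient(creds)
    print("convenience model, read by any local process:", read_convenient(key_file, vault))
    mv = save_master("correct horse battery staple", creds)
    print("master-password model, wrong password:", load_master("wrong guess", mv))
    print("master-password model, right password:", load_master("correct horse battery staple", mv))
```

The second model is what a dedicated password manager offers and what the article means by storage that does not hand a snoop everything just because they reached the settings page. It does not refute Schuh's point, though: the master password is typed on the same machine, so monitoring software already running there captures it at unlock time. The vault raises the bar against someone who copies files or glances at the browser's settings, not against a compromised system.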

1 comment
  • Pherule
    "We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security and [thus] encourage risky behavior."

    And the whole point goes right over Google's collaborative, bloated head.