Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Why storing passwords in Chrome is a bad idea

Tony Bradley | Aug. 12, 2013
Google’s Web browser offers no protection to secure and protect your saved passwords.

It seems like almost every website you visit has a login of some sort. Managing and remembering them is virtually impossible, so for convenience the major Web browsers offer a feature that saves your passwords. But software developer has discovered that it's a bad idea to trust this sensitive information to your browser--especially if your business uses Google Chrome.

Elliot Kember wrote a blog post about the critical flaw in Chrome password security. He had decided to switch from Safari to Chrome and wanted to import his Safari bookmarks so he'd have access to all of the same sites and content between the two browsers. He was alarmed to find that one of the "options" under "Import bookmarks and settings" is to import saved passwords. However, the option is grayed out and automatically checked, meaning it's mandatory and there's no choice to not import saved passwords.

Aside from the irony of having a checkbox for something that is clearly not optional, the import setting set off some red flags for Kember. Chrome does not provide any protection for the passwords it stores--there is no master password that locks access to managing the saved passwords. The passwords are stored in plain-text, and can be exposed by simply clicking the "show" button next to the password field.

Kember writes in his post, "In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market--the users. The overwhelming majority. They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay."

As convenient as it may be, it's generally a bad idea to let your browser--any browser--store your password information. Granted, most do a better job of locking things down than Chrome, but the browser only manages passwords for websites and Web-based applications, which means you'd still need a different, separate tool for managing other password credentials.

Complexity is the enemy of security. Graham Cluley, a respected security expert, recommends using a password management utility like LastPass, or 1Password. For Mac OS X users (especially when Mavericks is officially released) using the iCloud Keychain is an alternative solution as well.

The other enemy of security, however, is convenience. Any feature or capability that makes it easier for you to remember login credentials or access sensitive data also increases the risk that an attacker can exploit that convenience for nefarious activities. Having a master key to protect stored passwords is better than not having one, but having a master key is also an Achilles heel that provides access to all of your passwords if an attacker can just figure out how to crack the master key.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.