
Chrome's password security insanity can be cured

Gregg Keizer | Aug. 12, 2013
Google should lock up Chrome passwords with a master key to make casual thieves work harder.

Click on the 'Show' button in Chrome's saved-password UI and anyone with access to the machine sees the goods.

Chrome isn't the only browser that lets anyone with access to the machine see passwords: Mozilla's Firefox does too, although as Storms noted, it does offer an option of locking access with a second, or master, password.

Apple's Safari and Microsoft's Internet Explorer (IE) are more secure from ad hoc password theft. Both require users to again enter their user account password -- the operating system's overarching log-in password -- to view saved passwords, in effect treating the user account password as a master key.

All four browsers encrypt the password file, some using stronger encryption than others. But Chrome and Firefox automatically call on the existing user account password to decrypt the file without asking the person in front of the keyboard to lift a finger.

Put plainly, the casual thief who steps up to the keyboard of a running PC or Mac has to also know the user account password to view Safari's and IE's password file. But they can immediately see its contents on Chrome, as well as on Firefox if no master key has been set earlier.

Thus, Storms' call for Google to add an optional master password to Chrome so that it's at least on par with Firefox. Requiring people to type in the user account password once again would be even better.

This week's Chrome password crisis was not news: The issue has come up before, although the blow-back this time has been staggering in comparison. "That was my first reaction, actually," said Storms when asked whether the new brouhaha is a tempest in a teacup, or is legitimate. "It's been like that for a long time ... [so] why now and doesn't everyone already know this?"

But Storms wasn't downplaying the concern of critics. "It is a rather strange situation, since Chrome drove to the top of the list [based on it being] the most secure browser from online malware," he said.

Inserting a master key requirement into Chrome should not be a big deal, code-wise, Storms said. "I wouldn't think it would be that difficult for them," he said.

Users reluctant to let Chrome or any other browser save passwords have options, Storms said, notably password managers that are specifically designed to secure passwords while still making them readily available for site log-ins.

Storms suggested 1Password (Windows, OS X; $49.99). But there are lots of other choices, including KeePass (Windows; free), LastPass (Windows, OS X; free or $12/year for premium version) and RoboForm (Windows, OS X; $29.95).

 
