Chrome's password security insanity can be cured
Prompted by the blow-up over Chrome's apathy about password security, an expert urges Google to lock passwords with a master key
Computerworld - Google should lock up Chrome passwords with a master key to make casual thieves work harder, a security expert said Thursday.
"Google ought to at least be protecting the storage of [Chrome's password] data with a master password," said Andrew Storms, senior director of DevOps at CloudPassage, in an IM interview.
Storms was reacting to the blow-up this week after software developer Elliott Kember noticed that Chrome lets anyone with physical access to a computer easily spy and snoop on saved passwords.
Kember called Chrome's practice an "insane password security strategy."
Chrome stores passwords at the user's request, then recalls them automatically for site and service log-ins. A quick trip to the browser's address bar -- type "chrome://settings/passwords" there -- displays accounts, usernames and passwords.
Although the passwords are disguised with asterisks, one click on the "Show" button and the password appears in plain text.
Kember objected to Chrome's system. "There's no master password, no security, not even a prompt that 'these passwords are visible,'" he wrote. Anyone with access to the computer -- a co-worker, say, or a child or spouse on a shared system -- could easily pilfer passwords from the browser. "Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click 'Show' on a few. See what they have to say," Kember said.
Chrome has always handled passwords this way, but the quick explosion of commentary on the Web signaled that few knew as much.
Google didn't help its case, or Chrome's long-touted reputation as a secure browser, when Jason Shuh, the browser's security tech lead, dismissed the complaints in a message on Hacker News, where he said the password access wasn't an oversight, but by design.
"We don't want to provide users with a false sense of security, and encourage risky behavior," Shuh said to the critics who wondered why Chrome did not, at least, require a second-level password -- a "master key" in the parlance -- to access the in-clear passwords. "We want to be very clear that when you grant someone access to your OS user account, that they can get at everything," Shuh added. "Because in effect, that's really what they get."
Storms didn't see it that way, and judging by the digital fisticuffs triggered by Shuh's comments, neither did most users.
Shuh was missing the point, Storms argued. "Let's agree that one needs access to the computer where the passwords are stored," he said. "But they ought to be offering an additional layer of security, a master password, like Firefox does." Otherwise, he continued, there was no barrier to even spontaneous spying.
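What a master-password layer of the kind Storms describes looks like in practice, as an added example (not Chrome's or Firefox's code): the stored password map is encrypted under a key stretched from the master password, so a "Show" button must unlock it first, and an OS login alone reveals nothing. It assumes a small JSON credential map and uses PBKDF2 plus HMAC-SHA256 in counter mode with an authentication tag so it runs on the standard library alone; a production store would use an AEAD such as AES-GCM instead.

```python
import hashlib, hmac, json, os

# Constructed example, not browser code. PBKDF2 stretches the master password;
# HMAC-SHA256 in counter mode is the cipher here only so no third-party
# package is needed (assumption); a real store would use an AEAD like AES-GCM.
ITERATIONS = 200_000

def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password so offline guessing of a stolen blob is slow."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def lock(master_password: str, entries: dict) -> dict:
    """Encrypt the whole password map; only this blob ever reaches disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()  # detects tampering
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}

def unlock(master_password: str, blob: dict):
    """Return the password map, or None if the master password is wrong or the blob was altered."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):  # wrong key or modified data: reveal nothing
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)

def show(master_password: str, blob: dict, site: str):
    """The 'Show' button, gated on the master password rather than on OS login alone."""
    entries = unlock(master_password, blob)
    return None if entries is None else entries.get(site)

if __name__ == "__main__":
    blob = lock("correct horse", {"example.com": {"user": "alice", "password": "hunter2"}})
    print(show("correct horse", blob, "example.com"))  # the entry
    print(show("wrong guess", blob, "example.com"))    # None
```

Note the limit Shuh raised still applies: while the store is unlocked, the derived key sits in the browser's memory, so the master password raises the bar for casual snooping, not for someone with full control of the running session.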
Google declined to comment on the brouhaha or on whether it will react to the online beatdown by changing Chrome's password handling.