Chrome's password security insanity can be cured

Prompted by blow-up over Chrome's apathy about password security, expert urges Google to lock passwords with a master key

Google should lock up Chrome passwords with a master key to make casual thieves work harder, a security expert said Thursday.

"Google ought to at least be protecting the storage of [Chrome's password] data with a master password," said Andrew Storms, senior director of DevOps at CloudPassage, in an IM interview.

Storms was reacting to the blow-up this week after software developer Elliott Kember noticed that Chrome lets anyone with physical access to a computer easily spy and snoop on saved passwords.

Kember called Chrome's practice an "insane password security strategy."

Chrome stores passwords at the user's request, then recalls them automatically for site and service log-ins. A quick trip to the browser's address bar -- type "chrome://settings/passwords" there -- displays accounts, usernames and passwords.

Although the passwords are disguised with asterisks, one click on the "Show" button and the password appears in plain text.

Kember objected to Chrome's system. "There's no master password, no security, not even a prompt that 'these passwords are visible,'" he wrote. Anyone with access to the computer -- a co-worker, say, or a child or spouse on a shared system -- could easily pilfer passwords from the browser. "Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click 'Show' on a few. See what they have to say," Kember said.

Chrome has always handled passwords this way, but the quick explosion of commentary on the Web signaled that few knew as much.

Google didn't help its case, or Chrome's long-touted reputation as a secure browser, when Justin Schuh, the browser's security tech lead, dismissed the complaints in a message on Hacker News, where he said the password access wasn't an oversight, but by design.

"We don't want to provide users with a false sense of security, and encourage risky behavior," Schuh said to the critics who wondered why Chrome did not, at least, require a second-level password -- a "master key" in the parlance -- to access the in-clear passwords. "We want to be very clear that when you grant someone access to your OS user account, that they can get at everything," Schuh added. "Because in effect, that's really what they get."

Storms didn't see it that way. And judging from the digital fisticuffs triggered by Schuh's comments, nor did most users.

Schuh was missing the point, said Storms. "Let's agree that one needs access to the computer where the passwords are stored," said Storms. "But they ought to be offering an additional layer of security, a master password, like Firefox does." Otherwise, he continued, there was no barrier to even spontaneous spying.

Google declined to comment on the brouhaha or whether it will react to the online beat down by changing Chrome's password handling.

Click on the 'Show' button in Chrome's saved-password UI and anyone with access to the machine sees the goods.

Chrome isn't the only browser that lets anyone with access to the machine see passwords: Mozilla's Firefox does too, although as Storms noted, it does offer an option of locking access with a second, or master, password.

Apple's Safari and Microsoft's Internet Explorer (IE) are more secure against ad hoc password theft. Both require users to re-enter their user account password -- the operating system's overarching log-in password -- to view saved passwords, in effect treating the user account password as a master key.

All four browsers encrypt the password file, some using stronger encryption than others. But Chrome and Firefox automatically use the existing user account credentials to decrypt the file, without asking the person at the keyboard to lift a finger.

Put plainly, the casual thief who steps up to the keyboard of a running PC or Mac has to also know the user account password to view Safari's and IE's password file. But they can immediately see its contents on Chrome, as well as on Firefox if no master key has been set earlier.

Hence Storms' call for Google to add an optional master password to Chrome, so that it is at least on par with Firefox. Requiring people to type in the user account password once again would be even better.

This week's Chrome password crisis was not news: The issue has come up before, although the blow-back this time has been staggering in comparison. "That was my first reaction, actually," said Storms when asked whether the new brouhaha is a tempest in a teacup, or is legitimate. "It's been like that for a long time ... [so] why now and doesn't everyone already know this?"

But Storms wasn't downplaying the concern of critics. "It is a rather strange situation, since Chrome drove to the top of the list [based on it being] the most secure browser from online malware," he said.

Inserting a master key requirement into Chrome should not be a big deal, code-wise, Storms said. "I wouldn't think it would be that difficult for them," he said.

Users reluctant to let Chrome or any other browser save passwords have options, Storms said, notably password managers that are specifically designed to secure passwords while still making them readily available for site log-ins.

Storms suggested 1Password (Windows, OS X; $49.99). But there are lots of other choices, including KeePass (Windows; free), LastPass (Windows, OS X; free or $12/year for premium version) and RoboForm (Windows, OS X; $29.95).

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
