Mashable


Chrome's Password Security Strategy Is Insane

[Image: Chrome-code]

The other day, I was using Chrome in development for an Ember.js app. I use Safari for day-to-day browsing, but it has a habit of aggressively caching files when I least expect it, so from time to time I switch to Chrome.

I decided to hit Chrome’s “import bookmarks now” link and see if I could import my bookmarklets from Safari, so things would be nice and consistent between the two browsers. I didn’t expect to get this:

[Image: Import-Bookmarks]

This struck me as particularly odd. Why is “saved passwords” greyed out, and mandatory? Why have a check-box? This is the illusion of choice. I think it’s deeply misleading, and here's why...

This is a page in Chrome’s settings panel:

[Image: Passwords]

See that “show” button? It does what you think it does.

[Image: Saved-Passwords]

There’s no master password, no security, not even a prompt that “these passwords are visible”. Visit chrome://settings/passwords in Chrome if you don’t believe me.

There are two sides to this: the developer and the user. Both roles have vastly different opinions as to how the computer works. Any time I try to draw attention to this, I get the usual responses from technical people:

  • Just use 1Pass.

  • The computer is already insecure as soon as you have physical access.

  • That’s just how password management works.

While all of these points are valid, they don’t address the real problem: Google isn’t clear about its password security.

In a world where Google promotes its browser on YouTube, in cinema pre-rolls and on billboards, the clear audience is not developers. It’s the mass market — the users, the overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, everyday users save their passwords in Chrome. This is not OK.

[Image: Chrome-Allow]

This dialog is even more misleading. By using words like “confidential information” and “stored in your keychain,” OS X describes the current security of your saved passwords. It’s the very security Chrome is about to bypass by displaying your passwords in plain text, outside your keychain, without requiring a password. When you visit a website, Chrome prompts for every password it can find for that domain.

Today, ask somebody who isn't tech-savvy to borrow his or her computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.

UPDATE: Justin Schuh, head of Chrome security, says I’m wrong, and this is not going to change.

Elliott Kember is a software developer and director at Riot. This article was originally published on his personal blog.

Mashable composite. Image: iStockphoto, nikicruz
