Memo from 2008: Chrome stores passwords in plain text (*gasp*)

Just when I thought shoddy tech "journalism" couldn't stoop any lower, there is now a supposedly "new" report out that Chrome stores its passwords in plain text.

From Google Chrome security flaw offers unrestricted password access at The Guardian:

A serious flaw in the security of Google's Chrome browser lets anyone with access to a user's computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.

Absolutely no mention that this has been known for years. Why this is being reported now, I have no idea.

From Google Chrome flaw exposes user passwords at The Telegraph:

Software developer Elliott Kember stumbled across the vulnerability when importing his bookmarks from Apple's Safari browser to Google Chrome. He discovered that it was mandatory to import saved passwords from one browser to the other – something he described as 'odd'.

After doing a bit more digging, he found that Google does not protect passwords from being viewed when a user is logged in and running Chrome. Anyone with access to the computer can view stored passwords by going to the advanced settings page and clicking on the “Passwords and forms” option, followed by “Manage saved passwords”.

Here the reporter goes a step further to make it sound as if this is some new discovery.

This is not a new discovery. Many people, including the developers at Google, know about this, and have known about this for years. It's a deliberate (albeit bad) design choice. I knew about it in 2009, and I've known about it ever since.

Someone back in December 2008 already reported it to Google:

Google, Why does your browser Chrome not have a master password for saved passwords? This is ridiculous

and Google's response:

Hi everybody,

We understand that many of you want a master password for your saved passwords in Google Chrome. You’ve laid out many scenarios in which this might be useful, but the most common is that if your computer were to fall into the wrong hands, that person would then have access to your saved passwords.

While we agree that this situation would be terrible, we believe that a master password would not sufficiently protect you from danger. Someone with physical access to your computer could install a keylogger to steal your passwords or go to the sites where your passwords are stored and get them from the automatically filled-in password fields. A master password required to show saved passwords would not prevent these outcomes.

Currently, the best method for protecting your saved passwords is to lock your computer whenever you step away from it, even for a short period of time. We encrypt your saved passwords on your hard disk. To access these passwords, someone would either need to log in as you or circumvent the encryption.

We know this is a long-standing issue, and we see where you're coming from. Please know that your security is our highest priority, and our decision not to implement the master password feature is base

Okay. It took Google almost a year to make that official response, but that's still almost three years ago!

I thought the "There are millions of Android malware apps (which no one is actually installing)" scare headlines were bad enough. Now known bugs that are deliberate design choices are suddenly newly-discovered security flaws. I can't palm forehead this enough...

If you want to store passwords with a master password, use Firefox. The master password encrypts your saved passwords. It's not a perfect solution, but it's better than what Chrome's doing... and has been doing for years.

Join the Conversation

2 Comments

  1. Why? Come, milady, and I shall tell you…

    Once upon a time, “journalists” (who then bore the more prosaic name of “reporters”, but we’ll get to why the name change in a moment), started at the bottom and learned the trade by starting out as copyboys, or some similar low-ranking position, and worked their way up.

    Then it became fashionable to hire journalism school graduates. This accounts for the name change, and the bad reporting. Used to be, reporters spent years, usually at the same paper, learning the ropes. Developing context. Knowing the streets. Now, we have a bunch of people who learned their “trade” during a four-year sabbatical from reality called “college”. COLLEGE IS NOT REAL LIFE!

    As far as tech reporting, I’ll bet the “journalist” in question read a bit about the “plain passwords” thing, and managed to pad it into an 800-word scare piece. Fear sells, even ill-informed fear. This, more than any political bias, is the reason for the sorry state of journalism today. No research. No context. “If it bleeds, it leads.”

Leave a comment

Leave a Reply to Christopher W Cancel reply

Your email address will not be published. Required fields are marked *