Categories
Uncategorized

Memo from 2008: Chrome stores passwords in plain text (*gasp*)

Just when I thought shoddy tech "journalism" couldn't stoop any lower, there is now a supposedly "new" report out that Chrome stores its passwords in plain text.

From Google Chrome security flaw offers unrestricted password access at The Guardian:

A serious flaw in the security of Google's Chrome browser lets anyone with access to a user's computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.

Absolutely no mention that this has been known for years. Why this is being reported now, I have no idea.

From Google Chrome flaw exposes user passwords at The Telegraph:

Software developer Elliott Kember stumbled across the vulnerability when importing his bookmarks from Apple's Safari browser to Google Chrome. He discovered that it was mandatory to import saved passwords from one browser to the other – something he described as 'odd'.

After doing a bit more digging, he found that Google does not protect passwords from being viewed when a user is logged in and running Chrome. Anyone with access to the computer can view stored passwords by going to the advanced settings page and clicking on the “Passwords and forms” option, followed by “Manage saved passwords”.

Here the reporter goes a step further to make it sound as if this is some new discovery.

This is not a new discovery. Many people, including the developers at Google, know about this, and have known about this for years. It's a deliberate (albeit bad) design choice. I knew about it in 2009, and I've known about it ever since.

Someone back in December 2008 already reported it to Google:

Google, Why does your browser Chrome not have a master password for saved passwords? This is ridiculous

and Google's response:

Hi everybody,

We understand that many of you want a master password for your saved passwords in Google Chrome. You’ve laid out many scenarios in which this might be useful, but the most common is that if your computer were to fall into the wrong hands, that person would then have access to your saved passwords.

While we agree that this situation would be terrible, we believe that a master password would not sufficiently protect you from danger. Someone with physical access to your computer could install a keylogger to steal your passwords or go to the sites where your passwords are stored and get them from the automatically filled-in password fields. A master password required to show saved passwords would not prevent these outcomes.

Currently, the best method for protecting your saved passwords is to lock your computer whenever you step away from it, even for a short period of time. We encrypt your saved passwords on your hard disk. To access these passwords, someone would either need to log in as you or circumvent the encryption.

We know this is a long-standing issue, and we see where you're coming from. Please know that your security is our highest priority, and our decision not to implement the master password feature is base

Okay. It took Google almost a year to make that official response, but that's still almost three years ago!

I thought the "There are millions of Android malware apps (which no one is actually installing)" scare headlines were bad enough. Now known bugs that are deliberate design choices are suddenly newly-discovered security flaws. I can't palm forehead this enough...

If you want to store passwords with a master password, use Firefox. The master password encrypts your saved passwords. It's not a perfect solution, but it's better than what Chrome's doing... and has been doing for years.

Categories
Uncategorized

Chrome fails again – back to Firefox

Every now and then I buy into the hype about how “fast” Chrome is and how much better it is than Firefox and how Firefox’s only advantage is its many extensions. Then I actually try to use Chrome as my main browser and realize how badly implemented it is for my purposes. More details on that from last year’s post The extension that makes Google Chrome bearable, but I left off that list this bit of annoyance: Are you sure you want to open 31 tabs?

I’ve done some Google searching on this, and there appears to be no way to turn off this warning. I have daily bookmarks I open… every day. And they’re stored in one folder I right-click to open all at once. I don’t really need Nanny Chrome asking me every time if I’m sure I want to open all those bookmarks. Thank you, Firefox, for remaining an amazing browser that does everything I need it to.

Categories
Web Browsers

Bookmark Organization in Browsers

The other day I was talking with a Windows-using friend. She’s using an old laptop of ours, as her newer laptop is having various hardware and software issues. I noticed she was using Chrome, and I asked her how she liked it. She liked it for the most part, except she didn’t like how Google wouldn’t let her organize her own bookmarks. She said she can’t imagine it would be that difficult. I told her it was probably quite the opposite. Google’s “smart” bookmarking in Chrome (with the most frequently visited and most recently visited sites showing up in the Opera-like speed dial page) is probably more difficult to implement (from a programming perspective) than the more traditional bookmark style (organize it yourself).

She then described to me how she organizes her bookmarks, and I was fascinated by her way of thinking about sites. She organizes them based on action (see, shop, read, share, etc.). I organize mine in kind of a strange way too. My bookmarks I organize by how often I view them. So I have a folder full of “weekly” bookmarks and a folder full of “daily” bookmarks. Inside the daily ones, I have my Bloglines reader, which contains all the sites I would ordinarily bookmark except that they have RSS feeds, so I’d prefer Bloglines to keep me informed of when they update instead. So every day, I open all the sites in my daily folder in tabs, and every week I open my weekly bookmarks in tabs. And any non-bookmarked site I visit I just use Google or Firefox’s own “smart” address bar to find.

How do you all (my small set of loyal readers—thanks for visiting!) organize your bookmarks? Or do you bother organizing them at all? Or do you even have bookmarks?

Categories
Web Browsers

Already switching back to Firefox from Google Chrome

When Google Chrome hit the scene a little while ago, I was excited. Scott McCloud’s online comic book (although confusing at times) was a good sell on Chrome’s features, and I particularly liked the way it handles each tab as a separate process.

Immediately, on my computer at work, I installed Chrome and started using it as my default browser. The speed was amazing. In terms of rendering pages, it seemed to be as fast as Opera, and the interface responsiveness made it seem even faster. I also dug how Chrome’s version of the “speed dial” was dynamic based on the pages you’ve visited (in Opera’s you have to set the speed dial pages manually).

But, alas, Chrome (like Opera) has annoying tab behavior. It opens new tabs next to the current tab. That doesn’t work well with how I browse. I like to open links in new tabs at the end of the row so that I can get to them eventually. I don’t like to switch to them right away after closing the current tab. I tried to put up with it for a while, but Firefox is the browser that works with my style. Maybe someone will come up with a preference hack for Chrome that will change the tab behavior. Until then, I’ll remain a Firefox user.