Chrome-saved cleartext passwords not a flaw, Google says

Master passwords a bad idea, Chrome lead says.

Google Chrome stores saved passwords in cleartext, a behaviour that Google says is not a flaw.

Software developer Elliott Kember discovered that all saved passwords can be displayed in plain text in the Chrome settings panel.

“There's no master password, no security, not even a prompt that ‘these passwords are visible,’” Kember said.

Google said passwords were encrypted on Google servers. Chrome browser security lead Justin Schuh said any attacker who gained access to an account could dump all session cookies, grab history, install monitoring software or install malicious extensions to intercept browsing activity.

His point was that “once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.”

Popular web browser Firefox offers a master password feature, but Schuh said that provided users with a false sense of security and encouraged risky behaviour.

“There's a big disconnect between what people ‘should’ do, and what people ‘actually’ do,” Kember said.

“For instance, supposedly you're supposed to switch user accounts on a computer whenever someone else uses it. But in the real world, people borrow their friends' computers all the time.”

A forum user, signing off as hobbes300, responded to Schuh's post, saying, "Your logic doesn't follow...Don't forget, all security, regardless of how good it is, is just a delay mechanism. It's perfectly valid to delay the easy attacks as well as the hard ones."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition