Oct 15, 2010

Chrome browser - passwords one click away

2008 was the year when Google decided to release its first browser. Good news for Google's fans: the browser brings simplicity, speed and innovation to the browser market. What Google did not manage is to offer its users the minimal tool to protect their privacy: a master password. In the following lines I will copy some pro and con posts from Chrome's project page located at http://code.google.com/p/chromium/issues/ . This issue has been reported by users since 2008, the release year, and Google has taken no step toward listening to its users until now.

Passwords are one click away for anyone who accesses your Chrome browser.

Strangely, the issue is buried very deep in the project web page, as moderators keep moving the issue from one part to another, making it difficult for users to follow it and see its real importance. Here is the observation of the user grinapo:
Btw this issue _was_closed_. Merged into Issue 1397, which was closed, and merged into Issue 812, which is "profile/login support", so I guess the master password request was buried deep.
Here are some links where the problem is debated:
  http://code.google.com/p/chromium/issues/detail?id=812
  http://code.google.com/p/chromium/issues/detail?id=1397
  http://code.google.com/p/chromium/issues/detail?id=27971
  http://code.google.com/p/chromium/issues/detail?id=53

 
Google's official position can be found here: http://www.google.com/support/forum/p/Chrome/thread?tid=5f249c4fa04ecd17&hl=en

The purpose of this blog is to raise awareness of this security deficiency and to run a poll that gathers statistics about the relevance of the issue in the real world.

As for me, I really like Google Chrome, but I continue to use Firefox because of two important features: master password and Mozilla Weave (which is off topic and on which I will not elaborate).



A very interesting post about this issue can also be found at http://lwn.net/Articles/388309/ and reads as follows:
Master passwords for browsers provide a measure of security against some common, if weak, attack vectors. Firefox has had master passwords for some time, but Google's Chrome browser does not, nor does it seem to have any kind of priority to be added. That makes some users rather unhappy, to the point of saying that they won't use the browser until it is implemented. Google's position seems to be that master passwords only provide an illusion of security, but that is an oversimplification.
The idea behind a master password is to protect the credentials (username and password) for accessing web sites that are stored by the browser. The master password is required to unlock (really decrypt) the credential storage before the browser can auto-fill login forms. Without a master password, Firefox stores credential information unencrypted on the disk. Chrome does encrypt the credentials using the user's session information—but only on Windows—for Linux it stores them unencrypted.
As Jamie Strandboge describes in a blog posting, it is trivial to extract the credentials stored by Chrome on Linux in a SQLite database file. A bug filed against Chrome in September 2008 requests adding a master password, and, while it has seen many comments, it has also seen little action on the part of the Chrome developers. For Linux users, it is pretty clear that leaving an unencrypted version of all stored passwords on the disk is a security hole; it definitely requires access to the data, either on the machine itself or elsewhere—like a network share or backup of the home directory. Ways to get that access aren't very hard to envision. Since the data is encrypted on Windows, the picture there is a little murkier.
It is certainly true that anyone who gets physical access to your machine can do an amazing amount of harm to it if they want to. But it is also true that many people allow their computer to be used by others to do a quick search or check email. Those uses are typically short in duration and are "semi-supervised" in the sense that the owner is often around and might very well notice someone installing a keylogger or running some kind of password cracker. What may escape notice is someone using the browser interface in fairly standard ways—to look at stored passwords for example.
The answer, according to Chrome developer Peter Kasting is to "lock your desktop (it's two keys!) or close Chrome" if you don't trust those with physical access. Essentially, because of the way Chrome is implemented, there is no secure way to allow someone to use your open browser session—or even to start a new one for them to use. With Firefox, one can start a new browser and not provide the master password (or just log out of the "Software Security Device"), which will allow semi-untrusted users to jump on and do a quick Google—or check Gmail.
Given the sensitivity of stored passwords—though many sensitive web sites, like banks and brokerages, have started disallowing credential storage—a master password protecting them gives users a sense of protection. It may well be that the average user overestimates the amount of protection that a master password provides, but that doesn't mean it provides no protection. There is certainly a big difference between a sophisticated hacker willing to risk jail time by installing a keylogger and a "friend" who thinks it would be funny to update your Facebook status for you. The latter is likely to be thwarted by a master password.
It is a bit hard to understand why the Chrome developers are so unwilling to consider adding the feature. It shouldn't be particularly difficult in a technical sense. The "UI complexity" argument rings a little hollow. The lack of any way to get password encryption on Linux just seems like a bug that needs to be fixed, though there isn't any real indication that it will be. Maybe someone in the community needs to take a crack at it—it is, after all, free software.




* pro * - maxthelene 02.09.2008
What I had in mind is something like what Firefox has. It is an option to set a master password for the browser so that private things are protected. It could be used in a variety of ways, but the one that is most important to me is that when you click "show passwords" in the stored passwords menu you should be prompted to enter the master password for the browser. That way if I let my little sister check her email on my computer she can use my browser, but she can't see the stored password for my Facebook account so she can play a joke on me. It is basically a way of validating my identity during a console session. To make it better it could prompt you for it after a period of inactivity or give you the option to go un-privileged.

* pro * - leslie 02.09.2008

Yeah, this is a potential security flaw (for example, allowing someone else to use your browser, they can view all saved passwords from 'Options' -> 'Show Saved Passwords') 

* pro * - ptas... 02.09.2008

You have my vote on this feature. Not having this is a significant security flaw. The way it's implemented in Firefox would suffice, with the addition of Jessome's suggestion that "the entire 'stored passwords' menu should itself be password protected".

* pro * - spadgos 03.09.2008

I'll also add this: This should totally be added, similar to how Firefox has done it. Leaving it off by default is fine, it would just annoy those people who don't care - those who do care will take the 3 seconds to find how to turn it on. One thing which *must* be different to how Firefox has implemented this is how it prompts you for the master password. FFx shows a prompt which steals focus and will continue to return on subsequent pages even if it had been canceled previously. As maxthelen said in Comment #2, this feature works well if you want to let a kid sister use your computer without letting them get into all your accounts - the way Firefox does this, it makes browsing *really* annoying for the kid sister, so much so that I had to create a new Firefox profile with the master password turned off.

= con = - pkasting 03.09.2008

Working as intended. There has been much internal debate about this issue in the past which I will not reiterate here, except to summarize. Master passwords as implemented in other browsers provide more of an illusion of security than actual security. They also inconvenience users. Chrome uses the Windows crypto routines to encrypt local passwords, giving you some protection against remote data theft; for local data theft a master password wouldn't help. Eventually this need can be fulfilled in other ways that we have design ideas for.

* pro * - reneluckwo 03.09.2008

It does, however, protect my passwords in a way that lets regular users use my computer without getting access to my passwords, cookies, etc. I imagine it would be easy to implement for you due to the clever way you've built the browser :) This is the one thing keeping me with Firefox.

* pro * - smsoko 03.09.2008

I would reiterate what reneluckow says. While pkast is correct that the master password only gives an "illusion of security", I think he misses the point entirely. pkast is saying that the passwords use Windows crypto while stored, which is wonderful, but all a hacker has to do is sit at the workstation (or via remote access), launch Chrome and select show password from the options menu. Isn't that like encrypting your entire hard drive with multiple levels of security... then leaving a post-it note on the screen with all the password info?

* pro * - sam.derbyshire 03.09.2008

I do think this should be added, at least as an option like it is in Firefox, where you click "add master password". That way it would not inconvenience anyone. I agree that it does not give a huge amount of security, but being able to see other people's passwords when using their browser with a click of a button is just wrong. I really think this feature should be added.

* pro * - Shareof Vulcan 04.09.2008

At my office, the IT department has _all_ passwords. This allows me to keep my personal passwords safe on my work computer. Please, _please_ reconsider this decision.

* pro * - simplymtb 05.09.2008

I also posted this "problem", so I agree. This means that anyone who can access my PC when I forget to lock it can see all my passwords. I was stunned that this option was so easy to see. So PLEASE put in a Master Password, because these kinds of things make this program look bad.

* pro * - guillaumeflipo 05.09.2008

We indeed need a Master Password over the recorded passwords! Everyone can come and open your Chrome, and get all your passwords! Absurd!

* pro * - sfjacobs 05.09.2008

Inconvenience them how? The whole discussion is focused on avoiding others being able to see your stored passwords. What sort of security are you talking about? If you are not able to see them and "Chrome uses the Windows crypto routines to encrypt local passwords, giving you some protection against remote data theft" (comment 13), what other security are you looking for? This would address the security concern that you voiced over others seeing your passwords (thus adding an equivalent amount of security to a master password in that context). It would not address the concern over others using your saved passwords, but as the discussion above indicates, Google is more willing to live with that over the inconvenience of typing in a master password.

* pro * - maxthelen 05.09.2008

If you click the little wrench in the upper corner and then click options and then select the Minor Tweaks tab and then click "show saved passwords" it takes you to a menu with all the sites you have passwords stored for. If you highlight a site you can then click the "show password" button and it prints the password right beneath the button in the gray. Not only can anyone who is borrowing your computer to use the internet use your saved passwords, but anyone with even a little experience with web browsers can learn exactly what your password is just by asking the browser; it could be 512 billion bit NSA encryption - it doesn't matter, the browser just hands it out to whoever asks from the console.

* pro * - shmuelp 05.08.2009

Even if the passwords are encrypted when stored on disk (comment #13), if Chromium can decrypt them without user input, then so can other programs. At the very least, malware running when a person is logged in could decrypt and read them. For me, that's the main reason I want a master password option.

= con = - erikheemskerk 26.09.2008

In response to comment 24; if someone borrows your computer, do you let them use your user account? If so, well there's your problem! Having a master password is 'security through obscurity'. Plus, it degrades usability. I already have to convince Windows I am who I say I am, why would I also have to convince my browser?

* pro *  - maxthelen 26.09.2008

I run XP and I hate fast user switching because it's a resource consumer with little practical benefit for me. So, I have it off - which, of course, means that if I log off it closes everything I have running, making your resolution very impractical. I'm not letting strangers use my computer, just friends who need to check their email real quickly. 'Security through obscurity' is a very legitimate method for preventing people you trust from getting information that they just don't need to know. Example: If your online banking gets jacked with, it's not a good situation to have a friend as a suspect because you know they had unrestricted access to the password. As far as degrading usability, there are different methods for requiring the password that are non-obtrusive. Suffice it to say that the title of this thread is "No Master Password OPTION" ;) thanks

* pro * - drew.stnoebraker 06.10.2008

I am very surprised this feature has been denied. Pkasting's explanation does not address the concern, and therefore leads me to believe that the need has been misunderstood. Even if there are ways around it... master passwords provide significant security against guest users easily or accidentally obtaining an owner's passwords, and therefore access to the owner's website accounts (e.g. online shopping, email, etc.)... even websites for which passwords are not stored, if the owner/user reuses passwords. It is only the lack of a master password that offers any inconvenience to users... as long as the master password is off by default (as it is and should be in Firefox), users who don't want it never notice it... but without the option, users who do feel the need for it are highly inconvenienced by being forced to not store passwords, or to use a browser that has this feature. 2 things to improve upon Firefox's feature: in Firefox, there are only 2 options: on or off. When it is on, it requests a master password 3 times before opening a Firefox session (perhaps because I have 3 home page tabs with stored passwords... but this is a bug and needs to be fixed), and causes a major slow-down of the computer, even though it does not seem to be using up resources. However, it would be nice to have a second option, where the master password is not needed to use websites with stored passwords... only to view the stored passwords.

* pro * - jspeavey 29.10.2008

Until this issue is addressed, I will not be using chrome nor will I allow it to be used in my company. For those arguing that this is just 'security through obscurity' you are fundamentally wrong and are truly missing the point. Someone having access to my Windows account, for whatever reason, should not mean that they should get simple and unauthenticated access to *every password on every system that I save in chrome* and also get the ability to see/copy them for their own use.

This is just too easy a target for too large a risk with too easy a solution:

1) Allow the setting of a master password that is used to encrypt the password store.

2) Allow the user the ability to set the time period before re-requiring authentication to the password store; and

3) Absolutely always require re-authentication to the password store when the user requests to see the passwords.
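As an added example (not code from this page, from Chrome or from Firefox), here is a minimal credential store that implements the three points above and the unlock-then-autofill behaviour the LWN excerpt describes: the decryption key is derived only from the master password, an unlock expires after a timeout, and revealing a password in clear always re-authenticates, so the on-disk blob is useless to anyone who has the file but not the password. The HMAC-based counter-mode cipher, the 200,000-iteration work factor and the injectable clock are assumptions chosen so the example runs on the Python standard library alone.

```python
"""Master-password credential store: PBKDF2 key, timed unlock, re-auth to reveal."""
import hashlib, hmac, json, os, time

ITERATIONS = 200_000  # PBKDF2 work factor; illustrative value


class Locked(Exception):
    """Raised when the store is used without a valid, unexpired unlock."""


def _derive_keys(master_password: str, salt: bytes) -> tuple:
    """Slow KDF from the master password, then split into encryption and MAC keys."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, 32)
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256 as the PRF: a standard-library stand-in for AES-CTR.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(keys: tuple, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the on-disk layout is nonce || tag || ciphertext."""
    enc_key, mac_key = keys
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest() + ct


def _open(keys: tuple, blob: bytes) -> bytes:
    """Verify the tag first: a wrong master password fails here, before any decryption."""
    enc_key, mac_key = keys
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password or corrupted store")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CredentialStore:
    """self.blob is the on-disk form; keys exist in memory only while unlocked."""

    def __init__(self, master_password: str, timeout_s: float = 300.0, clock=time.monotonic):
        self.salt = os.urandom(16)
        self.timeout_s = timeout_s
        self.clock = clock            # injectable so the timeout can be tested
        self._keys = None
        self._unlocked_until = 0.0
        self.blob = _seal(_derive_keys(master_password, self.salt), b"{}")

    def unlock(self, master_password: str) -> bool:
        """Point 1: the decryption key comes only from the master password."""
        keys = _derive_keys(master_password, self.salt)
        try:
            _open(keys, self.blob)
        except ValueError:
            return False
        self._keys = keys
        self._unlocked_until = self.clock() + self.timeout_s   # point 2: timed unlock
        return True

    def lock(self) -> None:
        self._keys, self._unlocked_until = None, 0.0

    def _entries(self) -> dict:
        if self._keys is None or self.clock() > self._unlocked_until:
            self.lock()
            raise Locked("master password required")
        return json.loads(_open(self._keys, self.blob))

    def save(self, site: str, username: str, password: str) -> None:
        entries = self._entries()
        entries[site] = {"username": username, "password": password}
        self.blob = _seal(self._keys, json.dumps(entries).encode())

    def autofill(self, site: str) -> dict:
        """Fill a login form: allowed while the timed unlock is still valid."""
        return self._entries()[site]

    def reveal(self, site: str, master_password: str) -> str:
        """Point 3: showing a password in clear always re-authenticates, even if unlocked."""
        if not self.unlock(master_password):
            raise Locked("wrong master password")
        return self.autofill(site)["password"]
```

Compared with a store whose key the browser can recover without user input, nothing in this process or on disk can decrypt `blob` once the unlock has expired or `lock()` has been called.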

* pro * - opodaniel 20.06.2009

I like Chrome because it is simple and quick, but I won't use it until it has a master password. Let's face it, these days you need a password for a lot of places; you cannot just read news, we have discussion forums, different mailboxes, maybe some places where we buy stuff. Not having any protection for the passwords is really not a good idea. Any vulnerability in the OS can be exploited by some hackers to collect millions of user passwords, because they know where the file with passwords is located on the computer. Let's make their job a little harder, not give them our privacy on a silver plate.

* pro * - gerardc 09.10.2009

Details of the encryption used by Firefox when a master password is specified: http://luxsci.com/blog/master-password-encryption-in-firefox-and-thunderbird.html

> pkasting
> Working as intended. There has been much internal debate about this issue in the past

Clearly not enough if things were left in this situation.

> Master passwords as implemented in other browsers provide more of an illusion of security than actual security.

Well sure, if you don't point out what this illusion is, then nobody can tell you where your logic is going completely wrong. You can crack 3DES in CBC mode, can you? Perhaps it is your use of the feature that leads to an "illusion of security than actual security".

> They also inconvenience users.

Yep, more security == more inconvenience. That's the way it's always been and always will be. Not a good reason to be insecure.

> Chrome uses the Windows crypto routines to encrypt local passwords, giving you some protection against remote data theft;

Talk about "illusion of security"!

> for local data theft a master password wouldn't help.

Again, you can crack 3DES in CBC mode? I know I can't, but I can certainly grab all of my coworker's Chrome passwords.

> Eventually this need can be fulfilled in other ways that we have design ideas for.

Great, so the browser has been out for how long now without any good way for users to encrypt the passwords that are saved to it?

* pro * - grinapo 17.02.2010

I wonder whether everyone's deaf and blind regarding this issue. I do not see (but I confess I didn't read all linked discussions since they seem to reiterate things already said) whether anyone really considered this. Let me tell you how my machines work. Firefox. Passwords are encrypted with master. Timeout is 5 minutes from the last password input. When master pw times out you need to enter it again for _anything_ using sensitive information, even to see what sites I have saved passwords for. So, basically Bob has *2.5 minutes* on average if I forget to exit the browser to get my passwords. After that, either he cracks the password, tries to get it from the machine (which could or could not be feasible with no root access) or beats me to tell it. I see no other way for him to get at my passwords, saved forms or anything master pw protected. Opera implements a similar master pw timeout. I fail to see how this could be an illusion. Using proper pw input, proper encryption and a timed-out master pw, this protects private data. Correct me if I'm wrong, please. Thank you. If you can't, this should be a security related wish and ought to block release. IMO.

* pro * - grinapo 28.02.2010

Comment 45: the problem isn't that this doesn't bother _many_ of us, but that there is a philosophical debate about its merit, where the opponents usually omit every fact which would contradict their opinion. :-) While the debate is ongoing, it seems nobody wants to start to implement anything. By the way, have those who think master passwords cannot work ever checked Firefox's FIPS-grade mode? It uses a master password and magically still possesses this government-grade certification. (Obviously it means a bit even more strict pw expiration and usage; we do not need to be THAT strict, but it shows the feasibility and security of the feature as implemented.) But I don't believe even this would convince the "opposite side" commenters.

Btw this issue _was_closed_. Merged into Issue 1397, which was closed, and merged into Issue 812, which is "profile/login support", so I guess the master password request was buried deep.

* pro * - nonoitall 07.04.2010

I agree this issue needs fixing. A master password isn't an "illusion of security" at all. grinapo hit the nail on the head. Without a master password, if my laptop gets stolen or someone goes snooping on it when I'm not around, my passwords are an open book. It wouldn't even take a particularly tech savvy person to get at them. With a master password, the only way someone can access my passwords is (1) if my master password has already been entered (and hasn't expired), (2) by coercing me or (3) by brute force. As long as I own a laptop, I will never use Chrome until this issue is resolved.

* pro * - opodaniel 21.04.2010

I think a blog should be created regarding this issue since Pkasting is erasing a lot of good and well-reasoned posts. I like Google a lot, but lately some of the employees' actions make me keep my distance. I also am in China right now, so it won't be so hard :)

*-* gerardc

@opodaniel Can you provide some evidence that entries have been deleted? One of the posts that was here earlier but has since been removed should suffice. I imagine you have been receiving email copies of all posts in the same way I have, so it should be pretty easy to point to an entry that has been deleted without good cause.

*.* opodaniel

No, I don't have those mails because I have unsubscribed from this issue. I am a happy Firefox user, with no pretension from Chrome until this issue is solved. This brings me to another strange issue which is off-topic, but I should answer your question. I asked before what I should do in order to stop receiving mails about this issue (because it is easy to see that in 2 years' time nothing has been done, so there's no point in seeing people asking for a master password and developers telling them that Windows provides enough protection). I think it was Pkasting who told me how to do it, but strangely each time they merge issues I start receiving the mails and have to unsubscribe from something that I didn't subscribe to in the first place, or that I had already unsubscribed from. The idea is that I've already read this topic several times, and I think that maybe while merging issues, some posts were lost or moved; who knows. From my point of view there should be a lot more posts. I have no evidence whatsoever.

Anyway, I think a blog where people could express their opinion with the possibility to vote would be a good idea. Google would see what people think about this very important issue. There are two questions to be answered by each one of us:

- While Chrome is a product of Google , and is free, why should Google listen to the users? Look at Apple how well it does and how much profit it makes :).

- If Google is not listening, and there are such good alternatives out there, why should we lose time helping to improve it? After all, all products of Google, while being free (Google search engine, Google Docs, Gmail, etc.), are indexed by Google, which helps them improve the Google AdSense and AdWords money-making machine. So nothing is really free in life, except life of course.

* pro * - clr... 05.06.2010

Chrome is my default browser, but, sadly, I still have to use Firefox to store my passwords. When will this change? This feature is the last one missing before the retirement of my Firefox.

* pro * - sebdanger2 23.06.2010

I agree with cmsoko and grinapo, this issue should be fixed. Having a master password is very useful (especially as when you try and view your stored passwords in Firefox you have to re-enter it), and yes, it is a slight inconvenience to users (less so if you don't close Chrome and just hibernate or suspend your PC), but not letting Chrome store any passwords (so no one can see them) is even more of an inconvenience! Please Google, sort this out, it really can't be that difficult (um... maybe I should have a look at the Chromium code and implement it myself!)

* pro * - nghtvsion 24.06.2010

OK, tl;dr past the halfway point, but I saw no one touch on this point, which differs entirely from the "everybody being able to see your passwords if they want" angle: when I set Chrome to save a password, it's saved, right? The next time I visit that site, the password is pre-filled for me. OR FOR ANYONE ELSE WHO VISITS THAT SITE ON MY BROWSER. With FF, true - if you cancel the enter master password prompt, it comes back. Boo hoo for the poor soul at my house, having to use my internet and clicking "cancel" three or four times. Which do I care more about, the fact that my friend has to use his click finger a little more than necessary, or the fact that he can get into my Facebook, bank, email account, etc. just by visiting the site? This issue is keeping me with Firefox as well.

* pro * - antoine.ody 20.07.2010

I totally agree with nghtvsion. This ISSUE is also keeping me with Firefox. Example: my laptop has its HD encrypted, is password protected, and would log you out after 5 minutes of inactivity. Still, I find it useful to be able to let someone use it and walk away, without him being able to access all my login-protected websites.

* pro * - gerardong 23.09.2010

Good to know it is fine with MacOS. Wondering what IE is doing on this issue? They use Crypto API and they don't show saved passwords in IE preferences. And I really think that doing that is JUST FINE. It will take a lot more time to download and execute a cracking tool than to click on Preferences -> Show Passwords. If the developers think they are making it clear that "save password" is not secure by adding the "show pass" button (instead of putting a warning), then you should know that YOU ARE WRONG. You should REMOVE THE BUTTON and add a warning. Because people save passwords anyway no matter how insecure it is! If you are a Chrome user, you fall into the following categories:

a) You don't know how insecure it is to save a password => so, you use it.

b) You know how insecure it is, but don't care => so you use it anyway.

c) You know, and don't use it.

In cases a and b, removing the button (and warning them how insecure it is) will somewhat help protect them from password stealing by "non-technical users". And that is what we want, and what IE does. We don't care that there are a billion cracking tools to steal passwords because we hope our antivirus will prevent them from running.

* pro * - jwilliamwilox 11.11.2010

DON'T BE EVIL. Just give us what we are asking for. Most of us are even asking nicely, suppressing our urge to just blurt out what we're really thinking, which would sound something like "What the H-E-double-HockeySticks could they be THINKING?!?!" Resistance to such a benign request makes me wonder if we should audit CHROME code. Do _their_ servers have access to our saved passwords? AND . . . is this some of the first anecdotal evidence that the Google-is-positioning-itself-to-one-day-take-over-the-world conspiracy theory might actually have merit? (How can you not SEE it?! They even have cars that DRIVE THEMSELVES!!!) Please, Google. You have the power to stop the wild speculation. A shroud of doubt and fear is settling upon us. Make it stop. Just add the feature already. It's not that big of a deal.

* pro * - djdaddp 14.11.2010

I am amazed that this is still getting push-back from Google and it is why I am using Firefox and will migrate to Firefox on my Android as soon as it's stable. Having support for "other password managers" is a kludge. With Firefox my encrypted passwords are automatically synced to every PC I use (and soon to Android). It's easy and I still have local control on each PC. This is not an issue of evil people remotely stealing my passwords - if that were the case, I would have no problem with Chrome. This is an issue of me being able to share a computer with my son and not allowing him to access my passwords.

What is your opinion on this issue? Is it a real issue, or a false problem? Do you use Chrome, and if so, do you store your passwords knowing that any person who uses your computer can see them?

2 comments:

  1. Great work creating this blog entry. It is insane that this issue has not received any logical response from anybody inside Google.

    -- gerardc

  2. They are about to implement using Linux password storage solutions, but voiced their problems about their implementation. Well, time will tell.