Programmers slam Google for Chrome's 'insane password security'

Users' login details and passwords are easy to find in plain text, all it takes is access to someone's browser

Google is facing widespread criticism from technology bloggers over the password storage system used in its Chrome browser.

Simply typing “chrome://settings/passwords” into the browser’s address box reveals a comprehensive list of the user’s login details, with any computer user able to click a ‘show’ button to reveal the hidden passwords.

This does not mean that the passwords are stored on the hard drive in plain text, but that they can be made visible in plain text to anyone with access to the user’s computer.

Any individual who can enter a user’s computer log-in (which could be as easy as finding the computer when left unattended) would then be able to copy somebody’s login details for all of their online accounts.

The flaw was discovered by UK-based software developer Elliott Kember, who detailed the process on his blog. Kember’s criticisms draw attention to the differences between how Google markets its browser to developers and how it markets it to a wider, less tech-aware audience:

“In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers,” says Kember. “It’s the mass market - the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.”

The story has attracted a lot of attention, with Sir Tim Berners-Lee, the British computer scientist known for his integral role in inventing the internet, saying:

Google responded in kind after the story was posted on social news site Hacker News with Chrome security engineer Justin Schuh commenting: “I appreciate how this appears to a novice, but we've literally spent years evaluating it and have quite a bit of data to inform our position.

"And while you're certainly well intentioned, what you're proposing is that that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior."

“You don't seem to understand the threat model here. You think your passwords are protected somehow in other applications, but they're simply not."

A feature or a flaw?

Other comments on the Hacker News comment thread reveal the divided reaction amongst the tech community. Some users point out that passwords are always going to be fairly insecure, and that to think otherwise is naïve.

Others counter that passwords just shouldn’t be so easily accessed by someone without any technical knowledge, and that Google could offer more security – such as a master password that needs to be entered before other login details are shown.

Speaking to The Independent, Kember commented: "I think they [Google] are taking crazy pills. They seem to be out of touch with how real users are using computers every day. Google's go-to argument is that users "should" lock their computers constantly, and use separate user accounts for each user.

"But that's not the way people are using computers. Even if it were, it's no excuse to bring all my passwords to one place and reveal them. I don't expect computers to work that way - nobody does."

One solution to the problem is to set a 'master key' that needs to be entered before viewing all your passwords. This comes as default in Internet Explorer and can be turned on in Firefox from the 'security' tab. Users looking for extra peace of mind might also look into third-party software such as LastPass or 1Password.

Life and Style
ebookNow available in paperback
ebooks
ebookPart of The Independent’s new eBook series The Great Composers
Latest stories from i100
Have you tried new the Independent Digital Edition apps?
Independent Dating
and  

By clicking 'Search' you
are agreeing to our
Terms of Use.

ES Rentals

    iJobs Job Widget
    iJobs Gadgets & Tech

    Recruitment Genius: 2nd / 3rd Line IT Support Engineer - IT Managed Services

    £30000 - £36000 per annum: Recruitment Genius: This IT support company are loo...

    Ashdown Group: Technical IT Manager - North London - Growing business

    £40000 - £50000 per annum: Ashdown Group: A growing business that has been ope...

    Recruitment Genius: Telesales Manager / Account Manager

    £20000 - £25000 per annum: Recruitment Genius: This B2B software supplier, spe...

    Recruitment Genius: Systems Application Analyst - Data, SQL

    £22000 - £29000 per annum: Recruitment Genius: This fast growing SaaS (Softwar...

    Day In a Page

    Not even the 'putrid throat' could stop the Ross Poldark swoon-fest'

    Not even the 'putrid throat' could stop the Ross Poldark swoon-fest'

    How a costume drama became a Sunday night staple
    Miliband promises no stamp duty for first-time buyers as he pushes Tories on housing

    Miliband promises no stamp duty for first-time buyers

    Labour leader pushes Tories on housing
    Aviation history is littered with grand failures - from the the Bristol Brabazon to Concorde - but what went wrong with the SuperJumbo?

    Aviation history is littered with grand failures

    But what went wrong with the SuperJumbo?
    Fear of Putin, Islamists and immigration is giving rise to a new generation of Soviet-style 'iron curtains' right across Europe

    Fortress Europe?

    Fear of Putin, Islamists and immigration is giving rise to a new generation of 'iron curtains'
    Never mind what you're wearing, it's what you're reclining on

    Never mind what you're wearing

    It's what you're reclining on that matters
    General Election 2015: Chuka Umunna on the benefits of immigration, humility – and his leader Ed Miliband

    Chuka Umunna: A virus of racism runs through Ukip

    The shadow business secretary on the benefits of immigration, humility – and his leader Ed Miliband
    Yemen crisis: This exotic war will soon become Europe's problem

    Yemen's exotic war will soon affect Europe

    Terrorism and boatloads of desperate migrants will be the outcome of the Saudi air campaign, says Patrick Cockburn
    Marginal Streets project aims to document voters in the run-up to the General Election

    Marginal Streets project documents voters

    Independent photographers Joseph Fox and Orlando Gili are uploading two portraits of constituents to their website for each day of the campaign
    Game of Thrones: Visit the real-life kingdom of Westeros to see where violent history ends and telly tourism begins

    The real-life kingdom of Westeros

    Is there something a little uncomfortable about Game of Thrones shooting in Northern Ireland?
    How to survive a social-media mauling, by the tough women of Twitter

    How to survive a Twitter mauling

    Mary Beard, Caroline Criado-Perez, Louise Mensch, Bunny La Roche and Courtney Barrasford reveal how to trounce the trolls
    Gallipoli centenary: At dawn, the young remember the young who perished in one of the First World War's bloodiest battles

    At dawn, the young remember the young

    A century ago, soldiers of the Empire – many no more than boys – spilt on to Gallipoli’s beaches. On this 100th Anzac Day, there are personal, poetic tributes to their sacrifice
    Dissent is slowly building against the billions spent on presidential campaigns – even among politicians themselves

    Follow the money as never before

    Dissent is slowly building against the billions spent on presidential campaigns – even among politicians themselves, reports Rupert Cornwell
    Samuel West interview: The actor and director on austerity, unionisation, and not mentioning his famous parents

    Samuel West interview

    The actor and director on austerity, unionisation, and not mentioning his famous parents
    General Election 2015: Imagine if the leading political parties were fashion labels

    Imagine if the leading political parties were fashion labels

    Fashion editor, Alexander Fury, on what the leaders' appearances tell us about them
    Phumzile Mlambo-Ngcuka: Home can be the unsafest place for women

    Phumzile Mlambo-Ngcuka: Home can be the unsafest place for women

    The architect of the HeForShe movement and head of UN Women on the world's failure to combat domestic violence