Programmers slam Google for Chrome's 'insane password security'
Users' login details and passwords are easy to find in plain text; all it takes is access to someone's browser
Google is facing widespread criticism from technology bloggers over the password storage system used in its Chrome browser.
Simply typing “chrome://settings/passwords” into the browser’s address box reveals a comprehensive list of the user’s login details, with any computer user able to click a ‘show’ button to reveal the hidden passwords.
This does not mean that the passwords are stored on the hard drive in plain text, but that they can be made visible in plain text to anyone with access to the user’s computer.
Anyone who can get into a user’s logged-in computer session (which could be as easy as finding the computer left unattended) would then be able to copy that user’s login details for all of their online accounts.
The flaw was discovered by UK-based software developer Elliott Kember, who detailed the process on his blog. Kember’s criticisms draw attention to the differences between how Google markets its browser to developers and how it markets it to a wider, less tech-aware audience:
“In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers,” says Kember. “It’s the mass market - the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.”
The story has attracted a lot of attention, with Sir Tim Berners-Lee, the British computer scientist known for his integral role in inventing the internet, saying:
How to get all your big sister's passwords http://t.co/CpytKWH9aT and a disappointing reply from Chrome team. — Tim Berners-Lee (@timberners_lee) August 6, 2013
Google responded in kind after the story was posted on social news site Hacker News, with Chrome security engineer Justin Schuh commenting: “I appreciate how this appears to a novice, but we've literally spent years evaluating it and have quite a bit of data to inform our position.
“And while you're certainly well intentioned, what you're proposing is that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior.”
“You don't seem to understand the threat model here. You think your passwords are protected somehow in other applications, but they're simply not.”
A feature or a flaw?
Other comments on the Hacker News comment thread reveal the divided reaction amongst the tech community. Some users point out that passwords are always going to be fairly insecure, and that to think otherwise is naïve.
Others counter that passwords just shouldn’t be so easily accessed by someone without any technical knowledge, and that Google could offer more security – such as a master password that needs to be entered before other login details are shown.
Speaking to The Independent, Kember commented: “I think they [Google] are taking crazy pills. They seem to be out of touch with how real users are using computers every day. Google's go-to argument is that users ‘should’ lock their computers constantly, and use separate user accounts for each user.
“But that's not the way people are using computers. Even if it were, it's no excuse to bring all my passwords to one place and reveal them. I don't expect computers to work that way - nobody does.”
One solution to the problem is to set a 'master key' that needs to be entered before viewing all your passwords. This comes as default in Internet Explorer and can be turned on in Firefox from the 'security' tab. Users looking for extra peace of mind might also look into third-party software such as LastPass or 1Password.