Google may soon offer Chrome users a little extra protection for their passwords – which could previously be accessed in “one click” on unattended machines.
The feature caused controversy earlier this year after developer Elliot Kember revealed that any stored passwords could be revealed simply by pressing a button saying, “Show”.
The latest build for Chromium for Mac – the open-source web browser project from which Chrome draws its code – includes an additional feature which allows users to “lock” stored passwords, according to a report by Ars Technica.
“If you enable password manager reauthentication and then restart the browser, the next time you view your list of passwords you’ll be prompted to enter the system password before being allowed to view them in plain text,” the site writes.
Previously, any unattended machine offered passers-by the opportunity to see a list of plain-text passwords simply by visiting chrome://settings/passwords, Engadget pointed out in its report, describing Google’s attitude to security as “relaxed”. The Verge described Google’s previous approach as leaving passwords “just a click away”.
The new approach – requiring a system password – fits with Google’s initial defense of its policy, where Justin Schuh, security tech lead for Chrome replied in detail to Kember’s post on Ycombinator saying, “The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.”
Other browsers contain “extra” security measures – Firefox allows users to create a master password, and Internet Explorer does not allow access to lists of passwords.
ESET Senior Research Fellow David Harley said at the time, “It’s a really bad idea to save passwords in Chrome on a machine that can be accessed without authentication (obviously a bad idea in itself), or where an account is shared (also not good practice – especially on business machines – but probably not uncommon on home machines). I’d suggest that it’s usually better to use some sort of password manager to store your passwords than a browser…”
Firefox allows users to create master passwords to protect their login data from snoopers, while Internet Explorer simply doesn’t provide snoopers an easily accessible list of passwords. Safari protects passwords with the OS X password.
Google has not commented, and there is no guarantee the new feature will appear in Chrome either on Mac or Windows, The Verge points out.
Author Rob Waugh, We Live Security