Pixel Envy

Written by Nick Heer.

Chrome’s Insane Password Security Strategy, Redux

In August, Elliott Kember discovered that you could view every saved password in plain text in any logged-in user's Chrome browser, with no further authentication, simply by typing chrome://settings/passwords into the address bar. Head of Chrome security Justin Schuh inexplicably found no major issue:

The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.

I thought this was ridiculous:

… this just seems like a silly way to rationalize a plainly poor decision. Using no security at all is not better than modest security.

Google must have agreed, because there's a new experimental flag in the latest Chromium build, according to evangelist François Beaufort:

Once you've enabled the chrome://flags/#enable-password-manager-reauthentication flag, a user who's trying to reveal a plain-text password in chrome://settings/passwords will be prompted to reauthenticate with the user's Mac OS password.

Good. With any sense at all, this will be the default for Chrome going forward.

Update: Reader Tom Hagopian points out that iCloud Keychain does not require a device passcode to be set, and that if no passcode is set, you can view any password saved with Safari or synced with iCloud. If you set a passcode, it will prompt for it before viewing each password. So, set a passcode.