In August, Elliott Kember discovered that you could view all of the saved passwords in plain text in any user’s Chrome browser simply by typing
chrome://settings/passwords into the address bar. Head of Chrome security Justin Schuh inexplicably found no major issue:
The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.
I thought this was ridiculous:
… this just seems like a silly way to rationalize a plainly poor decision. Using no security at all is not better than modest security.
Google must have agreed, because there’s a new experimental flag in the new version of Chromium, according to evangelist François Beaufort:
Once you’ve enabled the chrome://flags/#enable-password-manager-reauthentication flag, user who’s trying to reveal a plain text password in chrome://settings/passwords will be prompted to reauthenticate with the User Mac OS password.
Good. With any sense at all, this will be the default for Chrome going forward.
Update: Reader Tom Hagopian points out that iCloud Keychain does not require a passcode, and that if no passcode is set, you can view any password saved with Safari or synced with iCloud. If you set a passcode, it will prompt for it before viewing each password. So, set a passcode.