This is a big deal because it makes reading passwords easy to do in seconds, and easy to do inconspicuously.
If you were to modify the DOM to unmask passwords it would take longer, and it's not something you can do while a co-worker or friend lends you their laptop for a minute. This flaw presents additional opportunity to anyone who wants to read another person's passwords.
It is not merely "cosmetic." It actually presents a real problem for anyone who does not log out of their account every time someone else uses their computer. Sure, this is probably best practice — but it is also insulting, inconvenient and an unrealistic expectation.
If I have unrestricted access to your machine, your passwords are compromised. Fine. But this is not a common or realistic scenario. It is far more likely I am using your machine with you, and then you walk out for 20 seconds to get a glass of water.
You are presuming a specific environment and an attack specific to that environment.
At first glance, it may look like adding the extra complexity of a password through the obvious user-interface path improves security. But that assumes there are no costs. In this case the cost is a false sense of security - such that all other attack vectors are still just as open and now the user is less aware of them.
The user would be better off having the 'vulnerability' rubbed in their face so that they would learn to take measures like locking the screen whenever they walk away. That way when someone gets physical access for 5 minutes instead of 20 seconds, the passwords are still just as safe.
javascript:var a=document.querySelectorAll("input[type='password']");for(var i=a.length-1;i>=0;i--){a[i].type="text"}void 0
* An FBI warning, like they have on DVDs, explaining the penalties for stealing user passwords.
* Automatically generate word-search puzzles like on the backs of chain restaurant kids menus, so that 5 year olds will have a harder time recovering passwords.
* Since most of the "attackers" the master password would block are probably senior citizens, typeset the passwords in a 7 point font.
* Since all of the "attackers" who would be thwarted by a Chrome master password are computer illiterate, make users answer a basic computer literacy quiz before showing them the password. You should have to be able to explain the difference between a library function and a system call when you push the "reveal password" button.
Note to The Guardian: I have at least 10 more similar "major security flaws" in Chrome (I gave up some more, like the red-green colorblind attacker countermeasure, on Twitter --- but I assure you I have 10 more) that I'm willing to disclose to you, and I assure you that you'll be able to find someone else on the Internet to give you quotes for your article about how terrible it is that Chrome has those flaws.
And please explain how to bypass Safari password manager, or 1Password, or any password manager with a master password, if you believe it's only a cosmetic feature.
https://news.ycombinator.com/item?id=6166731
- dump all your session cookies
- grab your history
- install malicious extension to intercept all your browsing activity
- install OS user account level monitoring software
The last one could plausibly work, in combination with "grab a copy of the encrypted 1Password key file", to compromise all the 1Password stuff. The others essentially work around 1Password, or so I believe.
This is why there are certain passwords that I don't even store in 1Password. It's also an argument for two-factor auth.
The difference I see is if my spouse or boss wanted to look at my passwords they could, easily. I'm not OK with that. Now, tell me they have to install a trojan, a virus or some other software first to get access to my passwords and that's a level of safety which stops my boss. My boss won't have the technical know-how to do it. My spouse could be looking just out of curiosity; the smallest roadblock would stop them. Chrome's implementation makes it easy for anyone to see passwords and that's just wrong!
The length of time anyone will have access to an unsupervised machine plays a role here. It shouldn't take 5 seconds of pointing and clicking that my gran could do to reveal all my passwords. It should take someone more effort!
And for the record, when I saw this feature 2 years ago I disagreed with it too - but it's not a flaw.
Firefox should lose the feature.
Surely they have to be reversible, or the browser wouldn't be able to use them as passwords.
- I understand the fact that the browser must be able to have the password in plaintext at the moment of logging to a website.
- I understand that if someone has access to my account on my computer then is able to access all the sensitive information that I have stored unencrypted on it, and not just my browser's passwords.
- I understand that is not something new or ground-breaking, or even something exclusively related to Chrome.
I still can't see how sensible having an option to show the passwords in plaintext, without protection, really is. Many people (non tech-savvy people in particular) for example do not lock their OS profile at all.
Requiring a Master Password by default (with the possibility of opting out in the settings) before using/showing passwords, and storing these in encrypted form, would seem more sensible to me.
This is not a security flaw. Comparing browser password storage to a safe is mildly retarded.
Chrome is designed for the layman.
Does it warn you that your passwords are effortlessly stolen by anyone that can access your computer? No.
Does it warn you they're at least not encrypted? No.
Do you think the average Chrome user knows this?
Do you think the average user understands computer security like us IT professionals?
It actually is impossible for malware to instantly send off all of your saved passwords if you're using Firefox and have a (reasonably decent) master key set up. I assume Opera has a similar master key option. The keyword however is "instantly."
Now, the malware can and will still of course modify HTML on the fly and steal your passwords immediately after you login to websites, but it would probably take quite a bit of time for it to collect nearly as many passwords as there are stored in your browser's password vault, especially if you use websites that don't require you to re-login very often. And the longer that time window is, the higher the chance the malware will be detected either by odd computer behavior, or an AV detection.
They can also set up a keylogger and wait for you to input your master password at some point. It can sometimes be hard to determine what logged text is actually the master pass, due to how many keyloggers work, but this is of course a viable option.
All-in-all, master passwords do in fact hinder attackers. The first thing many malware spreaders do is dump browser and other saved credentials (often FTP, sometimes IM accounts so they can spam malicious links to contact lists); it's often a quick "in-and-out" dumping process. It's not uncommon for malware to successfully execute and exfiltrate some data as soon as it's loaded, but later as it infects other files or drops additional payloads, AV will fire and the user will try to clean up the machine.
And then there are the very simple cases of "friend/acquaintance uses computer, looks at your passwords really quickly, memorizes a few, goes home and screws with your accounts at a later time." Master passwords make that sort of situation fairly impossible.
I really do not personally see why Chrome doesn't allow master passwords as an option. It would not be a security silver bullet, but it does help.
Either it tells you that your passwords are readable (and thus you are less likely to trust it) or it makes some attempt to prevent your passwords from being read within seconds. It can't have it both ways.
Given that a user left their session unlocked (!) in the presence of someone who is not them (!!) with a password file and other sensitive data in easy reach (!!!) - why is it Google's problem that the end user violated the first three rules of computer security?
*edit: Downvotes don't answer the question, guys. At what point do you stop taking extraordinary measures to protect the user from their own lack of sense?
Interesting to see the Guardian newspaper quoting someone from Hacker News.
Same is also true of Firefox - find the right path through the menu structure (different for each version) and reveal all your passwords.
Simple enough.
He isn't just some random commenter though, he is the tech lead of browser security (according to his comment, which I'm guessing The Guardian didn't actually verify :D)
Alternatively Chrome should inform the user that saved passwords are easily readable in plaintext, so that users will not trust it as much. It does not do this either.
There's a difference between browsing someone's private documents and having permanent access to their email account via their password.
Well, except that you can just dump the passwords from Keychain without the master password.
Click 'View page info'
Click 'Security'
Click 'View Cookies'
I just bypassed your Firefox/Safari/etc master password and owned your session. OH NOES, SECURITY FLAW!!!! (I also downloaded a rootkit and installed it in your user's home directory, but you probably don't find that as much of a flaw as me getting your cookies. Right?)
I will say that encrypting the passwords on-disk is a nice thing if you care about cold-rebooted disk attacks and don't implement disk encryption yourself. But the game is mostly over if they have access to your machine. If the machine is still on, a DMA or cold boot attack is probably going to net them the passwords even on a master-password-locked browser, because the browser still needs to access the passwords for forms without prompting you every time.
And enter your master password if you use that, which you should, if you're storing passwords at all.
The answer is also kinda obvious. It started as a matter of convenience ("I'm too fking bored to type out my long-ass password" or "I have so many passwords, I can't be bothered to remember them all" or "LastPass? What's that?") and has remained so till date. In fact, it will continue to do so until a zero-day exploit appears that can uncover these plaintext passwords, which, judging by current events, doesn't seem too far away.
http://raidersec.blogspot.com/2013/06/how-browsers-store-you...
Next up: Android wireless passphrases are also stored unencrypted!