[weiran]

They're not stored in plaintext, they're stored in the Keychain. The point here is Chrome provides essentially unauthenticated access to the Keychain.

For reference, here's what Safari prompts you with when you try to view your saved passwords: http://imgur.com/k2gIqtM

[garethadams]

"Unauthenticated" except for the time you told Keychain to "Always allow" requests from Chrome.

However I'll admit that there's a big difference between what I expected Chrome to be using those passwords for (logging me into websites) and how it's ended up (making those visible to anyone looking at the settings page).

[masklinn]

> "Unauthenticated" except for the time you told Keychain to "Always allow" requests from Chrome.

1. that does not make it OK to display all cleartext passwords, Keychain requires the account password before displaying the cleartext. And keychain can optionally require the master password to be entered before providing a password for form-filling as well.

2. an other user notes above that, whether you "allow" or "always allow", Chrome will copy the entry it just got to a new keychain entry which it sets to always allow.

[stephenr]

Chrome creates it's own keychain entries and sets them as "always allow from chrome" regardless of what the user does.

This is a problem entirely caused by Google

[interpol_p]

Why can't Chrome do the same thing Safari does in that image? If the user wishes to see the password in plaintext, ask for their master keychain password first.