by madsr 4697 days ago
Why is Chrome named as the "bad guy"? If anything, Chrome reveals the issue, by showing just how accessible browser-saved passwords are in the first place. Do you think that it's impossible for malware to retrieve passwords from IE, Firefox, Safari and Opera? Just how is it possible to import the passwords from these applications, then?

This is not a security flaw. Comparing browser password storage to a safe is mildly retarded.

3 comments

Chrome is the browser that auto-updates with no user interaction, checks against website blacklists to protect you, and has an entire OS built around the concept of hassle-free, locked-down, auto-maintained, disk-encrypted usage.

Chrome is designed for the layman.

Does it warn you that your passwords are effortlessly stolen by anyone that can access your computer? No.

Does it warn you they're at least not encrypted? No.

Do you think the average Chrome user knows this?

Do you think the average user understands computer security like us IT professionals?

>Do you think that it's impossible for malware to retrieve passwords from IE, Firefox, Safari and Opera? Just how is it possible to import the passwords from these applications, then?

It actually is impossible for malware to instantly send off all of your saved passwords if you're using Firefox and have a (reasonably decent) master key set up. I assume Opera has a similar master key option. The keyword however is "instantly."

Now, the malware can and will still of course modify HTML on the fly and steal your passwords immediately after you login to websites, but it would probably take quite a bit of time for it to collect nearly as many passwords as there are stored in your browser's password vault, especially if you use websites that don't require you to re-login very often. And the longer that time window is, the higher the chance the malware will be detected either by odd computer behavior, or an AV detection.

They can also set up a keylogger and wait for you to input your master password at some point. It can sometimes be hard to determine what logged text is actually the master pass, due to how many keyloggers work, but this is of course a viable option.

All-in-all, master passwords do in fact hinder attackers. The first thing many malware spreaders do is dump browser and other saved credentials (often FTP, sometimes IM accounts so they can spam malicious links to contact lists); it's often a quick "in-and-out" dumping process. It's not uncommon for malware to successfully execute and exfiltrate some data as soon as it's loaded, but later as it infects other files or drops additional payloads, AV will fire and the user will try to clean up the machine.

And then there are the very simple cases of "friend/acquaintance uses computer, looks at your passwords really quickly, memorizes a few, goes home and screws with your accounts at a later time." Master passwords make that sort of situation fairly impossible.

I really do not personally see why Chrome doesn't allow master passwords as an option. It would not be a security silver bullet, but it does help.
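The difference this comment describes, a password store that any process able to read the file can dump at once versus one wrapped under a key derived from a master password, as an added example that is not part of the original thread and not Chrome's or Firefox's code. It uses only the Python standard library: PBKDF2-SHA256 to derive keys from the master password, HMAC-SHA256 in counter mode as the keystream, and an encrypt-then-MAC tag so a wrong master password is detected rather than yielding garbage. The sample entry, the iteration count and the layout `salt || nonce || ciphertext || tag` are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

# Assumed work factor for this example; real stores tune this to the hardware.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def plaintext_store(entries):
    """What a store with no master password looks like on disk: the JSON itself."""
    return json.dumps(entries).encode()


def read_without_master(blob):
    """What a reader of the file gets with no master password: the entries if the
    store is plaintext, None if the bytes are not a readable record."""
    try:
        return json.loads(blob.decode())
    except (UnicodeDecodeError, ValueError):
        return None


def _derive_keys(master_password, salt):
    # One PBKDF2 call yields 64 bytes: 32 for encryption, 32 for the MAC.
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 used as a PRF in counter mode: block i = HMAC(key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(entries, master_password):
    """Encrypt the entries under keys derived from the master password."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC over everything the reader will parse.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def open_vault(blob, master_password):
    """Return the entries, or None if the master password is wrong or the
    blob was modified. The tag is checked before anything is decrypted."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode())


# Constructed sample entry for the demonstration.
SAMPLE_ENTRIES = {"example.com": {"user": "alice", "password": "hunter2"}}

if __name__ == "__main__":
    flat = plaintext_store(SAMPLE_ENTRIES)
    print("plaintext store, read with no master password:", read_without_master(flat))
    sealed = seal_vault(SAMPLE_ENTRIES, "correct horse battery staple")
    print("sealed store, read with no master password:", read_without_master(sealed))
    print("sealed store, wrong master password:", open_vault(sealed, "password1"))
    print("sealed store, right master password:",
          open_vault(sealed, "correct horse battery staple"))
```

The point of the MAC check is the one the comment makes about time: a reader of the sealed file learns nothing without the master password, so the credentials can only be collected as the user types them or after the master password itself is captured. A production store would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library rather than this HMAC-CTR construction, which is here only so the example runs without third-party packages.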

Easier way would be to just wait for the user to enter the master key and then decrypt the passwords.
If Chrome wanted to be informative it would tell you clearly that your passwords are readable in plaintext at chrome://settings/passwords. It does not do this when it saves a password.

Either it tells you that your passwords are readable (and thus you are less likely to trust it) or it makes some attempt to prevent your passwords from being read within seconds. It can't have it both ways.