[tptacek]

This is embarrassing. What The Guardian (and, earlier, HN) is describing simply isn't a security flaw; rather, HN appears to have had a mild temper tantrum over the lack of a cosmetic "security" feature that, had Chrome implemented it, could have just as easily led to another temper tantrum over how easy it is to bypass.

[interpol_p]

I am unsure why Chrome does not ask for the master password when the user attempts to reveal the plaintext for a password. Safari does this and it works.

This is a big deal because it makes reading passwords easy to do in seconds, and easy to do inconspicuously.

If you were to modify the DOM to unmask passwords it would take longer, and it's not something you can do while a co-worker or friend lends you their laptop for a minute. This flaw presents additional opportunity to anyone who wants to read another person's passwords.

It is not merely "cosmetic." It actually presents a real problem for anyone who does not logout of their account every time someone else uses their computer. Sure, this is probably best practice — but it is also insulting, inconvenient and an unrealistic expectation.

If I have unrestricted access to your machine, your passwords are compromised. Fine. But this is not a common or realistic scenario. It is far more likely I am using your machine with you, and then you walk out for 20 seconds to get a glass of water.

[tptacek]

It does not work. It is a cosmetic security feature. If you don't log out, the next unauthorized user owns your account. You obviously know that. You're talking about a security feature based entirely off the incompetence of attackers. Why not also recommend that Chrome "Base64 encrypt" passwords? That will stop approximately the same set of attackers as the lack of a master password feature will.

[interpol_p]

It does work.

Security is about far more than preventing determined, malicious attackers. It is also about being able to use your computer in a work or family environment with a reasonable expectation that your privacy will be maintained without explicit effort on your part.

You call them "attackers" but that is not who we are discussing. We are talking about people being able to casually browse your saved passwords, perhaps without even the intent to attack (maybe they just want to see what your passwords are).

Nor is this about the "incompetence of attackers." As soon as you add an extra step — such as requiring a master password to show a particular instance of a saved password — you increase the breach of trust required for a friend to violate your privacy. And it's not simply whether you trust someone or you don't, there are levels of trust between friends.

I have some friends that I would trust not to attempt to defeat my security, but I would not trust them not to casually browse my passwords. In this instance I would be safe with Safari but not with Chrome. See the difference? Chrome could easily implement Safari's solution for this and be better for it. Why defend the inferior design?

[tptacek]

I'm sorry, but I feel like I've had this pointless, silly debate my whole career, starting with comp.security.unix, continuing through my brief time working with OpenBSD and 90's Bugtraq, and through about a decade of helping startups with software security, and I've lost a lot of my patience for it.

Security is measured in dollars; it is about the cost you confront your adversary with. Chrome has sunk many millions of dollars into blunting attacks that cost 6, 7, sometimes 8 figures. You're up in arms about a security measure that would add pennies (if that) of attacker cost. Justin and his team (rightly) observe that in return for the pennies of extra effort the feature you're demanding would add, they also incur a real risk that users will feel safer leaving their accounts unlocked. As you've already acknowledged repeatedly, if they do that, it costs pennies to get all their passwords.

There are all sorts of stupid extra steps you can add to make things harder for computer-illiterate attackers to compromise your accounts. Like I said, you could also Base64-encrypt the passwords. Or ROT14 them. Or Base64 and ROT14 them. How about you turn that into a round function and write the Base64+ROT14 Feistel network? That'll surely dissuade someone, somewhere from capturing passwords.

You will no doubt be able to come up with a 4 paragraph response to this comment. In ~20 years, I've never been able to deliver a killing blow in this stupid debate.

[teaneedz]

What are considered stupid extra steps by some, others may consider to be deciding factors for using a product or not. The user experience in this case requires a fix regardless of what you may consider a penny solution value. Ownership of the UE often means choosing penny solutions along the way.

[interpol_p]

You have completely missed the point. This issue does not relate malicious attacks. It is about the intent required for a friend or co-worker to breach your trust.

Chrome lowers the barrier and makes access casual where other systems require a stronger level of intent. That's the problem. I have no idea why you are defending this behaviour.

[tptacek]

So again: they should display an FBI warning, just like they do on DVD movies.

[Arzh]

Because no matter what, you can just go to the website and be logged in automatically. Once you let someone else use your computer you are no longer secure. This is why if you have multiple people using the same computer, you set it up to have multiple users. Once they are using YOUR instance of chrome it doesn't matter, they have everything.

[interpol_p]

There's a significant difference in the intent required between browsing someone's password settings and actually attacking their computer. This is important.

I'm not discussing malicious attackers, I'm not even discussing someone who is out to get your password. Chrome makes it possible, in seconds, for someone to reveal your passwords as a crime of opportunity.

[Amadou]

It is far more likely I am using your machine with you, and then you walk out for 20 seconds to get a glass of water.

You are presuming a specific environment and an attack specific to that environment.

At first glance, it may look like adding the extra complexity of a password through the obvious user-interface path improves security. But that assumes there are no costs. In this case the cost is a false sense of security - such that all other attack vectors are still just as open and now the user is less aware of them.

The user would be better off having the 'vulnerability' rubbed in their face so that they would learn to take measures like locking the screen whenever they walk away. That way when someone gets physical access for 5 minutes instead of 20 seconds, the passwords are still just as safe.

[interpol_p]

If Chrome was concerned about your sense of security it would inform you that all your saved passwords are clearly readable in plaintext at chrome://settings/passwords. It would do this each time it saved a password. It does not do this because you would be less likely to trust Chrome with your passwords if it did that.

So Chrome wants you to feel secure and give you convenience. Either it makes some attempt to prevent casual password access or it informs you that your passwords are casually available. It can't have it both ways.

I agree that the user would be better off having the vulnerability rubbed in their face but Chrome does not do that.

Edit: You also need to take into account intent and the emotion of the user accessing the passwords. The system currently implemented in Chrome makes it easy to peek at someone's passwords without malicious intent. If you simply had to overcome some hurdles it would make most people stop and think about what they are doing because it is a breach of trust. We're not talking about stopping determined attackers.

Edit 2: Also, I presume that specific environment because it is the environment I work and live in every day. We bring our personal laptops to work, we debug code on each others' machines, and we occasionally step out of the room. Sometimes at home I take a friend's laptop to look something up, sometimes I lend mine. I think these are common scenarios for computer users (though admittedly I have no evidence for this).

[rmc]

It would do this each time it saved a password.

And that's the logic behind Clippy. "It looks like you're saving a password? Did you know that if you to chome://indecipherable/arcane/nonsnese/ all your passwords are visible? Click [OK] to agree"

What do you think about the recent EU/UK cookie law? You're basically suggesting that for password.

[danielweber]

I've talked to my less-technical relatives who use browsers, and they've all known that saving passwords means that someone who gets access to their computer means they get access to their accounts and/or passwords.

Not everything is black magic and dark arts.

[interpol_p]

I showed two developer friends at work today the ease at which I could recover their Chrome passwords. They were both surprised that they were clearly visible on the settings page.

Both have since stopped storing passwords in Chrome.

Both developers expected their Keychain password to be needed before unmasking their stored passwords. It shocked them that this was not the case.

A better fix for this would be to require the Keychain password before showing all passwords. There is no harm in doing this.

[voyou]

When you save your passwords in Chrome, it tells you that it's saving your passwords. If you don't think that that implies that the passwords will be retrievable at a later date, I don't think you understand what the word "save" means.

[interpol_p]

Safari also tells me it is saving my passwords. Yet to explicitly unmask my passwords from the settings screen at a later date it requires my Keychain password.

They both use the word "save" to denote this functionality.

I don't think you understand why this difference in behaviour is important.

[wglb]

So do you expect the browser to prompt you for the master password each time it is about to autofill credentials on a web page?

[Amadou]

If Chrome was concerned about your sense of security it would inform you that all your saved passwords are clearly readable in plaintext

I completely agree with that, I think that would be a much more useful fix.

[interpol_p]

To rmc:

> And that's the logic behind Clippy.

No, it absolutely is not. Chrome already asks and informs you that it is saving your password. It asks each time it saves a password. It already does this. It would simply be an additional line of information in a step that you already have to confirm by clicking "Ok".

[dragonwriter]

Every additional "line of information" in a pop-up notice reduces the probability that any of it will be read.

[interpol_p]

Right. So the better option is to secure passwords slightly by default. I suggested the additional information for those that feel that securing passwords is "lulling users into a false sense of security".

Either you make some attempt to secure the passwords, or you let your users know that they are readable in plaintext. Don't do neither, like Chrome is doing.

[Hello71]

    javascript:var a=document.querySelectorAll("input[type='password']");for(var i=a.length-1;i>=0;i--){a[i].type="text"}void 0

[interpol_p]

You will have to do that for each site you want passwords for, after they have been autofilled (whereas Chrome gives you a convenient list of all saved passwords). It is also a far more technical method than most people are comfortable with. Slower and more difficult, thus less likely to happen casually.

There is also a significant difference in feeling between the two methods. Your suggestion requires far more intent than visiting the settings page. This is important.

We are not talking about defending yourself from a malicious attacker, we are talking about the moments when you pass your computer to a friend so they can look something up. They can now look up your passwords conveniently and without feeling too bad about it.

[carlosrg]

Exactly. Comparing that javascript with the Chrome situation is just ridiculous. It seems people here are too narrow-minded to understand that even my mother could get a list of all the passwords stored in a computer in 10 seconds.

[tptacek]

"Even my mother"? So what? Both Firefox and Chrome are, when left on an unlocked user account, completely exposed to the scariest classes of attackers. But Firefox has taken a cosmetic step to minimize its exposure to the least scary class of attackers. Why bother?

[astalwick]

Because the 'least scary class of attackers' represent the vast majority of potential attackers. This feature makes it trivial for a user error (not locking your desktop) to leave your passwords immediately visible to anyone that walks by.

Yes, this is cosmetic and anyone with sufficient technical knowledge can still get the passwords without the chrome:settings page, but this feature widens the pool of capable attackers to absolutely everyone.

[rmc]

Your mother knows about chrome:// URLs? Most mundane/non-technical people I know don't know about URLs at all? My mother still types "www.facebook.com" into the Google search bar on google.com.

[tptacek]

Here are other opportunities Chrome has missed:

* An FBI warning, like they have on DVDs, explaining the penalties for stealing user passwords.

* Automatically generate word-search puzzles like on the backs of chain restaurant kids menus, so that 5 year olds will have a harder time recovering passwords.

* Since most of the "attackers" the master password would block are probably senior citizens, typeset the passwords in a 7 point font.

* Since all of the "attackers" who would be thwarted by a Chrome master password are computer illiterate, make users answer a basic computer literacy quiz before showing them the password. You should have to be able to explain the difference between a library function and a system call when you push the "reveal password" button.

Note to The Guardian: I have at least 10 more similar "major security flaws" in Chrome (I gave up some more, like the red-green colorblind attacker countermeasure, on Twitter --- but I assure you I have 10 more) that I'm willing to disclose to you, and I assure you that you'll be able to find someone else on the Internet to give you quotes for your article about how terrible it is that Chrome has those flaws.

[carlosrg]

It is a security flaw, and a big one. The only embarrassing thing here is Google's employees attempts at downplaying this.

And please explain how to bypass Safari password manager, or 1Password, or any password manager with a master password, if you believe it's only a cosmetic feature.

[mechanical_fish]

Justin Schuh had a nice capsule summary of some available techniques for compromising logins:

https://news.ycombinator.com/item?id=6166731

- dump all your session cookies

- grab your history

- install malicious extension to intercept all your browsing activity

- install OS user account level monitoring software

The last one could plausibly work, in combination with "grab a copy of the encrypted 1Password key file", to compromise all the 1Password stuff. The others essentially work around 1Password, or so I believe.

This is why there are certain passwords that I don't even store in 1Password. It's also an argument for two-factor auth.

[carlosrg]

None of these are comparable to having a full-featured, user friendly GUI to grab all your passwords accessible with a simple "chrome://settings/passwords".

[tptacek]

Why, because you feel safer if the attacker is at least required to understand how computers work? That doesn't make me feel safer at all.

[shinigami]

You bypass a password manager the same way you bypass Chrome. Just open it. If someone left the PC unlocked, there is a good chance the password manager is unlocked too.

[teaneedz]

As far as I'm used too, you have to enter a password still for a PW manager.

[shinigami]

There is a timeout. Some people configure it to lock only when you lock the workspace.

If the suggestion is to lock immediatly after you use a password, then people will complain that it's too cubersome to enter the master password everytime you need to enter a password.

[carlosrg]

Nope, that's not true. Anyway, I'm done with this discussion. Google fanboys can keep using Chrome and trying to defend this bullshit, I don't care. Personally I'm done with Chrome until they fix this.

[tptacek]

How you know it's a serious, well-thought-out, easily supportable position being argued for is that it's capped off with the accusation that people who disagree are "Google fanboys".

[cliveowen]

Amen to that.