[carlosrg]

It is a security flaw, and a big one. The only embarrassing thing here is Google's employees attempts at downplaying this.

And please explain how to bypass Safari password manager, or 1Password, or any password manager with a master password, if you believe it's only a cosmetic feature.

[mechanical_fish]

Justin Schuh had a nice capsule summary of some available techniques for compromising logins:

https://news.ycombinator.com/item?id=6166731

- dump all your session cookies

- grab your history

- install malicious extension to intercept all your browsing activity

- install OS user account level monitoring software

The last one could plausibly work, in combination with "grab a copy of the encrypted 1Password key file", to compromise all the 1Password stuff. The others essentially work around 1Password, or so I believe.

This is why there are certain passwords that I don't even store in 1Password. It's also an argument for two-factor auth.

[carlosrg]

None of these are comparable to having a full-featured, user friendly GUI to grab all your passwords accessible with a simple "chrome://settings/passwords".

[tptacek]

Why, because you feel safer if the attacker is at least required to understand how computers work? That doesn't make me feel safer at all.

[shinigami]

You bypass a password manager the same way you bypass Chrome. Just open it. If someone left the PC unlocked, there is a good chance the password manager is unlocked too.

[teaneedz]

As far as I'm used too, you have to enter a password still for a PW manager.

[shinigami]

There is a timeout. Some people configure it to lock only when you lock the workspace.

If the suggestion is to lock immediatly after you use a password, then people will complain that it's too cubersome to enter the master password everytime you need to enter a password.

[carlosrg]

Nope, that's not true. Anyway, I'm done with this discussion. Google fanboys can keep using Chrome and trying to defend this bullshit, I don't care. Personally I'm done with Chrome until they fix this.

[tptacek]

How you know it's a serious, well-thought-out, easily supportable position being argued for is that it's capped off with the accusation that people who disagree are "Google fanboys".