by interpol_p 4695 days ago
I am unsure why Chrome does not ask for the master password when the user attempts to reveal the plaintext for a password. Safari does this and it works.

This is a big deal because it makes reading passwords easy to do in seconds, and easy to do inconspicuously.

If you were to modify the DOM to unmask passwords it would take longer, and it's not something you can do while a co-worker or friend lends you their laptop for a minute. This flaw presents additional opportunity to anyone who wants to read another person's passwords.

It is not merely "cosmetic." It actually presents a real problem for anyone who does not log out of their account every time someone else uses their computer. Sure, this is probably best practice — but it is also insulting, inconvenient and an unrealistic expectation.

If I have unrestricted access to your machine, your passwords are compromised. Fine. But this is not a common or realistic scenario. It is far more likely I am using your machine with you, and then you walk out for 20 seconds to get a glass of water.

3 comments

It does not work. It is a cosmetic security feature. If you don't log out, the next unauthorized user owns your account. You obviously know that. You're talking about a security feature based entirely off the incompetence of attackers. Why not also recommend that Chrome "Base64 encrypt" passwords? That will stop approximately the same set of attackers as the lack of a master password feature will.
It does work.

Security is about far more than preventing determined, malicious attackers. It is also about being able to use your computer in a work or family environment with a reasonable expectation that your privacy will be maintained without explicit effort on your part.

You call them "attackers" but that is not who we are discussing. We are talking about people being able to casually browse your saved passwords, perhaps without even the intent to attack (maybe they just want to see what your passwords are).

Nor is this about the "incompetence of attackers." As soon as you add an extra step — such as requiring a master password to show a particular instance of a saved password — you increase the breach of trust required for a friend to violate your privacy. And it's not simply whether you trust someone or you don't, there are levels of trust between friends.

I have some friends that I would trust not to attempt to defeat my security, but I would not trust them not to casually browse my passwords. In this instance I would be safe with Safari but not with Chrome. See the difference? Chrome could easily implement Safari's solution for this and be better for it. Why defend the inferior design?

I'm sorry, but I feel like I've had this pointless, silly debate my whole career, starting with comp.security.unix, continuing through my brief time working with OpenBSD and 90's Bugtraq, and through about a decade of helping startups with software security, and I've lost a lot of my patience for it.

Security is measured in dollars; it is about the cost you confront your adversary with. Chrome has sunk many millions of dollars into blunting attacks that cost 6, 7, sometimes 8 figures. You're up in arms about a security measure that would add pennies (if that) of attacker cost. Justin and his team (rightly) observe that in return for the pennies of extra effort the feature you're demanding would add, they also incur a real risk that users will feel safer leaving their accounts unlocked. As you've already acknowledged repeatedly, if they do that, it costs pennies to get all their passwords.

There are all sorts of stupid extra steps you can add to make things harder for computer-illiterate attackers to compromise your accounts. Like I said, you could also Base64-encrypt the passwords. Or ROT14 them. Or Base64 and ROT14 them. How about you turn that into a round function and write the Base64+ROT14 Feistel network? That'll surely dissuade someone, somewhere from capturing passwords.

You will no doubt be able to come up with a 4 paragraph response to this comment. In ~20 years, I've never been able to deliver a killing blow in this stupid debate.

What are considered stupid extra steps by some, others may consider to be deciding factors for using a product or not. The user experience in this case requires a fix regardless of what you may consider a penny solution value. Ownership of the UE often means choosing penny solutions along the way.
You have completely missed the point. This issue does not relate to malicious attacks. It is about the intent required for a friend or co-worker to breach your trust.

Chrome lowers the barrier and makes access casual where other systems require a stronger level of intent. That's the problem. I have no idea why you are defending this behaviour.

So again: they should display an FBI warning, just like they do on DVD movies.
Securing the password page is not remotely similar to an FBI warning on a DVD.

One requires a bit of manual effort and thought to get over for the casual user, the other becomes ignored by the casual user.

Because no matter what, you can just go to the website and be logged in automatically. Once you let someone else use your computer you are no longer secure. This is why if you have multiple people using the same computer, you set it up to have multiple users. Once they are using YOUR instance of chrome it doesn't matter, they have everything.
There's a significant difference in the intent required between browsing someone's password settings and actually attacking their computer. This is important.

I'm not discussing malicious attackers, I'm not even discussing someone who is out to get your password. Chrome makes it possible, in seconds, for someone to reveal your passwords as a crime of opportunity.

> It is far more likely I am using your machine with you, and then you walk out for 20 seconds to get a glass of water.

You are presuming a specific environment and an attack specific to that environment.

At first glance, it may look like adding the extra complexity of a password through the obvious user-interface path improves security. But that assumes there are no costs. In this case the cost is a false sense of security - such that all other attack vectors are still just as open and now the user is less aware of them.

The user would be better off having the 'vulnerability' rubbed in their face so that they would learn to take measures like locking the screen whenever they walk away. That way when someone gets physical access for 5 minutes instead of 20 seconds, the passwords are still just as safe.

If Chrome was concerned about your sense of security it would inform you that all your saved passwords are clearly readable in plaintext at chrome://settings/passwords. It would do this each time it saved a password. It does not do this because you would be less likely to trust Chrome with your passwords if it did that.

So Chrome wants you to feel secure and give you convenience. Either it makes some attempt to prevent casual password access or it informs you that your passwords are casually available. It can't have it both ways.

I agree that the user would be better off having the vulnerability rubbed in their face but Chrome does not do that.

Edit: You also need to take into account intent and the emotion of the user accessing the passwords. The system currently implemented in Chrome makes it easy to peek at someone's passwords without malicious intent. If you simply had to overcome some hurdles it would make most people stop and think about what they are doing because it is a breach of trust. We're not talking about stopping determined attackers.

Edit 2: Also, I presume that specific environment because it is the environment I work and live in every day. We bring our personal laptops to work, we debug code on each other's machines, and we occasionally step out of the room. Sometimes at home I take a friend's laptop to look something up, sometimes I lend mine. I think these are common scenarios for computer users (though admittedly I have no evidence for this).

> It would do this each time it saved a password.

And that's the logic behind Clippy. "It looks like you're saving a password? Did you know that if you go to chome://indecipherable/arcane/nonsnese/ all your passwords are visible? Click [OK] to agree"

What do you think about the recent EU/UK cookie law? You're basically suggesting that for password.

I've talked to my less-technical relatives who use browsers, and they've all known that saving passwords means that someone who gets access to their computer means they get access to their accounts and/or passwords.

Not everything is black magic and dark arts.

I showed two developer friends at work today the ease with which I could recover their Chrome passwords. They were both surprised that they were clearly visible on the settings page.

Both have since stopped storing passwords in Chrome.

Both developers expected their Keychain password to be needed before unmasking their stored passwords. It shocked them that this was not the case.

A better fix for this would be to require the Keychain password before showing all passwords. There is no harm in doing this.

When you save your passwords in Chrome, it tells you that it's saving your passwords. If you don't think that that implies that the passwords will be retrievable at a later date, I don't think you understand what the word "save" means.
Safari also tells me it is saving my passwords. Yet to explicitly unmask my passwords from the settings screen at a later date it requires my Keychain password.

They both use the word "save" to denote this functionality.

I don't think you understand why this difference in behaviour is important.

So do you expect the browser to prompt you for the master password each time it is about to autofill credentials on a web page?
No, and that is because there is a significant difference between a user unmasking the password through DOM manipulation and browsing a settings page. Please realise that the former behaviour requires more malicious intent.

I expect some level of security to stop people browsing my passwords casually, which Chrome allows in its current design.

I am not talking about fending off determined attackers, I am talking about levels of trust that you place in friends and coworkers. Chrome lowers the barrier-to-access by design.

The simple fact is: there are people I would trust using my computer who would never actively try to circumvent my security to read my passwords, but I would not trust them not to take a peek at my Chrome settings page passwords.

> If Chrome was concerned about your sense of security it would inform you that all your saved passwords are clearly readable in plaintext

I completely agree with that, I think that would be a much more useful fix.

To rmc:

> And that's the logic behind Clippy.

No, it absolutely is not. Chrome already asks and informs you that it is saving your password. It asks each time it saves a password. It already does this. It would simply be an additional line of information in a step that you already have to confirm by clicking "Ok".

Every additional "line of information" in a pop-up notice reduces the probability that any of it will be read.
Right. So the better option is to secure passwords slightly by default. I suggested the additional information for those that feel that securing passwords is "lulling users into a false sense of security".

Either you make some attempt to secure the passwords, or you let your users know that they are readable in plaintext. Don't do neither, like Chrome is doing.

    javascript:var a=document.querySelectorAll("input[type='password']");for(var i=a.length-1;i>=0;i--){a[i].type="text"}void 0
You will have to do that for each site you want passwords for, after they have been autofilled (whereas Chrome gives you a convenient list of all saved passwords). It is also a far more technical method than most people are comfortable with. Slower and more difficult, thus less likely to happen casually.

There is also a significant difference in feeling between the two methods. Your suggestion requires far more intent than visiting the settings page. This is important.

We are not talking about defending yourself from a malicious attacker, we are talking about the moments when you pass your computer to a friend so they can look something up. They can now look up your passwords conveniently and without feeling too bad about it.

Exactly. Comparing that javascript with the Chrome situation is just ridiculous. It seems people here are too narrow-minded to understand that even my mother could get a list of all the passwords stored in a computer in 10 seconds.
"Even my mother"? So what? Both Firefox and Chrome are, when left on an unlocked user account, completely exposed to the scariest classes of attackers. But Firefox has taken a cosmetic step to minimize its exposure to the least scary class of attackers. Why bother?
Because the 'least scary class of attackers' represent the vast majority of potential attackers. This feature makes it trivial for a user error (not locking your desktop) to leave your passwords immediately visible to anyone that walks by.

Yes, this is cosmetic and anyone with sufficient technical knowledge can still get the passwords without the chrome:settings page, but this feature widens the pool of capable attackers to absolutely everyone.

If you leave your machine unlocked, you have made it trivial for someone to steal your secrets no matter what Chrome does.
Your mother knows about chrome:// URLs? Most mundane/non-technical people I know don't know about URLs at all? My mother still types "www.facebook.com" into the Google search bar on google.com.