[Amadou]

It is far more likely I am using your machine with you, and then you walk out for 20 seconds to get a glass of water.

You are presuming a specific environment and an attack specific to that environment.

At first glance, it may look like adding the extra complexity of a password through the obvious user-interface path improves security. But that assumes there are no costs. In this case the cost is a false sense of security - such that all other attack vectors are still just as open and now the user is less aware of them.

The user would be better off having the 'vulnerability' rubbed in their face so that they would learn to take measures like locking the screen whenever they walk away. That way when someone gets physical access for 5 minutes instead of 20 seconds, the passwords are still just as safe.

[interpol_p]

If Chrome was concerned about your sense of security it would inform you that all your saved passwords are clearly readable in plaintext at chrome://settings/passwords. It would do this each time it saved a password. It does not do this because you would be less likely to trust Chrome with your passwords if it did that.

So Chrome wants you to feel secure and give you convenience. Either it makes some attempt to prevent casual password access or it informs you that your passwords are casually available. It can't have it both ways.

I agree that the user would be better off having the vulnerability rubbed in their face but Chrome does not do that.

Edit: You also need to take into account intent and the emotion of the user accessing the passwords. The system currently implemented in Chrome makes it easy to peek at someone's passwords without malicious intent. If you simply had to overcome some hurdles it would make most people stop and think about what they are doing because it is a breach of trust. We're not talking about stopping determined attackers.

Edit 2: Also, I presume that specific environment because it is the environment I work and live in every day. We bring our personal laptops to work, we debug code on each others' machines, and we occasionally step out of the room. Sometimes at home I take a friend's laptop to look something up, sometimes I lend mine. I think these are common scenarios for computer users (though admittedly I have no evidence for this).

[rmc]

It would do this each time it saved a password.

And that's the logic behind Clippy. "It looks like you're saving a password? Did you know that if you to chome://indecipherable/arcane/nonsnese/ all your passwords are visible? Click [OK] to agree"

What do you think about the recent EU/UK cookie law? You're basically suggesting that for password.

[danielweber]

I've talked to my less-technical relatives who use browsers, and they've all known that saving passwords means that someone who gets access to their computer means they get access to their accounts and/or passwords.

Not everything is black magic and dark arts.

[interpol_p]

I showed two developer friends at work today the ease at which I could recover their Chrome passwords. They were both surprised that they were clearly visible on the settings page.

Both have since stopped storing passwords in Chrome.

Both developers expected their Keychain password to be needed before unmasking their stored passwords. It shocked them that this was not the case.

A better fix for this would be to require the Keychain password before showing all passwords. There is no harm in doing this.

[voyou]

When you save your passwords in Chrome, it tells you that it's saving your passwords. If you don't think that that implies that the passwords will be retrievable at a later date, I don't think you understand what the word "save" means.

[interpol_p]

Safari also tells me it is saving my passwords. Yet to explicitly unmask my passwords from the settings screen at a later date it requires my Keychain password.

They both use the word "save" to denote this functionality.

I don't think you understand why this difference in behaviour is important.

[wglb]

So do you expect the browser to prompt you for the master password each time it is about to autofill credentials on a web page?

[interpol_p]

No, and that is because there is a significant difference between a user unmasking the password through DOM manipulation and browsing a settings page. Please realise that the former behaviour requires more malicious intent.

I expect some level of security to stop people browsing my passwords casually, which Chrome allows in its current design.

I am not talking about fending off determined attackers, I am talking about levels of trust that you place in friends and coworkers. Chrome lowers the barrier-to-access by design.

The simple fact is: there are people I would trust using my computer who would never actively try to circumvent my security to read my passwords, but I would not trust them not to take a peek at my Chrome settings page passwords.

[Amadou]

If Chrome was concerned about your sense of security it would inform you that all your saved passwords are clearly readable in plaintext

I completely agree with that, I think that would be a much more useful fix.

[interpol_p]

To rmc:

> And that's the logic behind Clippy.

No, it absolutely is not. Chrome already asks and informs you that it is saving your password. It asks each time it saves a password. It already does this. It would simply be an additional line of information in a step that you already have to confirm by clicking "Ok".

[dragonwriter]

Every additional "line of information" in a pop-up notice reduces the probability that any of it will be read.

[interpol_p]

Right. So the better option is to secure passwords slightly by default. I suggested the additional information for those that feel that securing passwords is "lulling users into a false sense of security".

Either you make some attempt to secure the passwords, or you let your users know that they are readable in plaintext. Don't do neither, like Chrome is doing.