by kapowaz 4694 days ago
I wholeheartedly disagree with several of the points you make here, and I think you're more or less ‘passing the buck’ on something which is most definitely your responsibility to take good care with.

On OS X, once you save a password using Safari, it is added to your login keychain. In order to then see that password* you must enter your login password again, be that via Safari's preferences dialog or the Keychain Access application. What Chrome does is it uses the same mechanism of storage as Safari (and indeed, requests access to the same encrypted keychain item) but never prompts the user for the login password to authenticate. This sets up a situation where Chrome actually circumvents and makes passwords originally stored in Safari less secure than they were initially. This is your responsibility, and no amount of theoretical grandstanding about physical access to a computer changes that.

You also talk about installing malicious browser extensions as another potential vector. I agree, and I think browser makers ought to take steps to require the current user to authenticate in order to install browser extensions. When you consider that a browser extension can act as man-in-the-middle to all your browser activity, it's astonishing that this isn't already the case. You have to prove you are the logged-in user when you change your password by providing the current password, so how is this any different?

When talking about security, there will always be holes, but they will be of differing practical value or risk depending on how they are exploited. Grabbing session cookies or internet history requires a certain level of technical proficiency, as does developing a malicious browser extension; installing said extension or typing chrome://settings/password into the address bar, on the other hand, are easy enough that any kid who wants to get hold of his big sister's Facebook password can give it a go. Reducing the surface area of attack is every bit as important as ‘real’ security, here, and the stance you've set out above is that you aren't interested in that if it doesn't also provide real security. I think that's the wrong thing to do, and I urge you to reconsider.

*As people have pointed out, you can inspect the password via web inspector etc. This is another, serious security flaw and one that I think the HTML WG ought to look into.

1 comments

True, Chrome circumvents Safari's password security by merely querying the keychain without prompting for a password. What stops anything (or anyone) else from doing it? Absolutely nothing.

You've fallen into exactly the trap they wanted to avoid. You assumed Safari's password security mechanism was more secure than it is. If Chrome can access it without a password prompt, I can too. In fact, there's probably some nice AppleScript one-liner to do it.

There are skeleton keys and lockpicks to open any lock on any door, so am I giving myself a false sense of security by locking my door when I leave for work?

Sometimes just having basic security that keeps a casual attempt from opening my door / accessing my password from succeeding is enough.

When you locked your door when you left for work, did you leave the key taped to the door in an unsealed envelope labeled "keys"?
And you have completely missed the point here.

It requires a stronger level of intent for someone to dump my Keychain passwords than it does for someone to browse my Chrome passwords.

This concerns me. I have friends that I would not trust around my computer now because I know that going to chrome://settings/passwords is too tempting for them. But I trust them not to maliciously or actively attempt to subvert the security on my computer.

And you missed the point also. Lock your computer when you're not at it. Like any responsible user. Problem solved.

It's not hard to understand where the boundaries are. Also, it's actually up to Apple to fix the broken thing, not Chrome. There should be a setting in the preferences of the keychain to require a password even if it's been unlocked before (or however that works. I don't Mac)

Three points:

1. I do not lock my computer when my friend comes along to debug code on it. I do not lock my computer when I pass it to a friend at home so he can look something up. With Safari's password storage, I have a reasonable expectation that my passwords will not be viewed in the 30 seconds or so that I let people use my computer.

2. Keychain is not broken. Safari requires your Keychain password every time you wish to unmask a password. Chrome could easily do this too.

3. Chrome lowers the barrier-to-access for passwords. It reduces the amount of intent required. I would feel less bad going up to a friend's computer and browsing their Chrome passwords than, say, allowing Chrome to auto-fill a password on their computer and running a script to modify the DOM elements to reveal it. The latter is a more serious breach of trust, implies stronger malicious intent, and is more traceable.

Chrome would be better if it implemented this. I have yet to hear how this will make Chrome worse in any way. Why do you not want Chrome to be better?