[tptacek]

It does not work. It is a cosmetic security feature. If you don't log out, the next unauthorized user owns your account. You obviously know that. You're talking about a security feature based entirely off the incompetence of attackers. Why not also recommend that Chrome "Base64 encrypt" passwords? That will stop approximately the same set of attackers as the lack of a master password feature will.

[interpol_p]

It does work.

Security is about far more than preventing determined, malicious attackers. It is also about being able to use your computer in a work or family environment with a reasonable expectation that your privacy will be maintained without explicit effort on your part.

You call them "attackers" but that is not who we are discussing. We are talking about people being able to casually browse your saved passwords, perhaps without even the intent to attack (maybe they just want to see what your passwords are).

Nor is this about the "incompetence of attackers." As soon as you add an extra step — such as requiring a master password to show a particular instance of a saved password — you increase the breach of trust required for a friend to violate your privacy. And it's not simply whether you trust someone or you don't, there are levels of trust between friends.

I have some friends that I would trust not to attempt to defeat my security, but I would not trust them not to casually browse my passwords. In this instance I would be safe with Safari but not with Chrome. See the difference? Chrome could easily implement Safari's solution for this and be better for it. Why defend the inferior design?

[tptacek]

I'm sorry, but I feel like I've had this pointless, silly debate my whole career, starting with comp.security.unix, continuing through my brief time working with OpenBSD and 90's Bugtraq, and through about a decade of helping startups with software security, and I've lost a lot of my patience for it.

Security is measured in dollars; it is about the cost you confront your adversary with. Chrome has sunk many millions of dollars into blunting attacks that cost 6, 7, sometimes 8 figures. You're up in arms about a security measure that would add pennies (if that) of attacker cost. Justin and his team (rightly) observe that in return for the pennies of extra effort the feature you're demanding would add, they also incur a real risk that users will feel safer leaving their accounts unlocked. As you've already acknowledged repeatedly, if they do that, it costs pennies to get all their passwords.

There are all sorts of stupid extra steps you can add to make things harder for computer-illiterate attackers to compromise your accounts. Like I said, you could also Base64-encrypt the passwords. Or ROT14 them. Or Base64 and ROT14 them. How about you turn that into a round function and write the Base64+ROT14 Feistel network? That'll surely dissuade someone, somewhere from capturing passwords.

You will no doubt be able to come up with a 4 paragraph response to this comment. In ~20 years, I've never been able to deliver a killing blow in this stupid debate.

[teaneedz]

What are considered stupid extra steps by some, others may consider to be deciding factors for using a product or not. The user experience in this case requires a fix regardless of what you may consider a penny solution value. Ownership of the UE often means choosing penny solutions along the way.

[interpol_p]

You have completely missed the point. This issue does not relate malicious attacks. It is about the intent required for a friend or co-worker to breach your trust.

Chrome lowers the barrier and makes access casual where other systems require a stronger level of intent. That's the problem. I have no idea why you are defending this behaviour.

[tptacek]

So again: they should display an FBI warning, just like they do on DVD movies.

[interpol_p]

Securing the password page is not remotely similar to an FBI warning on a DVD.

One requires a bit of manual effort and thought to get over for the casual user, the other becomes ignored by the casual user.

[Arzh]

Because no matter what, you can just go to the website and be logged in automatically. Once you let someone else use your computer you are no longer secure. This is why if you have multiple people using the same computer, you set it up to have multiple users. Once they are using YOUR instance of chrome it doesn't matter, they have everything.

[interpol_p]

There's a significant difference in the intent required between browsing someone's password settings and actually attacking their computer. This is important.

I'm not discussing malicious attackers, I'm not even discussing someone who is out to get your password. Chrome makes it possible, in seconds, for someone to reveal your passwords as a crime of opportunity.