[voyou]

When you save your passwords in Chrome, it tells you that it's saving your passwords. If you don't think that that implies that the passwords will be retrievable at a later date, I don't think you understand what the word "save" means.

[interpol_p]

Safari also tells me it is saving my passwords. Yet to explicitly unmask my passwords from the settings screen at a later date it requires my Keychain password.

They both use the word "save" to denote this functionality.

I don't think you understand why this difference in behaviour is important.

[wglb]

So do you expect the browser to prompt you for the master password each time it is about to autofill credentials on a web page?

[interpol_p]

No, and that is because there is a significant difference between a user unmasking the password through DOM manipulation and browsing a settings page. Please realise that the former behaviour requires more malicious intent.

I expect some level of security to stop people browsing my passwords casually, which Chrome allows in its current design.

I am not talking about fending off determined attackers, I am talking about levels of trust that you place in friends and coworkers. Chrome lowers the barrier-to-access by design.

The simple fact is: there are people I would trust using my computer who would never actively try to circumvent my security to read my passwords, but I would not trust them not to take a peek at my Chrome settings page passwords.