[astalwick]

Because the 'least scary class of attackers' represent the vast majority of potential attackers. This feature makes it trivial for a user error (not locking your desktop) to leave your passwords immediately visible to anyone that walks by.

Yes, this is cosmetic and anyone with sufficient technical knowledge can still get the passwords without the chrome:settings page, but this feature widens the pool of capable attackers to absolutely everyone.

[tptacek]

If you leave your machine unlocked, you have made it trivial for someone to steal your secrets no matter what Chrome does.

[astalwick]

Degree of difficulty matters. The technical ability of the attacker matters.

With this feature, it's trivial for absolutely anyone to steal my secrets in seconds.

Without this feature, the time-to-compromise goes up, as does the technical knowledge required. The degree-of-difficulty (which, yes, is still low), goes up.

It is cosmetic, but INTERFACE MATTERS. If you don't want people doing something, don't have a feature that makes it trivially easy.

Hell, if chrome devs really aren't going to do anything at all about this, then a better solution here would be to bring the button to the FRONT of the interface. 'View All Passwords', right beside the 'back' button, navigates you to a raw txt file of websites and passwords. Then, at least, there would be no excuse, no naive assumption that chrome is doing SOMETHING to protect your passwords.

[tptacek]

Yes, degree of difficulty matters. We don't disagree on that. It's the fundamental rule of security.

What we disagree on is the specific degree in this case. You think it's significant. I know it's not. Chrome's security design is denominated in thousands of dollars. This is a penny feature, and one with potential liabilities; it could cost more than it benefits.

[astalwick]

With the feature, I can explain to my mom, my girlfriend, my sister how to steal passwords from any chrome browser. In a way that they will remember and be able to repeat tomorrow.

Without it, I can't.

That matters.

[tptacek]

I am not interested in security features that work only against my mom, and you shouldn't be interested in them either.

[astalwick]

So, but, really: I am interested, as are a lot of other people. Hence the gnashing of teeth.

I'm not thrilled by the security community's black-and-white stance that if it can't stop a defcon attendee, then it's not real security and it's not worth doing.

If my mom can be stopped, and it's simple to stop her, then I really don't get the resistance. 'False sense of security'? Yeah, that ship has already sailed. That's why the Guardian is writing articles like this - people are surprised to learn HOW trivial it is to steal passwords in chrome.

[interpol_p]

Can you please explain the potential liabilities for making Chrome work the same way Safari does when attempting to reveal passwords? (I.e., ask for the Keychain password before unmasking.)

To me this would be a great solution and would improve Chrome's user experience. I am unsure why the strong argument against this.

[interpol_p]

Leaving your machine unlocked for 30 seconds versus 5 minutes is a big difference to some people. Chrome makes password access within the former time limit a more distinct possibility.

Having someone able to casually browse your passwords versus intending to attack your system and breach your trust to get them is a big difference.

Can you not see that Chrome lowers social and emotional barriers to password access by presenting them in this form? That is the concern here.