[anologwintermut]

True, chrome circumvents safari's password security by merely querying the keychain without prompting for a password. What stops anything(or anyone) else from doing it? Absolutely nothing.

You've fallen into exactly the trap they wanted to avoid. You assumed Safari's password security mechanism was more secure than it is. If chrome can access it without a password prompt, I can too. In fact, there's probably some nice apple script one liner to do it.

[paxdickinson]

There are skeleton keys and lockpicks to open any lock on any door, so am I giving myself a false sense of security by locking my door when I leave for work?

Sometimes just having basic security that keeps a casual attempt from opening my door / accessing my password from succeeding is enough.

[dmd]

When you locked your door when you left for work, did you leave the key taped to the door in an unsealed envelope labeled "keys"?

[interpol_p]

And you have completely missed the point here.

It requires a stronger level of intent for someone to dump my Keychain passwords than it does for someone to browse my Chrome passwords.

This concerns me. I have friends that I would not trust around my computer now because I know that going to chrome://settings/passwords is too tempting for them. But I trust them not to maliciously or actively attempt to subvert the security on my computer.

[hellerbarde]

And you missed the point also. Lock your computer when you're not at it. Like any responsible user. Problem solved.

It's not hard to understand where the boundaries are. Also, it's actually up to Apple to fix the broken thing, not Chrome. There should be a settings in the preferences of the keychain to require a password even if it's been unlocked before (or however that works. I don't Mac)

[interpol_p]

Three points:

1. I do not lock my computer when my friend comes along to debug code on it. I do not lock my computer when I pass it to a friend at home so he can look something up. With Safari's password storage, I have a reasonable expectation that my passwords will not be viewed in the 30 seconds or so that I let people use my computer.

2. Keychain is not broken. Safari requires your Keychain password every time you wish to unmask a password. Chrome could easily do this too.

3. Chrome lowers the barrier-to-access for passwords. It reduces the amount of intent required. I would feel less bad going up to a friend's computer and browsing their Chrome passwords than, say, allowing Chrome to auto-fill a password on their computer and running a script to modify the DOM elements to reveal it. The latter is a more serious breach of trust, implies stronger malicious intent, and is more traceable.

Chrome would be better if it implemented this. I have yet to hear how this will make Chrome worse in any way. Why do you not want Chrome to be better?