Storing Passwords in Chrome Leaves Users Vulnerable, Google Says it's Not Going to Change

One of the worst things about Web security - and perhaps security in general - is that many people don't pay any attention to it. When Chrome, or another Web browser, asks you to store a password, do you happen to think about how it's stored, or how vulnerable it may leave you?

A number of years ago, when I was perusing Firefox's settings, I discovered that I could merely click "Show Passwords" to have it show every single one of the passwords I stored with the browser in plaintext. Clearly, that's a bit of a security risk. It means if someone sat down at my PC, either a family member or friend (or cat; can never trust those), they'd be able to gain access to every single password I had stored - and I had many. To make things far more secure, I created a master password, which means my group of passwords could no longer be seen without it.

Password security in Chrome

As it turns out, and as blogger Elliott Kember has noted, Chrome's mechanics are almost identical to Firefox's, except there's no option to create a master password. This means, quite simply, that if you store your passwords inside of Chrome, they can be accessed by anyone who gains access to the browser. The solution? To find another one.

The biggest problem with all of this is that Chrome (and Firefox, to my recollection) don't make it obvious to the user that their passwords are stored in plaintext, and as Elliott perfectly states, "Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click 'show' on a few of the rows. See what they have to say. I bet you it won’t be 'That’s how password management works'."

Password security in Firefox

A little upsettingly, Information Security Engineer and Tech Lead at Google, Justin Schuh, posted at Hacker News that nothing was going to be changing. He states, "I appreciate how this appears to a novice, but we've literally spent years evaluating it and have quite a bit of data to inform our position. And while you're certainly well intentioned, what you're proposing is that that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior. That's just not how we approach security on Chrome."

Sheesh. In effect, Chrome is fine for being insecure in this most obvious way, and nothing apparently will change. At worst, Google and others could present the user an option of creating a master password at first start. That way, if they don't, they'll at least be aware of the fact that their passwords are exposed. This move seems common sense - at least to me.

What I'd recommend to any user is to go with another solution - don't settle for storing the passwords inside of any browser. I've come to love LastPass, which stores all of your passwords in the cloud behind strong encryption and a password - no one will be able to access your passwords easily there.