Google is getting railed against for exposing plain-text passwords with just a few clicks in its Chrome browser – a security oddity that isn’t new, but which the company hasn’t bothered to explain in any great detail, shrugging off the suggestion that it’s a security hole.
Elliott Kember, a developer at design and development studio Riot, first pointed out what he considers to be Chrome’s lax security in a blog post on Tuesday.
The feature in question is found in Chrome when a user selects Settings | Show advanced settings | Passwords and forms | Manage saved passwords.
At that point, Chrome lists saved passwords, with a highlighted “Show” button that renders a given password in plain text when selected.
“There’s no master password, no security, not even a prompt that ‘these passwords are visible’,” Kember wrote.
When he selected Chrome’s “Import bookmarks now” command, he was presented with a checklist of items to import. The third choice in the list, “Saved passwords,” was mandatory, being both checked off but greyed out.
Why have a checkbox at all, Kember mused, when it represents only the illusion of choice?
It was then that he went on to check out Chrome’s password settings and discovered that, unless he locks his screen while he’s away, anybody who sits at his computer can easily see his passwords.
Those technical-minded people to whom he’s brought up the issue have been, apparently, rather dismissive, telling him that this is simply how password management works, that he should really just be using a password manager such as 1Password, and that any computer is insecure as soon as somebody gains physical access to it.
Maybe so, Kember says, but Google’s still being clear as mud about how its security works, and the typical user just doesn’t expect passwords to be so easy to get at:
"In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority.
"They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay."
Google doesn’t seem inclined to take his criticism to heart.
Justin Schuh, head of Chrome security, weighed in on Kember’s blog post, saying that things are exactly the way Google intends them to be, and whatever Kember’s suggesting doesn’t jibe with the Google way:
"I appreciate how this appears to a novice, but we've literally spent years evaluating it and have quite a bit of data to inform our position.
"And while you're certainly well intentioned, what you're proposing is that that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior. That's just not how we approach security on Chrome."
In the Hacker News thread where Schuh’s feedback is posted, people are arguing over whether Chrome is, in fact, unique among browsers in its easy accessibility to plain-text passwords.
You can get to plain-text passwords in Firefox, for example, by going to Preferences | Security | Saved passwords.
The difference being, however, that Firefox enables users to set a master password before anybody can get at that plain text list.
That’s a big “if,” though. How many users are aware of the master-password option, and how many actually set it up?
In the end, this sounds more like a gap in perspective between the technically literate and the masses than it does a security bug.
But that doesn’t mean we should tolerate Google’s dismissiveness toward the suggestion that it should more clearly communicate exactly what’s going on with security in its products.
As Sophos’ Maxim Weinstein noted on Dark Reading in late July, and as Brian Krebs wrote about in mid-July, Chrome has gained a reputation for offering protection from web exploits, as criminals have all but given up on attacking its users.
That’s a good thing. But Google doesn’t always get security right – far from it. There have, after all, been holes recently poked in Google’s security reputation.
In July, researchers exposed a gaping hole in code verification on Android due to poor coding.
One week later, well, it was déjà vu all over again.
Chinese researchers found another bug with the same side-effect – a signed-unsigned integer mismatch that once again left a gaping hole in code verification.
Now, ironically enough, we have this plain-text password security issue – not a bug, mind you, but a security weakness nonetheless – that’s done purposefully, as opposed to being a result of bad coding.
Given its missteps with Android security, it just might be time for Google to re-examine its self-image as a security paragon.
Part of that re-evaluation should include listening more closely to the input from users such as Kember.
Maybe he’s a “novice” in the eyes of a Google security guru such as Schuh, but Google’s customers include plenty of people with a lot less know-how than Kember, and their needs have to be taken into account.
Out of curiosity (I never use it, preferring Chrome), I checked how I’ve got Firefox set up. Sure enough, I didn’t have the master password option selected.
OK, that’s fixed now.
Fellow humans of the nontechnical masses, the best takeaway from this kerfuffle that I have gleaned is that we should all check our browsers, given that they all likely render passwords easily readable in various ways.
Are you allowing Google to store your passwords? I stopped a while back, preferring to leave passwords up to the LastPass password management tool.
Now, too, I’ve got a master password set up for Firefox.
Browser and password experts, where else should we be checking for access that exposes our passwords? Your input in the comments section below would be welcome indeed.
And Google, if you’re interested in keeping computing as safe as possible, I would suggest that you lose the attitude when getting input from “novices”.