Internet realizes Chrome doesn't keep passwords secure, should also realize we have apps for that!


The internet is in a tizzy today because reporters realized Chrome on the desktop doesn't securely store passwords, and they realized most people probably don't realize that either. What this means is that anyone who has physical access to your Mac or Windows PC, and knows where to look, can see your logins in plain text. For those familiar with Chrome's security model, that's nothing new. The same thing was true last week, last month, and last year. It's a reflection of Google's philosophy, which is different from Apple's (Safari requires a login to show passwords). The reason for the recent internet angst is Elliot Kember:

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market - the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.

Google's Chrome security lead defended the practice thusly on Hacker News:

The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.

Regardless of which side of the argument you happen to agree with, let the discussion inform you, and most importantly, if you aren't already, let it be one more thing that convinces you to start using a password manager app.

I don't store any passwords in Chrome. Or in Safari. (I stopped using Firefox and IE years ago, but I didn't store any passwords in them either.) I keep it all in my password manager. Even when iCloud Keychain launches as part of iOS 7 this fall, I'll probably avoid it entirely and stick to my password manager. When it comes to keeping stuff safe, I'd rather stick to something that only has that one job, than something that's trying to do and balance a lot of stuff at once.

Personally, I'd prefer Google secure the passwords as well, just in case. Even if I don't have a lock on my bedroom door, even a sheet of paper will prevent people seeing me in all my naked glory. Propriety has its power. It's not like Google throws up a big "WARNING: Your passwords aren't secure!" dialog the first time you save one, putting their image where their philosophy is anyway. (You can read more about it in Nick Arnott's article on Peeking inside app bundles.)

Either way, get a password manager, and enjoy the extra bonus of not having to worry about internet angst when these things keep getting rediscovered. Once you've done that, come back here and let me know what you think: Should Google and Chrome be doing more to keep your passwords safe, or is it really a false sense of security?

Source: Elliot Kember, Hacker News


Rene Ritchie

EiC of iMore, EP of Mobile Nations, Apple analyst, co-host of Debug, Iterate, Vector, Review, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.


Reader comments



Storm in a teacup. If someone has physical access to your unlocked device your security is already compromised. Hoping that a malicious person on your device is more likely to look for saved passwords than install a key logger or other malware is a fool's game.

I'm not dismissing the utility of a password manager -- or implying it doesn't enhance a person's online security. I'm simply saying Google's Chrome security lead is pretty spot on and the internet is blowing this out of proportion.

That's like saying since they can get in with a virus or other means, let's just make it EASY for them. Open the door some... yeah... no reason to make it more difficult!

Very naive. Next time, just walk to the doors around your house; don't just not lock them, open them and put a sign in your front yard that says, "No worries here, I trust you all!"

Then at the front door, a sign "Do not enter"

Then just inside, another sign, "No, really, do not enter!"

Hackers look for the easy get. If they KNOW Chrome doesn't secure it, they will focus their efforts on it. Now, once they get in, they can just easy as pie read the text files with your passwords. BRILLIANT!

Your analogy is completely broken. What I'm saying is if a thief is already in your home (physical access and past your door locks) then you've been breached. Sure. Maybe you put your wife's jewelry in a safe (passwords in a password manager). The thief is just going to take the next most valuable thing.

Hit up the source link. Even the whistleblower agrees:
"Any time I try to draw attention to this, I get the usual responses from technical people:
* Just use 1Pass
* The computer is already insecure as soon as you have physical access
* That's just how password management works
While all of these points are valid, this doesn't address the real problem: Google isn't clear about its password security."

All these points are valid. Huh. This guy must leave all his doors unlocked and post signs too. /s

Wow! Just wow! You go the extra mile defending Google although you and I know this is a major problem!

I'm not sure what your point is with this article. You seem to be saying that it's a tempest in a teapot situation, yet you agree (and it's common sense to do so), that storing your passwords in an insecure manner is a bad idea.

Personally, I've always used keychain as it's built into the OS, highly secure, and does everything that a password manager does anyway. It also stores lots of things for you automatically, so even if you are not using it, you *are* actually using it if you are using a Mac at all. So it kind of behooves a user to be aware of how it works anyway.

On the other hand, if you are that kind of user that doesn't put a password on your user account on the Mac, you are going to be in almost the same situation as a Chrome user finds themselves in, because it's your user account password that unlocks your keychain.

In fact, the combination of a Mac user that isn't aware of the keychain's existence, and also has no user account password actually leaves them in a *less* secure position than this Chrome problem, because you might easily have put secure information in there without knowing, and not having a user password, it's completely open to anyone who does know and wants to look.

Rene's whole point is to address the "tizzy" that is all of a sudden coming to light, as he states in the first paragraph. Apparently a lot of people didn't already know this or have been too trusting of Chrome, IE or any other browser. I personally didn't know about this flaw, shortfall, or whatever else you want to call it. But, then again, I'm not surprised nor hurt by it because I don't trust anything to remember my passwords. Basically he is saying to the Internet, "no duh, people, but since you brought it up here is a little info on it." I would dare say that 90% of people have never even heard of a password manager or what it does.

I think Google's position is in regards to malicious intent... if someone gets your computer then encrypting the passwords in an app is not going to help. But to me that argument assumes that their encryption effort would be useless, which I think it would not, and misses the most likely scenario of unintended access: having a friend/relative/guy-fixing-the-fridge that sits down at your computer, browses Amazon or the bank link on your Favorites bar and starts snooping or worse.

Google's position seems similar to Microsoft's years ago when everyone complained about security being so bad. MS responded with a wall of irritating security pop-ups instead of addressing some of the fundamental causes that they had control over. Yes, most users are not security minded and are to blame... "password" is not a reliable password. Yes, most systems can be compromised if you have the time, resources and access. But to not try seems... dumb or arrogant or both.

I've had a LastPass account for quite a while now, but I've only started to fully utilize it the last two years, along with Xmarks owned by the same company. The best part is being able to access all your stuff, including billing info, from the site; that's saved me so many headaches. I still let IE on Windows 8 remember my stuff since there is no way for IE Metro to pull data from the app.