The internet is in a tizzy today because reporters realized Chrome on the desktop doesn't securely store passwords, and that most people probably don't realize that either. What this means is that anyone who has physical access to your Mac or Windows PC, and knows where to look, can see your logins in plain text. For those familiar with Chrome's security model, that's nothing new. The same thing was true last week, last month, and last year. It's a reflection of Google's philosophy, which is different than Apple's. (Safari requires a login to show passwords.) The reason for the recent internet angst is Elliot Kember:
In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market - the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.
Google's Chrome security lead defended the practice thusly on Hacker News:
The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.
Regardless of which side of the argument you happen to agree with, let the discussion inform you, and most importantly, if you aren't already, let it be one more thing that convinces you to start using a password manager app.
I don't store any passwords in Chrome. Or in Safari. (I stopped using Firefox and IE years ago, but I didn't store any passwords in them either.) I keep it all in my password manager. Even when iCloud Keychain launches as part of iOS 7 this fall, I'll probably avoid it entirely and stick to my password manager. When it comes to keeping stuff safe, I'd rather stick to something that only has that one job, than something that's trying to do and balance a lot of stuff at once.
Personally, I'd prefer Google secure the passwords as well, just in case. Even if I don't have a lock on my bedroom door, even a sheet of paper will prevent people seeing me in all my naked glory. Propriety has its power. It's not like Google throws up a big "WARNING: Your passwords aren't secure!" dialog the first time you save one, putting their image where their philosophy is anyway. (You can read more about it in Nick Arnott's article on Peeking inside app bundles.)
Either way, get a password manager, and enjoy the extra bonus of not having to worry about internet angst when these things keep getting rediscovered. Once you've done that, come back here and let me know what you think - Should Google and Chrome be doing more to keep your passwords safe, or is it really a false sense of security?