

Chrome: plz fix security hole that has been around too long - rynop
http://www.google.com/support/forum/p/Chrome/thread?tid=42a84be03b8fd809&hl=en

======
jwpeddle
I can understand why people would still want this fixed, but if you have saved
passwords, someone can reveal them in any browser using just javascript (for
example:
<http://blog.amwmedia.com/post/3043988338/reveal-hidden-passwords-in-all-major-browsers>).

If you're concerned about other users stealing your passwords, don't let them
use your profile at all.

------
lomegor
A Chrome representative said that they weren't going to fix this. I can't find
the source. He/she said that they had a few arguments about this, but that
they feel that by not showing your password they are creating a false sense of
security.

Every browser has to store passwords in a way that's recoverable (as they need
to be sent to the server), so if you store them and you lose control of your
computer, you WILL most probably lose control of your passwords too, in every
browser including IE9 (something this page,
<http://www.thewindowsclub.com/chrome-firefox-show-passwords-plain-text-ie9>,
does not seem to understand).

------
udp
People still save passwords? I just let the cookies hang around. Haven't been
logged out of anything for months.

Anyway, it has to be possible to retrieve the password in plain text for
Chrome to be able to use it. Even if they remove the functionality to view it,
someone could just make a tool - and when someone has access to your computer
they could run said tool.

If someone malicious has access to your computer and it's not locked, you're
pretty much screwed - that's not the fault of Chrome.

------
jakubw
For those who actually let their browsers store passwords I recommend looking
for extensions that integrate the password storage with the native password
management systems such as Mac OS X's Keychain, KDE's KWallet or GNOME
Keyring. Some browsers may even support that by default. That at least ensures
the passwords are stored encrypted and the browser can't access them without
the user's reauthentication.

------
pagekalisedown
This is a pretty good read on this subject:
<http://developer.pidgin.im/wiki/PlainTextPasswords>

------
maytc
Why doesn't Chrome put in a master password or a security question/answer a
user has to enter to reveal sensitive information?

------
chippy
Could someone explain how this is a security hole exactly? Being able to
access saved passwords is a feature, right?

------
yanw
Isn't that why operating systems let you make separate password protected
profiles?

Firefox does the same btw except they offer a master password, but what
happens when you misplace that password? Chrome seemingly assumes that the
profile password is that master password which seems like expected behavior to
me, I mean how many nested passwords do you need to be satisfied?

Also if you have access to the machine saved passwords can still be dug up
regardless.

------
rynop
Anyone with access to your computer can see your website passwords stored in
Google Chrome in CLEAR TEXT. Seriously this is ridiculous. Yes, there is a
responsibility for a user to adequately protect their computer, but this
just sets people up for identity theft and a bunch of other bad stuff. My 60
year old parents use Chrome, your grandparents probably use Chrome. Help them
out, at least have a master Chrome pw to protect viewing things in clear
text...

~~~
pagekalisedown
What do you think of Firefox having the same issue?

~~~
rynop
Was not aware. I don't use FF for browsing. If they have the same issue it's
just as bad. If someone wants to hack your computer they can, I get it. But not
adding at least some level of security (profile level pw required to reveal
clear text) does not seem right.

Also understand Chrome needs to be able to get at the clear text at some
point, and that you can get at it with JS. Adding a session/timeout based
master/login password (like ssh keychain for example) to autofill pw, would be
one idea to plug some of the holes.

