
Never Save Passwords on Chrome or Firefox - J253
https://hackernoon.com/why-you-should-never-save-passwords-on-chrome-or-firefox-96b770cfd0d0
======
techslave
i have to admit, I have tired of this type of amateur hour, alarmist analysis.

> Well, no. If a hacker has managed to get access to your computer, whether it
> be through an unprotected port or a botnet-type trojan that you’ve managed
> to get infected with, then the hacker already has your Windows credentials
> ...

If the hacker has your Windows credentials and local access, nothing Chrome
does matters. It’s game over for you. (local 2fa aside, ie touch ID mediated
keychain access, that kind of thing.)

Had the author reported it to google before declaring his brilliance over
_GOOGLE_ ’s obviously deliberate choice here, he might have gotten some
valuable insight and not embarrassed himself with this post.

~~~
OskarS
I don't agree. Lets say someone steals your computer and is able to log in: if
you save all your passwords in Chrome this way, you're done. Every password to
every site you've ever logged into will be compromised. You've lost all
control over your online identity. However, if you had used a password manager
with the passwords encrypted with your master password at rest, it would be
fine.

This doesn't just apply to physical thefts: if you get malware on your
computer, fetching all your Chrome passwords is trivial. Fetching your
password manager passwords is not: it would only be possible to do if you
actively used the computer while it was infected (and entered your master
password), and even then it's not trivial. You'd have to either keylog every
keystroke and figure out which ones are the master password (if a master
password was even used, you can log into 1Password with TouchID and Windows
Hello) or try and go digging into the memory of the password manager to try
and fish out any passwords. Not an easy task, and one that is very difficult
to automate.

Compromising a password manager, even when the computer itself is compromised,
is difficult. It takes dedication and personal attention from the hacker.
Browser passwords, on the other hand, can be trivially harvested the second
you compromise a computer. It needs no personal attention, a bot could easily
do it on a massive scale.

The advice is correct: don't save your passwords using any system that doesn't
properly encrypt them.

EDIT: to be clear, this is not because Google's engineers are stupid. It's
because they want the Chrome password management system to be convenient, and
they don't want to require a master password. If that's the case, then there's
not much you can do to prevent this sort of thing.

------
tinus_hn
I don’t think it’s safe to post a slightly blurred image of your usercodes and
passwords.

~~~
igoose1
Moreover, if you use "Security" and "Cybersecurity" tags. I'm sure, it's
possible to find the written ML script for "unblurring".

------
Tepix
So the master password is not used to encrypt the password database? What is
it used for then?

~~~
javagram
The headline appears to be misleading.

If you use Firefox, the Master Password for the Software Security Device that
must be entered on each restart of Firefox is certainly used to encrypt the
passwords.

I believe the steps outlined in the article for Chrome are accurate but the
word “Firefox” appears only in the headline.

~~~
NikkiA
It doesn't seem to be used if you use the firefox sync feature though, from my
experiments, at least, I could sync my account and then open the passwords
without the master password.

That was about when I stopped using 'save password' and also disabled password
syncing.

~~~
javagram
[https://support.mozilla.org/en-US/kb/using-master-
password-s...](https://support.mozilla.org/en-US/kb/using-master-password-
sync)

“When using Sync, your Firefox Accounts login is stored with your saved
passwords in the password manager. Your master password must be entered so
Sync can access your Firefox Accounts login. Once the master password has been
entered, Sync can also access your other saved passwords and sync them between
your devices.”

It looks like a master password has to be enabled separately, just having
Firefox sync won’t encrypt passwords on disk from what this is saying.

~~~
NikkiA
My point is that I found I could enter my firefox sync password and my master-
pw-protected passwords were brought down from firefox without any trouble,
ergo bypassing my master-pw completely.

My _expected_ behaviour would be that the master-pw would be used to encrypt
the passwords, and this encryption would be carried to the sync'ed passwords
such that knowing my sync password would be insufficient alone to get my
cleartext passwords - which is, afaik, how almost all other (online/syncable)
password managers work.

------
AngeloAnolin
This should be reported to the Google Team and perhaps they should award the
author some compensation as part of their bug bounty program.

This is alarming.

~~~
hrktb
it’s pretty old, for instance this is a description of the same issue from
2013:

[https://www.howtogeek.com/70146/how-secure-are-your-saved-
ch...](https://www.howtogeek.com/70146/how-secure-are-your-saved-chrome-
browser-passwords/)

The link to the “why isn’t there a master password?” question is now dead, but
from memory of the disucssion at that time, it was basically said that browser
passwords are inherently unsecure as they end up in plain text in the password
field, and trying to add layers upon layers of encryption was just distracting
from that fact. That position explains a lot about how Chrome handles these
passwords.

~~~
techslave
there’s a difference between reading one password out of a password field
being actively used, and your entire archive from cold storage.

that said, as i commented otherwise, the report is still bogus.

