
Showing stored passwords – Tim Berners-Lee - jchrisa
http://lists.w3.org/Archives/Public/www-archive/2013Aug/0020.html
======
jellicle
And this is why I don't use Chrome, nor recommend it to anyone.

The dimwit Chrome developers continue their dumb insistence that penetrable
security shouldn't exist.

"Bathroom doors shouldn't have locks; someone could just kick the door in and
then where would you be!"

"Houses shouldn't have locks; you've got glass windows, don't you?! It's a
false sense of security!"

"Prisons shouldn't have 20-foot walls; Home Depot has 21-foot ladders, don't
they?! Lex Luthor escaped via helicopter! It's a false sense of security!"

"Bicycles shouldn't have locks; there are bolt cutters with five-foot handles,
aren't there?! It's a false sense of security!"

Of course in the real world, where Chrome developers do not live, we use locks
in all these cases. There's a combination of social signalling (this is mine;
do not disturb it) as well as legal signalling (locked means an affirmative
action must be taken to break the security, which is punishable; unlocked is
not punishable) as well as a substantial amount of actual security (the
reality is not everyone carries five-foot bolt cutters, even if some people
do).

Maybe I can put it another way: Android, up through 4.2, only contemplated a
single user per tablet. So if you gave your kids (or anyone) the tablet to
play with, they had FULL and unrestricted access to your Gmail account, Google
Play account, and so on. Someone, eventually, slapped some sense into the
Android developers and now Android 4.3 has restricted profiles where you can
let the kids play games without giving them access to your Google accounts.

That someone needs to get their slapping gloves and wander over to the Chrome
development team...

~~~
TeMPOraL
> _"Bathroom doors shouldn't have locks; someone could just kick the door in
> and then where would you be!"_

Nitpick:

Bathroom doors should have easily breakable locks (if any at all) because of
the danger of carbon monoxide poisoning; a locked door may be the only thing that
stands between you and dragging an unconscious family member out of danger.

I for one was always taught as a kid to not lock the bathroom when taking a
bath.

~~~
chmars
There's a danger of carbon monoxide poisoning in the bathroom???

~~~
jacquesm
If you have a gas fired bath water heater in there, yes.

Not as common today as they once were but there are still plenty of them.

~~~
greedo
In the US? Perhaps in other countries, but in the US, I've never seen a water
heater in a bathroom.

~~~
richardjordan
Right - I live in the US nowadays and nobody has them - but back in the UK
they're all over the place - stay at someone's house and there's a good chance
they have one.

~~~
manarth
I've never heard of such a thing, let alone actually seen one in a bathroom.
I've lived in the UK for all (bar a couple of years) of my life.

[edit] I found an academic paper that discusses the safety of these heaters -
dated 1973. I'd guess that they've gradually disappeared thanks to better
heating systems and improved safety regulations. The paper:
[http://hej.sagepub.com/content/32/4/120.abstract](http://hej.sagepub.com/content/32/4/120.abstract)

~~~
to3m
You presumably have central heating in your house, and hot water? If so, you
probably have a boiler. And this boiler probably runs on gas!

~~~
manarth
The comment was referring to "gas fired bath water heaters", which appears to
be a specific type of heater fitted _in bathrooms_ for heating the bath
water, hence the potential for increased CO risk in the bathroom.

My hot-water + heating system is gas-fired, but the boiler is in a utility
closet vented to the outside.

------
spinchange
The purpose of a master password is not to provide perfect security or a false
sense thereof. The purpose is to impede an _unskilled attacker_ who has only
momentary access (like the amount of time it takes to type
chrome://settings/passwords on a temporarily unattended machine) and mitigate
the severity of what can be done by an _unskilled attacker_ in the event of
such a short breach.

It might be proper security engineering practice, but it strikes me as being
totally out-of-touch with regular humans and mere mortal users to insist that
once _any_ attacker has access for _any_ duration, you're completely hosed
anyway, so why not make it easy for them.

~~~
Dylan16807
An unskilled attacker with no knowledge won't know where to go to get the
passwords.

An unskilled attacker with instructions can type in a url to get a password
dumper, and be in and out in 30 seconds plus memorization/transcription time.

~~~
Ovid
A little brother using Chrome regularly won't know about keyloggers, how to
write a clever bookmarklet, or even be allowed to be around when his big
sister is typing in her password. But there's a good chance he _does_ know
about clicking that little icon, choosing "settings", and seeing all of his
big sister's passwords when she's out on a date and forgot to lock her
computer.

Locks on your front door knob are not there to keep out burglars. They're
there to prevent opportunistic crime: someone who tries that doorknob out of
curiosity and discovers a home full of stuff and no one around. There's a
large middle ground between good guys, bad guys, and those who might, just
might, be tempted to be bad when they find that suitcase full of money. That's
what Google is missing here.

And in a condescending response[1], someone who is allegedly the Google head
of Chrome security called the original author a "novice", claimed Google has
"quite a bit of data" to back up their case (without describing the data, its
source, or how it was evaluated), and suggested that a master password would
make security worse by providing a false sense of security.

First, I would suggest that if Google really does have the data mentioned in
the claim, release it. Second, a master password isn't going to make the
computer safer from a determined black hat because physical access to the
machine means game over, but THE MASTER PASSWORD IS NOT ABOUT PROTECTION FROM
BLACK HATS.

When the colleague who hates you is standing by your unlocked computer when
you're off to get coffee and suddenly realizes that he not only can read your
email now, but at _any time he wants to in the future_ , that's a problem —
when your partner gets suspicious about your working long and you've forgotten
to log out — when your little brother realizes he can post "funny" pictures to
your Facebook page ... when, when, when ... there are so many areas where this
could cause a lot of pain. For example, this is from a blog entry I wrote a
decade ago about a young lady who was compromised because LiveJournal stored
her _username_ in the cookie and the conservative, religious parents found her
blog[2]:

> I know of a young lady who kept an online journal. Her
> parents found it and started reading it and were
> horrified to find out that she was suffering from --
> brace yourself -- teen angst! Her parents don't
> understand her, not enough boys like her, she's not very
> popular, etc., etc. In reading through the journal,
> there are no references to doing drugs, sex, or anything
> else that one might expect a parent to worry about, but
> this young lady's parents hit the roof. They forbade her
> to keep an online journal and they grounded her
> (naturally, I'm sure this cured the angst problem).

The parents had physical access to the computer and were smart enough to look
at cookie data (these parents weren't technically sophisticated, I might add).
Can you imagine what would have happened if the parents could then have read
all of their daughter's passwords? Google telling users "this isn't really
secure, so we're not going to do a damn thing to help you" doesn't help.

Google is optimizing against black hats but pretending that opportunistic
crime doesn't exist. In physical security, opportunistic criminals tend not to
be the brightest or think too deeply about what they're doing, but when the
opportunity is there, they go for it. Google is happy to give them that
opportunity.

1.
[https://news.ycombinator.com/item?id=6166953](https://news.ycombinator.com/item?id=6166953)

2.
[http://use.perl.org/use.perl.org/_Ovid/journal/13471.html](http://use.perl.org/use.perl.org/_Ovid/journal/13471.html)

~~~
thezilch
You're confusing a browser password-keeper with a house lock, when the house
is actually synonymous to the machine. Lock the machine. Should every OS come
with only encrypted filesystems that you have to enter a password on every
read? You know, so your brother doesn't find your sexts logs?

~~~
Ovid
More and more of our data is being stored online. Many things that you might
want to keep confidential are nonetheless behind a poorly designed "firewall"
of passwords. _That's_ the problem. Demanding that someone never forget a
manual process (locking the machine) is adding a massive point of failure.
This is bad.

~~~
thezilch
What does that have to do with a browser and poor analogies? Neither protects
important documents on disk, a shell open with root, an ssh open to your
production, etc. I'm not condoning Chrome's actions, but I'd also demand not
storing passwords in a browser at all, and doing all sensitive browsing in
incognito, so your sessions can't be lifted.

------
ColinWright
This hit the news three weeks ago. Here's a submission with 305 comments,
including a reply from the Chrome browser security tech lead:

[https://news.ycombinator.com/item?id=6165708](https://news.ycombinator.com/item?id=6165708)

Here are some other submissions:

[https://news.ycombinator.com/item?id=6167331](https://news.ycombinator.com/item?id=6167331)

[https://news.ycombinator.com/item?id=6171813](https://news.ycombinator.com/item?id=6171813)
(many comments)

[https://news.ycombinator.com/item?id=6171979](https://news.ycombinator.com/item?id=6171979)

[https://news.ycombinator.com/item?id=6173106](https://news.ycombinator.com/item?id=6173106)
(many comments)

[https://news.ycombinator.com/item?id=6173582](https://news.ycombinator.com/item?id=6173582)

[https://news.ycombinator.com/item?id=6175012](https://news.ycombinator.com/item?id=6175012)

[https://news.ycombinator.com/item?id=6177417](https://news.ycombinator.com/item?id=6177417)

[https://news.ycombinator.com/item?id=6180711](https://news.ycombinator.com/item?id=6180711)

------
denzil_correa
I read Justin Schuh's (head of Chrome Security) comments [0] and I was a bit
taken aback. He seems to suggest that unless you get 100% security there is no
point making it tough for an attacker to steal passwords. For example, if you
are not 100% sure of your home being theft proof - please do not worry about
locking up your doors! :)

[0]
[https://news.ycombinator.com/item?id=6167146](https://news.ycombinator.com/item?id=6167146)

~~~
HCIdivision17
The response is fairly shocking. I have always felt reassured that security
gurus will argue about minutiae in encryption schemes just because someday
someone may figure out a piece of mathemagic that bypasses it.

Here we have a response from a security head that it's silly to try to be
secure if the person has physical access, or at least the Chrome team can't
trust anyone else's app.

What if you leave your desk for the bathroom and forget to lock it? Or put
chrome on a flash drive? Or have settings stored in a non-default location? Or
heaven forbid a clever virus manages to get on and all it does is try to look
at passwords?

~~~
MichaelGG
Your what-if scenarios are essentially game over. "Heaven forbid a virus" -
uh, if an attacker is running arbitrary code in your security context, you've
lost. Full stop.

Leave your desk and forget to lock it? Uh, then anyone that sits down keeps
your user sessions. Unless you've configured things to prompt for passwords
everywhere (like Vista UAC) then they have access to plaintexts you would.

Users aren't going to want to type in a password every time they open their
browser. Non-sandboxed OSes can't really enforce any security there. And users
hate re-entering passwords, this is why they are saving passwords in the first
place.

You're arguing "yeah, but just because I logged in as root doesn't mean I want
to be able to run root commands".

His response is correct.

~~~
ronaldx
Tim Berners-Lee is correct.

If I leave my desk to go to the bathroom for a few minutes then I take my
chances with any malicious actors with access to my hardware, sure, we can
call that "game over".

But that scenario doesn't make much sense in reality - if someone is that
close and has such a malicious intent, why don't they simply hit me with a 5
dollar wrench[0]?

Whoever happens to be feeling malicious in my office ought to have to act out
their malice deliberately - and not simply to be able to click a single button
to retrieve all my personal passwords.

[0] [http://xkcd.com/538/](http://xkcd.com/538/)

~~~
MichaelGG
It's not a single click. They have to go into Settings, find the passwords
section, open that up, find the password they want, and click show password
for that entry.

That's not "browsing passwords". That's clear, malicious, intent. It's like
someone in your room looking at the bottom of your underwear drawer for secret
items. Chrome is in no way popping passwords up in front of friendly
unsuspecting visitors.

~~~
chmars
A few simple clicks – or chrome://settings/passwords …

~~~
MichaelGG
Or [http://shortener.url/quickkit](http://shortener.url/quickkit) to run a
quick program to do the same thing. Which is the entire point the program
writers are trying to explain.

~~~
pyre
Every time a person gains physical access, the worst-case scenario is that
it's someone skilled at such things. The reality is that the number of people
with such skills is rather small when compared to the general population. What
are the chances that someone with momentary access will be an ultra-skilled
black hat?

Do you not lock your house at all because the worst-case scenario is that the
burglar is a master lock-picker (and you can't afford the ultra-expensive
takes-30-minutes-and-powertools-to-break locks)?

Using the worst-case scenario to guide all of your decisions makes more sense
when the threat/attack is coming from the Internet, where the likelihood of
the attacker being skilled significantly increases.

------
sirsar
It's similar to changing your ssh port: does it provide "real" security? No.
Does it prevent the majority of automated attacks? Absolutely.

As a real world analogy, what about easily-climbable fences? Those are often a
useful deterrent, and they make trespassing litigation more likely to succeed.

[1]
[http://rimuhosting.com/knowledgebase/linux/misc/preventing-brute-force-ssh-attacks](http://rimuhosting.com/knowledgebase/linux/misc/preventing-brute-force-ssh-attacks)

[2]
[http://serverfault.com/questions/189282/why-change-default-ssh-port](http://serverfault.com/questions/189282/why-change-default-ssh-port)

~~~
MichaelGG
Automated attacks will rapidly adapt. There's zero barrier without some OS-
provided sandbox mechanism. For instance, something that verifies the signer
of the executable before providing a key. (That doesn't exist on Windows, for
example.)

~~~
joshka
I read an article recently that suggested that automated attacks of ssh on non
standard ports have already adapted, hence this already offers no extra
security.

------
abalone
Are these supposed security experts completely ignorant about how Mac OSX
Keychain works?

This is the basis of much of the argument in favor of Chrome's approach:

> _In all cases, if you have access to the machine, all it takes is trivial
> software that's widely available to snoop on anyone else using the machine._

This has been repeated elsewhere including by the Chrome security engineer in
so many words. Paraphrasing, "if you've got physical access to the machine,
everything else is just theater, so we just go ahead and make that obvious."

But.... OSX requires the admin password before installing any software. That
would seem to invalidate the above argument.

Or is there actually a way to bypass OSX Keychain... and if so, how "trivial" is
it? Certainly nothing comes up in a quick Google search. You'd think it'd be
big news that Apple's whole security framework is just "theater".

~~~
ZeroGravitas
I'm fairly sure that I've installed (and run) Mac OS X apps via drag and drop
with no admin prompt.

~~~
abalone
Hmm, maybe it's just the System and root Library folders that require
authentication. But those would be what you'd need to access to install a
keylogger or some such monitoring software, I'd guess.

------
comex
I suppose the issue here is that many of the people who might "compromise"
one's browsing session don't fit the model of an evil attacker. They might be
friendly pranksters, or unfriendly but not invested enough in the "attack" to
go to much effort to perform it. Part of the reason it makes a difference, as
noted, is most people's lack of technical knowledge, which might not be a good
thing to rely on (though it will probably continue to exist for the
foreseeable future), but even with the knowledge that alternatives exist, it
feels more evil to go after them. In computer security, it's common to look
down on security measures that are bypassable, even if they have some
deterrent effect, because hackers wise up fast, and the false sense of
security the measures tend to provide is actively harmful. But there's a
difference between hackers and the general population...

The other comment in this thread about locking doors is a good analogy. The
chance that locking my door (in a house with many ground-floor windows and no
home security system) will deter an actual burglar is nil. But it could
certainly deter some strange neighbor from sneaking in and perhaps stealing
things.

On the other hand - justinschuh mentioned that they've "literally spent years
evaluating it and have quite a bit of data to inform our position". Opinions
formed off the top of our heads don't mean that much.

------
pbreit
I'm sick of the crypto "experts" equating weak (or even "pretty strong")
security with no security.

~~~
jchrisa
Thanks. This is why I posted this. Not everyone's office is full of kernel
hackers. In real life, most security is grey.

------
laureny
Why is it so hard for the Chrome team to realize how harmful it is to see
passwords in clear text without any effort on the part of the intruder.

Baffling to me really, especially coming from Google.

They are going to turn around on this, I am certain of it, but why it's taking
them so long is beyond me.

------
rbobby
It seems that an undifferentiated threat model is being used. Within the scope
of physical access to an unlocked device all attackers are considered to be
ultimately sophisticated and absolutely untrustworthy.

This model is clearly lacking, and is not appropriate for software as widely
deployed as Chrome.

------
adsche
The tweet:
[https://twitter.com/timberners_lee/status/364839351651274752](https://twitter.com/timberners_lee/status/364839351651274752)

------
Sidnicious
I made this argument to the 1Password guys (Dave Teare, I think) when I ran
into them at Macworld a few years ago. I was used to the Mac OS's keychain
_always_ asking for a password to see or edit its contents, even when it's
unlocked and apps can get at their stuff in it at will. 1Password doesn't.

He made the same counter-argument, that if you're handing your computer over
to someone you don't trust, 1Password should be locked - his locks after a
short timeout and whenever he puts his computer to sleep.

These arguments are way more eloquent than mine though.

------
cheald
Something I've found rather silly in this whole kerfuffle is a failure to
recognize that a physical-access attacker can just as easily copy your
Chrome/Firefox/whatever profile to a thumb drive, and he now has a full copy
of all of your login cookies, many of which are going to permit bypass of 2FA.

I like the idea of there being a challenge in Chrome before my passwords are
displayed, but its actual impact on actual security is pretty negligible.

~~~
bookface
I disagree. Maybe if anybody who would ever have physical access to your
computer has the technical chops of the average HN commenter, it wouldn't do
much for you. However, for somebody leaving their computer alone for a few
minutes in a coffee shop or college library, this could definitely deter many
opportunists.

~~~
cheald
I...just said that I favor Chrome having a challenge before displaying
passwords. I also said that I agree with the Chrome team's position that it
doesn't substantially improve security against a physical attacker. I'd like
Chrome to have it, but I also know that having your passwords behind a master
password doesn't actually result in your web-based accounts being secured
against a physical attacker.

A challenge dialog is going to deter the "casual" snoop. I'm all for it as a
defense-in-depth measure. My point is that you can encrypt your passwords all
you want, but _even_ in that case, physical access is game over because there
are additional attack vectors that don't require a passphrase to breach.

And honestly, if I left my computer alone in a coffee shop or library, I'd be
much more worried that someone would pick it up and walk off with it than that
someone is going to look at my Chrome passwords. Good luck memorizing those
16-character randomly-generated phrases that I can't reliably remember after
two months of repeated use.

~~~
interpol_p
> A challenge dialog is going to deter the "casual" snoop.

I think the "casual" snoop is far more likely than the determined attacker
with physical access. Which is why the Chrome team's position on this is
baffling.

There are so many cases where I hand my computer over to coworkers, friends,
family. I trust them all not to explicitly circumvent the security of my
machine, but I definitely don't trust some of them not to "casually snoop."

------
MichaelGG
News: If you have root on modern Linux distro, you can edit the sudoers file.

Requesting a password would provide a false sense of security. The passwords
are stored in an easily obtainable format. If you are leaving your laptop
around untrusted people, you're going to have problems.

Trying to draw a line around the secure point (having a workstation totally
unlocked) sounds incorrect.

~~~
dgesang
> The passwords are stored in an easily obtainable format.

So, why not change THAT and store them encrypted with a master key?

> If you are leaving your laptop around untrusted people, you're going to have problems.

True. But why make it even easier for someone unauthorized to retrieve your
passwords?

Why is it only the browser developers who come up with that argument? I've
never read such a statement from any other team. And why don't other software
systems do it that way, if it is so insecure and "false security" to encrypt
user passwords in a local db? Couldn't even an OS use that argument and say
"hey, you got physical access to the system, here are all the passwords in
plain text, have fun!"?

~~~
MichaelGG
>So, why not change THAT and store them encrypted with a master key?

They are; it's called your user account password.

If you mean an extra password, the answer is that most people don't want to
type in a password when they open their browser. And even if they did, then
the argument would be "well they leave their browsers open, so it should ask
for a password every time", which defeats the whole purpose of password
saving.

Think it through and try to see the issue.

~~~
dgesang
> If you mean an extra password, the answer is that most people don't want to type in a password when they open their browser. Think it through and try to see the issue.

I don't see your "issue", as using a master password does not "defeat the
whole purpose of password saving" at all. Many people have different login
credentials for different websites (not only passwords, also login name or
email) which are hard to remember which one you used where. Having access to
them with a single master password is convenience.

I like the way this is handled in Opera, where your passwords can never be
accessed/viewed in plain text at any time. Once your login data are stored,
you can simply use them via CTRL+ENTER on the login form and the data is
pasted into it. If you want to, you can use a master password to restrict
access to that data. And you can even set a time after which the browser
will forget that password and then asks for it again after e.g. 15 minutes.

~~~
cbr
I sit down at your computer and Opera is open. I go to facebook.com, click on
the password field, press ctrl+enter. I then use the dom editor to change the
field to text. Will I see the password?

~~~
dgesang
You will not, because that domain is blocked in every OSI layer possible in my
local setup. ;)

But seriously: Yes, of course you would. They have to be pasted in clear text.
There is no other way to do this.

But that's not the point. The point is that you do not get to use CTRL+ENTER
in the first place! Unless, of course, you type in the master password, which
Opera will forget after x minutes (zero if you want it to be forgotten
instantly). So you have a window of x minutes after I've used the password
manager for the last time to do your "DOM hack".
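
The design dgesang is describing (credentials stored encrypted under a key derived from a master password, decrypted only on unlock, and forgotten again after x minutes) as an added example; this is not code from Opera, Chrome or any commenter. It assumes a constructed site entry and timeout, and uses HMAC-SHA256 in counter mode in place of a real block cipher so it runs on the Python standard library alone; the store is locked until `unlock()` succeeds and re-locks itself once the timeout has elapsed.

```python
import hashlib
import hmac
import json
import os
import time


class LockedError(Exception):
    """Raised when credentials are requested while the store is locked."""


def _derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                   200_000, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class CredentialStore:
    """Encrypted credential store that needs a master password and re-locks on timeout.

    timeout_seconds=0 means the master password is forgotten immediately after use.
    """

    def __init__(self, timeout_seconds, clock=time.monotonic):
        self.timeout = timeout_seconds
        self._clock = clock          # injectable clock so the timeout is testable
        self.blob = None             # the only thing that would ever touch disk
        self._entries = None         # decrypted entries, held only while unlocked
        self._unlocked_at = None

    def create(self, master_password, entries):
        """Encrypt the entries under the master password (encrypt-then-MAC)."""
        salt, nonce = os.urandom(16), os.urandom(16)
        enc_key, mac_key = _derive_keys(master_password, salt)
        plaintext = json.dumps(entries).encode()
        ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
        tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
        self.blob = {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}
        self.lock()

    def unlock(self, master_password):
        """Verify the tag first; a wrong password or tampered blob never decrypts."""
        b = self.blob
        enc_key, mac_key = _derive_keys(master_password, b["salt"])
        expected = hmac.new(mac_key, b["nonce"] + b["ct"], "sha256").digest()
        if not hmac.compare_digest(expected, b["tag"]):
            raise ValueError("wrong master password or tampered store")
        plaintext = _xor(b["ct"], _keystream(enc_key, b["nonce"], len(b["ct"])))
        self._entries = json.loads(plaintext)
        self._unlocked_at = self._clock()

    def lock(self):
        """Forget the decrypted entries; only the ciphertext blob remains."""
        self._entries = None
        self._unlocked_at = None

    def is_unlocked(self):
        if self._unlocked_at is None:
            return False
        if self._clock() - self._unlocked_at >= self.timeout:
            self.lock()              # the x-minute window has closed
            return False
        return True

    def get(self, site):
        """Return one site's credentials, or refuse if the store is (re)locked."""
        if not self.is_unlocked():
            raise LockedError("enter the master password first")
        return self._entries[site]
```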

------
kefs
Relevant reading:

[http://raidersec.blogspot.in/2013/06/how-browsers-store-your-passwords-and.html](http://raidersec.blogspot.in/2013/06/how-browsers-store-your-passwords-and.html)

Also, if you're on FF, do yourself a favour and turn on a master password
before it's too late (Tools > Settings > Security).

------
eli
Sounds like the debate over running SSH on a nonstandard port. Sure, it
provides only a little protection and only against opportunistic, drive-by
attacks... but it's easy to do and it can't hurt. So why not?

------
revelation
Looks and feels like a bikeshed. This kind of obfuscation will only lead to
more Linus rants of how his kids need root access to install a printer.

------
7952
If the password submission was handled in javascript couldn't the website
rewrite the password field with a one time password. This would let people use
password storage, but give the ability to revoke later on. The only difference
between a stored password and a cookie, is that cookies are trusted less. Both
can give password equivalent access.

------
CoryG89
I've often thought that it was strange that these passwords were stored in
plain text. Although. At least with the version of Firefox my old workplace
had on their machines, I was able to view all the passwords stored in it as
well. Not sure if this has been fixed, but at least it's not always been
_just_ Chrome guilty of this.

~~~
johnpowell
Just checked with latest FF on OS 10.8.4. Click a button and you can see all
of them. Safari will prompt for a password.

~~~
neilparikh
Firefox allows you to set a master password, which will hide stored passwords and
not allow you to access them until you enter the master password.

I think this also encrypts the stored passwords, but I'm not sure about that.

------
CamperBob2
I don't get the controversy. There are very few reasons to have multiple user
accounts on a home PC, but this sounds like one of them. If you want to lend
your PC to someone or allow other friends/family members to access it at will,
you need to create separate user accounts for those people. Problem solved.

------
bonaldi
Not sure why "you can just use the DOM inspector" is so often accepted without
question. _Why_ does the DOM inspector happily show you a password?

Shouldn't the browser be keeping track of those it has autofilled and
prompting for a password before exposing them there, too?

