I understand this very well. Here's one scenario: Busy office. Hundreds of computers. Open environment (no doors, just a bunch of desks/tables). Everyone using Chrome.
The current version of Chrome would allow someone to, within a few clicks, grab a pile of passwords.
Here's another scenario: Your mother takes her laptop to be repaired/updated. She uses Chrome. The entire repair shop has easy, unencumbered access to all of her passwords and logins.
Similar scenario: Computer goes to IT guy where you work for repairs/updates. He now has any and all of your passwords and logins with no effort.
My point is that for all this talk about security it seems really dumb for a prominent player (any prominent player) to not take extra steps to ensure that our valuable data is secure within reason. With LinkedIn the problem is, at the very least, the lack of anything beyond SHA-1 to protect passwords. Bad idea. In the browser case, it seems to me that, unless the intent is to provide a browser used only by those like us who understand and are very aware of security issues, it might just be a good idea to put in a few things that will make it harder for curious eyes or the 16 year old at the repair shop to grab all of your login data.
I don't propose nor do I expect perfection or absolute security, but what Chrome does today is, in my opinion, at the very least irresponsible. The uninformed user has NO IDEA WHATSOEVER that a huge security hole exists in their browser. Maybe we need to stop thinking in our terms and focus on mom, dad, uncle or grandma. When you first install Chrome you should, at the very least, see a screen telling you about security and the options you might have. I think that a master passwords would most-definitely serve a purpose in the case of "innocent" peeking. Yes, with pro's all bets are off. It's only a matter of time until someone tracks identity theft to the lack of browser security and they sue the fuck out of the browser publisher.
> The current version of Chrome would allow someone to, within a few clicks, grab a pile of passwords
With a USB stick and one click anyone can install malware that would give complete control of the computer to the user remotely.
> Computer goes to IT guy where you work for repairs/updates.
IT repair guys generally need admin access to the computer and will have all the time in the world to install any number of malware for remote access.
> but what Chrome does today is, in my opinion, at the very least irresponsible
For Chrome to add a master password would be irresponsible because it would give users the illusion of security they don't have. All OSes already have password protection against innocent peeking with user accounts and the ability to lock your computer when you walk away.
If Chrome were to hide them in the UI, you could still get to them one way or another (like grabbing a memory dump). If someone has physical access to your computer when you're logged on, you've lost the security game. There's no point in adding a layer of obscurity on top.
The current version of Chrome would allow someone to, within a few clicks, grab a pile of passwords.
Here's another scenario: Your mother takes her laptop to be repaired/updated. She uses Chrome. The entire repair shop has easy, unencumbered access to all of her passwords and logins.
Similar scenario: Computer goes to IT guy where you work for repairs/updates. He now has any and all of your passwords and logins with no effort.
My point is that for all this talk about security it seems really dumb for a prominent player (any prominent player) to not take extra steps to ensure that our valuable data is secure within reason. With LinkedIn the problem is, at the very least, the lack of anything beyond SHA-1 to protect passwords. Bad idea. In the browser case, it seems to me that, unless the intent is to provide a browser used only by those like us who understand and are very aware of security issues, it might just be a good idea to put in a few things that will make it harder for curious eyes or the 16 year old at the repair shop to grab all of your login data.
I don't propose nor do I expect perfection or absolute security, but what Chrome does today is, in my opinion, at the very least irresponsible. The uninformed user has NO IDEA WHATSOEVER that a huge security hole exists in their browser. Maybe we need to stop thinking in our terms and focus on mom, dad, uncle or grandma. When you first install Chrome you should, at the very least, see a screen telling you about security and the options you might have. I think that a master passwords would most-definitely serve a purpose in the case of "innocent" peeking. Yes, with pro's all bets are off. It's only a matter of time until someone tracks identity theft to the lack of browser security and they sue the fuck out of the browser publisher.