Hacker News
elliottkember 341 days ago | link | parent

Hey Justin, I'm the author. I appreciate your sentiments, but I feel like they may be out of touch with the way real people are using computers in the wild.

My suggestion is to seriously re-evaluate this approach in light of the actual use-case of how people perceive these passwords.

It appears as though many, many users don't expect these passwords to be visible. This is an important thing to take into consideration.



justinschuh 341 days ago | link

I appreciate how this appears to a novice, but we've literally spent years evaluating it and have quite a bit of data to inform our position. And while you're certainly well intentioned, what you're proposing is that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior. That's just not how we approach security on Chrome.

-----

dspillett 340 days ago | link

Before I start my response proper, I should point out that I know most other browsers, and most add-ons for them that perform the task of storing credentials, do much the same thing and are therefore no less insecure. This is why I recommend everyone avoid most credential storing products and turn off their browser's built-in facility (whichever browser they use).

> I appreciate how this appears to a novice

As you are in the process of defending storing passwords in plain form (or at least in a manner that allows them to be accessed in plain form so easily), without any warning that this is happening, I am of the opinion that you have no right to be so condescending as to publicly call someone else a novice.

> but we've literally spent years evaluating it

Some creationists have spent decades evaluating their position too. That does not make me any more inclined to agree with their assessment of the way the universe works, nor does it make me feel inclined to recommend that position to others.

> and have quite a bit of data to inform our position.

Please provide said data so that we can evaluate it, otherwise what you are saying here is simply "I'm right because I know that I'm right".

> what you're proposing is that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior. That's just not how we approach security on Chrome.

That is EXACTLY how you are approaching security in Chrome it would seem.

If the criticism of the way Chrome currently does these things is wrong for this reason then Chrome's behaviour is wrong for the same reason. Users will assume that the passwords are stored securely, or will be blissfully unaware that they even need to be, and will think they are safe when they are not. This argument may not make the alternate suggestion being made correct, you certainly believe that it is not, but your argument doesn't make Chrome's current position any less incorrect either.

While here we all know that locking out workstations provides much better security (as mentioned in your earlier post) than a master password on the browser's credentials store would, the general public do not tend to have much concept of that in my experience (while it very much should be, it is not something most people give any thought to unless explicitly prompted). Letting them take their ignorance of the matter one step further is lulling them further into a false sense of security.

You are not wrong in stating that users should lock their workstations when leaving them, and should have them set to auto-lock after a time in case they forget. Likewise we are not wrong in stating that any key store should be locked after use, and automatically locked after a period of inactivity (requiring the master password to be requested again).

Essentially you are silently opting in (on the user's behalf) to exchanging security for convenience. This brings us full circle, back to the word "novice".

With regard to my earlier acknowledgement that other vendors do the same thing, while I'm taking cheap shots like the "novice" thing above: "other people are doing it" is no more a valid excuse for irresponsible behaviour here than it was in the school playground when we were five.

We (by "we" I'm including developers, DBAs, technical managers, security experts, and other members of the technical "community") should be trying to teach users to take better care of their credentials and their information security more generally, making it inconvenient for them not to if necessary rather than making it easy for them to continue to be blissfully ignorant of the situation.

-----

elliottkember 341 days ago | link

Novice? I'm sorry, but whether I'm a novice has absolutely nothing to do with this.

What I'm proposing is that you just don't show our passwords, all in one window, in plain text. I agree that this won't solve the problem, but would be a good first step. And I don't see how that would be dangerous.

Alternatively, Chrome should make this more obvious so that users don't make assumptions about its security.

How on earth can I convince you that many, many, many people are surprised and concerned about this? Can I direct them to you on Twitter?

-----

justinschuh 341 days ago | link

It matters that you don't seem to understand the threat model here. You think your passwords are protected somehow in other applications, but they're simply not. The fact is that they're still trivially recoverable, and if the bad guy can read them at all then he already has access to fully compromise your entire OS user account. So, you're arguing that we take measures to make users think they're safe when they've already surrendered any pretense of security. Effectively, you're asking that we lull our users into a false sense of security.

I've enumerated this multiple times now, so I'm not sure how else to explain it. The simple fact is that you need to lock your user account if you want to protect your information. If you don't do that, nothing else really matters because it's all just theater and won't actually stop anyone willing to invest minimal effort.

-----

cyansmoker 341 days ago | link

I am a tad shocked by your reply, and this for several reasons. Let's not even talk about how you inferred Elliott's credentials, or lack thereof, based on his disagreeing with your approach.

You write about "lulling your users into a false sense of security." If that is true, then how do you explain that the 'show' button only appears when clicking a password? In the name of full disclosure, shouldn't you make that option immediately visible?

Furthermore, contrary to what was posted here, I believe that you encrypt passwords when storing them. On Windows, you would use the user's password as a "master password" in fact. So, kudos for that. But, wait, isn't this a case of using a master password to lull the user... etc? (because, you know, things such as Ophcrack do not exist?)

I am not going to re-iterate what was already written about the cable guy being able to lift your password in 10 seconds, it's simply a scenario you cannot dismiss and it seems strange to me as I would expect you guys to do some persona-based design rather than deal in hypotheticals (cf. "trivially recoverable")

So, yes, Chrome is an excellent product. And yes, from an absolute standpoint, you make valid points. I simply do not believe that you are the only one here doing so, and if you are willing to post comment on HN, then hopefully you are also ready to acknowledge that things are not as clear-cut as you make them to be.

-----

elliottkember 341 days ago | link

You're right, locking the operating system will secure it. But people aren't doing that. And people lend their computers to friends sometimes. It happens. I think the actual situation is that you don't understand how people are using computers, and how people expect them to behave - which is very important.

Your software allows me to open up one application and see all passwords. It's likely the single most-used application, and the easiest attack vector on the machine. If I wanted your password, I'd try Chrome first. It's very widely-used, and therefore a huge vector. That is the problem here.

Either change it, or better communicate the need to lock your system. Because to an average user on the street, this is a scary thing to be able to do so easily.

Is there a public point of contact that I can speak to about this?

-----

Throwadev 341 days ago | link

Elliottkember is right here. Chrome's approach to this is absurd. What if you simply don't want friends, coworkers, significant others browsing your passwords? At least tell users that if they choose to save passwords in Chrome, that everyone who uses their computer, even pretty non-technical people, will be able to access those passwords. Tell them that storing their passwords in Chrome is unsafe.

Justin, can you tell us the real reason Chrome does it this way? Because the reasons you list so far don't make sense.

-----

brown9-2 341 days ago | link

Please don't invent motivations for the statements people make when you don't like what they've stated so far.

If you don't want people browsing your passwords, you can't ever give them access to your user account or your unlocked desktop. That's it, that is the entire solution. Any other method of protecting the passwords is vulnerable as long as the potential attacker has physical access to the unlocked desktop.

Now, perhaps some of this is mitigated by the fact that most of those friends, coworkers, significant others won't know how to install a keylogger or install extensions - but some small percentage will anyway, and those users who were lulled into a false sense of security will have been just as exploited anyway.

-----

mullingitover 341 days ago | link

>If you don't want people browsing your passwords, you can't ever give them access to your user account or your unlocked desktop. That's it, that is the entire solution.

Nope.

Just don't use Chrome. That's an even better solution.

-----

thisusername 340 days ago | link

Hahahahahhhh.

Let me teach you a neat trick (I'll use firefox as an example, but this can be done in any browser because it's a "feature" of HTML).

>Open firefox and navigate to a login page where your password is saved

>Right click on password box and click inspect element

>In the console, change type="password" to type=""

>Move your eyes back to the password field

Oh dear, what's this?!

Protip: Don't store your passwords in your browsers if you let other people use your computer. End of story.

-----

papacity 340 days ago | link

Ha... The people complaining really are novices, looking for something to get outraged over. Every operating system allows multiple user accounts. I recommend people start learning how to use them.

-----

mullingitover 340 days ago | link

I'm not a novice, but I would prefer that it wasn't trivial for a novice to access my passwords if I'm away from the keyboard for 30 seconds. A novice is going to have not a single clue of what to do with a console, but they can get at passwords in plaintext with four clicks with Chrome. No other browser makes it this easy to get at passwords in plaintext.

-----

papacity 340 days ago | link

> No other browser makes it this easy to get at passwords in plaintext.

In Firefox you can go to preferences, security, and saved passwords. And News Flash: If you leave your wallet unattended for 30 seconds, someone could take your money. I guess wallet makers should include a warning too?

-----

mullingitover 339 days ago | link

> In Firefox you can go to preferences, security, and saved passwords.

Incorrect if you set a master password, which Firefox allows you to do and is the reason why everyone's saying 'wtf, chrome?' and leaving firefox alone.

-----

papacity 339 days ago | link

IF you set a master password... But how many people do that? By the way, you can set up user profiles in Chrome.

-----

mullingitover 338 days ago | link

That's not the point. The point is that Chrome lacks this option, which, again, is why nobody's heckling Firefox right now. This isn't a thread about people failing to configure their software, it's a thread about a popular piece of software that's bungling some trivial security features.

-----

teeja 339 days ago | link

How many? ALL the smart people.

As for the dumb ones, they're storing their passwords on a sticky-post. Or using Chrome.

-----

marshray 338 days ago | link

Thanks. By chance, I needed to recover a password (one of my own of course) today and I remembered that trick.

-----

Throwadev 341 days ago | link

Right, I'm not arguing against any of that. The point is if it's going to be that insecure, Chrome should make more of an effort to make it clear. They could do this by displaying a warning alongside the prompt to save a password.

Also, just because some people will be able to access the passwords with physical access doesn't mean it's not worth doing basic/unsecure locking. I'd rather use a system where people need to have the know-how to use keyloggers in order to break, over one where Joe Schmoe can walk in and take everything.

In the end I have always known the security issues with saving passwords so I don't save any banking passwords or email account passwords in any browser.

-----

boklm0 338 days ago | link

"The point is if it's going to be that insecure, Chrome should make more of an effort to make it clear"

And what's a better way to make it clear than actually showing the passwords?

-----

Throwadev 338 days ago | link

A better way (than showing the passwords) to make it clear that storing the passwords is insecure was in the very next sentence after the snippet you quoted.

Read this: https://en.wikipedia.org/wiki/Principle_of_least_astonishmen...

Then tell me what's better:

- Asking users to store password, and having a menu hidden in the guts of Chrome's settings that most users will never look at.

OR

- Asking users to store password, and prompting them at the same time that doing so is insecure.

Keeping in mind that the vast majority of users of this software are average, non-techies.

-----

shipofgold 340 days ago | link

What about the situation where I drop my computer off for service. While I may remember to delete all the passwords, I doubt my dad will...Now we have the possibility that a service tech who I will never meet can harvest credentials and sell them on the black market.

-----

TheloniousMong 340 days ago | link

The real reason is simple. Get people to fear their real life circles so that, by contrast, they'll be more inclined to share their private information on the Internet.

After all, Google's business model depends directly on how much private information is shared over much of the internet.

-----

DrPizza 341 days ago | link

1) Chrome doesn't show "all passwords". It only shows passwords that Chrome knows about. The two categories might overlap, but they're not actually the same.

2) Either the browser demands an unlock password every single time it queries the password store--which is probably not an acceptable experience for most users--or the browser can arbitrarily read the password store when left unattended. There's no meaningful middle ground here. An option to demand a credential before unlocking the store might be nice for nerds, but nerds don't need it anyway, because they can use 1Password (or similar) to do this for them. It's simply not tenable for normals. Good grief, just look at the wailing and moaning that the UAC prompts in Windows Vista generated. Those prompts by default didn't even demand credentials, just a click through.

-----

greyman 340 days ago | link

Hm, I agree with the author of the article on this. I think, the default should be, that the user will be prompted to define a master password, which unlocks the password store. User might choose not wanting to set this password, but then he should be warned that all his stored passwords will be accessible by anyone using his computer with his credentials.

-----

lgladdy 340 days ago | link

"his stored passwords will be accessible by anyone using his computer with his credentials."

But this is EXACTLY Justin's point: EVEN with a master password, they'd be accessible in other ways by anyone using his computer, because it's just stored in the keychain - and if they add a master password, people will think that makes it more secure.

The solution here is to remove the show button - don't add any kind of master password - because that's just snake oil.

-----

whyoh 340 days ago | link

>EVEN with a master password, they'd be accessible in other ways by anyone using his computer

Maybe (there are simple but very effective prevention methods against keyloggers etc.), but the main point is: it's not all black and white. There are varying levels of security (and varying levels of "hacker skills"). Passwords encrypted with a master password are at least a couple of levels safer than those displayed in plain text.

-----

euyyn 340 days ago | link

If they're autofilled, which is the very reason to store them, then it doesn't matter how deep you store them. The browser will dig it for you automatically.

-----

greyman 338 days ago | link

But only after the password store was decrypted after providing the master password, or not? And that is good enough for me. If I let someone to use my computer, of course I will close the browser before. So he can use my computer, launch the browser, but will not be able to access my passwords, since he doesn't know the master password.

-----

aboodman 340 days ago | link

If you actually _want_ someone's password and you have access to their account, there are many things you can do, all equally easy.

The more interesting argument here is the "crime of convenience" - where someone didn't want the passwords, but just saw them lying around in plain sight. But that isn't actually the case in Chrome: it's like four clicks. You have to actually be trying to find them.

-----

nazbot 340 days ago | link

The point is that 4 clicks is a LOT more convenient than most people would expect.

Not to mention this doesn't seem to be an oversight by the Chrome team - it seems this is 'as designed'.

-----

aboodman 340 days ago | link

Isn't a more likely crime of convenience that you hand your friend your computer, he types "gmail.com" to login to his mail, but he automatically logs in to your gmail, and then he realizes he can do pretty much anything on your computer as you now (including changing all passwords linked to your gmail account)?

Why are you more concerned about something he has to go digging through settings purposely to find, than something he is almost guaranteed to stumble across?

-----

d0x720 340 days ago | link

Wrong. Who cares if Chrome shows the password? If someone has access to the browser with saved passwords they can easily just go to a site that's been saved and log in and change said password so having Chrome not show the PW would do ABSOLUTELY NOTHING.

-----

heavymark 340 days ago | link

The use case people are talking about such as a jealous partner/spouse, or coworker, or only has access to a computer for about 30 seconds while you're in the bathroom, does not have enough time to search through all of your gmail or accounts, nor would they want to change your password since then clearly you would know. What they would want to do is see your password, and then later on when they're alone they could log in to your account on their own computer and casually browse your accounts without your knowledge. Yes Gmail in tiny letters in the footer says if you're logged in at two locations but once again this is in regards to non technical users like your parents.

-----

captainmuon 340 days ago | link

The threat model hiding the passwords wants to address is not about thieves, criminals, 'bad guys' etc.. Instead it's about protecting your password from jealous boy/girlfriends, friends who want to prank you, curious kids, etc., while you leave the room for a couple of minutes.

In many situations it's cumbersome or not socially acceptable to log out if someone just wants to use your browser for a second, because that implies you mistrust the other person. On the other hand, you wouldn't necessarily give the other person your passwords, of course.

I guess what many people expect is that passwords you save in the browser should be really hard to get out. There should be a function to recover them, because it can really be a life saver, and because it would give a false sense of security otherwise. But this function should be in a separate tool, and it could be really cumbersome to use (only runs in safe mode, is a command line tool, displays a full screen warning in red on black, plays a loud fanfare :-), etc.). It should be the equivalent of taking a bolt cutter to your bicycle lock, when you lost the key.

What people want here is not more security in a strict technical sense. Most people understand that you should log out, and if necessary enable disc encryption and/or physically secure your computer, to be safe against "bad guys". What people want in addition to this is a layer of obscurity, a social speed bump. Something that makes it inconvenient for nosey people to see your passwords, that adds friction and shows them they are doing something wrong.

(Oh, and having a master password (that is forgotten after a few minutes) does offer perfect protection against anybody who doesn't know how to install a keylogger etc.. I guess I and many other people are mainly worried about "foes" that are not so technically adept.)

-----

noivad 340 days ago | link

I take it that you are unaware of the concept of defense in depth, because your argument is essentially: well if they can come in the front door, then they can open the garage & steal my car too easy, so putting a lock on the doors would make people think their car was secure. To enable a person to lock the car door would be silly because once a person has access to your house, they own everything in it. While no security measure is perfect, and with enough motivation & resources anything can be cracked, making things a bit more difficult with master password locking, etc. will stop casual security breaches: I.e. a boyfriend/girlfriend finds out their SO uses Chrome, so he/she steals their SO’s passwords from Chrome in seconds to later use against them after a break up, or to monitor them, etc. This happened (to a friend of mine BTW) and had Chrome had a master password, the SO would never have been able to do it because most people do not have the resources available to do it, and those people are the most irresponsible with having access. This thought that by making something less secure, you are in fact helping the user from having a false belief—that they are secure—is an ignorant decision at best because nothing is secure, but things can be more secure. & from what I have learned, balancing convenience & security usually falls somewhere between. A 5 second to breach security policy (Chrome) is nowhere near (the standard) 5 seconds to unlock by typing in a master pass with a default 10 minute idle lock.

Basically, you are fighting ignorance with even greater ignorant decisions.

-----

ginobean 340 days ago | link

I'm a professional programmer with more than 20 years of experience and I think noivad makes an excellent point here. If you apply Justin Schuh's argument to door locks, the conclusion would be that door locks are insecure so don't even bother having them in the first place. How are they insecure ? Take an axe and break the door down. That should probably bypass almost any kind of residential door. Alternatively, break a window.

The reason to have a master password to protect Chrome passwords, for most people and in 99.9% of cases, is not that we fear we'll get hacked by some random jerk. It's to prevent a casual acquaintance from discovering our passwords easily.

At this point, I think what may have happened is that, at some point, the Google Chrome Security made a decision based on logic that had numerous merits, but doesn't work too well in practice. Now that they've committed themselves over and over by defending this practice, they're so vested in this decision, that they'll defend it, even to their professional demise.

Again, I think their original decision not to have a master password was a smart decision, but not a wise one. As an analogy to door locks again, the smart decision is not to have door locks because they're very insecure (think breaking down a door or window with an axe).

It sounds like this Google Chrome security policy will most likely not change until some significant leadership changes are made over there..

-----

nomel 340 days ago | link

> It sounds like this Google Chrome security policy will most likely not change until some significant leadership changes are made over there..

If someone starts their first sentence with name calling, you know they're not mature enough to have a real discussion.

-----

mstroeck 341 days ago | link

You might have noticed (from her screenshots) that she is using Mac OS X.

Simply gaining physical access to the machine should ABSOLUTELY NOT enable an attacker to extract practically all web passwords in something like 15 seconds, without any special tools.

Are you completely ignorant of how the OS X Keychain works and should be implemented application-side, or are you just willfully ignoring it?

-----

dash2481 340 days ago | link

Whoa, whoa, whoa. Let's all take a step back and try to see the forest for the trees. I read Mr. Kember's article (as well as numerous others linking to it around the web today) and what I read made me concerned enough to delete all of my passwords from Chrome until I understand a little more about the issue.

justinschuh seems to have a deep technical understanding of programming and program security so I will defer to his greater understanding and make sure that I secure access to my computer when I am not physically present.

With all of that, my concern is that justinschuh seems to believe that anyone who has physical access to my computer and wants to do something malicious will have a deep understanding of programming, and that is silly. What about my druggie cousin who comes to my birthday party. He has no programming skills, but if he knew one simple URL he now has passwords to my bank account, my Amazon account and a ton of other accounts that he can use to transfer money or otherwise feed his habit at my expense. Or how about my ex-wife who gains access to my laptop because my daughter needed it for a school project. Now my ex, who has zero programming knowledge, nor does she understand what "threat model" even means, has passwords to all of my accounts including Facebook and Twitter that she can use to seriously harm my social/professional life.

So, you see, I get that you understand the programmatic "threat model," my problem is that you seem to be too smart to see that not all threats come from tech savvy "hackers." Some threats just come from opportunistic malfeasors, and I don't need to add any new opportunities to the seemingly unending list of ways people can screw up my life.

-----

nazbot 340 days ago | link

This is exactly my feeling too. Justin seems too smart by half.

His attitude is very much like an ivory tower academic who is befuddled that people don't follow best practices.

I also get the feeling he's not used to having to admit he's wrong. I guess you don't make it to 'head of security' at Google by having a little humility but his responses are really not very encouraging.

-----

riprova 339 days ago | link

Maybe he wanted to say that malevolent people always have enough skills to steal your password, even if you have a master password like Firefox.

-----

the_hangman 340 days ago | link

You should probably direct your anger to the author of the article for exposing this to people like your druggie cousin who comes over for your birthday party if that's your main concern.

As long as your password keychain is unsecured, EVERY browser does this -- it's just a matter of knowing where the passwords are stored in the browser as plaintext. If you don't want people to access your accounts, then secure them. You can't have your cake and eat it too. Either your passwords are conveniently stored in plaintext so you can login easier, or you take actions to secure your account and add a step to the login process.

-----

nazbot 340 days ago | link

This is really, really narrow-minded.

You're thinking of security in the sense of some hacker or someone who has technical abilities.

What about the jealous ex-bf? He asked to use the gf's computer when they were dating, easily grabbed ALL of her password info and now she has to change everything when they break up. You're giving complete technophiles the ability to nab passwords. The question is WHY - what utility is there to make these show up in plain text over just prompting for a master password? What's the use case that you NEED to make these visible so easily?

It's also a terrible, terrible excuse to say 'well, there are other ways to get that info so our security flaw isn't an issue since it's already trivial'.

The fact of the matter is that you should at the very least require the master password to make these other passwords visible. There should be SOME authentication being done here.

What would this conversation be like if we were talking about gmail.com? You think it'd be OK to show in plain text a person's gmail password in the Settings page? I mean, if you logged in then of course you are the only person who should be looking at it.

-----

sstarr 341 days ago | link

I don't think that saying if someone has access to your computer then you're screwed anyway is really an excuse.

You talk about lulling users into a false sense of security but do you have any idea how many Chrome users assume that their saved passwords can't just be viewed in plain text with a couple of clicks? I had no idea until I read Elliott's article and I immediately turned the feature off and deleted all my saved passwords.

-----

markjs 341 days ago | link

If a technical person with a bit of knowledge and a few minutes has access to your computer then yes, you're a bit screwed.

If the broadband engineer comes round to investigate your connectivity issues and you (sensibly) watch over their shoulder while they fiddle with your browser settings, looking away for 10 seconds shouldn't result in them having ALL your passwords.

It's about ease & simplicity of breaching the "security" for non-technical people as well as techies.

-----

spidy 340 days ago | link

Let us use Google's web approach to various services to better explain this. When I login to my gmail, and open up google docs, or youtube on a different tab, I am logged in by default. However, when I go to edit my Google Account Settings, I am again prompted for a password, right?

If what you said about studying threat models and securing your computers and users accounts before handing over the system to friends or family is true and valid, why am I being asked a password to edit my Google Account settings. By extension of your claim, I should never have been handing over my system with a logged in user to anybody else. And definitely, the other claim that providing an extra layer of security is a false pretense must be valid in that Google is just providing us a false pretense of security when we want to edit our Google Account Settings which it does not require when we try to edit settings of the individual services?

Why is this distinction between Google's web services and your browser security?

-----

jmcentire 341 days ago | link

Forgive me for not looking at Chrome's source code on this, but I'm going to go ahead and assume that Chrome doesn't encrypt the passwords on the disk. You can easily do better than this while maintaining all of your current functionality.

On my system, I have installed scrypt and use it as a password management tool. When I need a password, I simply run a shell script I created, type my master password, and the password I'm searching for is placed in my clipboard.

Sure, I could write an extension to do this and I really should be concerned with the security of the clipboard implementation... but, those are fairly trivial (I do flush my clipboard buffer when I'm done).

This would be a simple solution for Chrome, actually. You already have all of the works for managing passwords implemented. All you need to do is add in the decryption process and simply not log the master password.

In this way, even the root user wouldn't have access to a user's passwords (as is currently the case with Chrome).

-----

Elusive 341 days ago | link

Apparently, Chrome does encrypt passwords, using the Windows cryptography APIs: http://raidersec.blogspot.in/2013/06/how-browsers-store-your...

It's not secure against any attacks running under the user, though.

-----

arpruss 340 days ago | link

I would worry that after the copy and paste into the browser, copies of the password are found decrypted all over the place in RAM, and then if you don't have whole disc encryption it may creep in plain-text into swap.

-----

amdavies 341 days ago | link

justin: other applications offer an added layer of security through a master password, which chrome does not, are you saying that this has 0 effect on the level of security surrounding the stored passwords?

Or are you saying chrome(ium?) uses the same technique but hidden to the user?

-----

cawoodfield 341 days ago | link

Not just other applications - MacOS's own Keychain application requires the user to re-enter their login password in order to see passwords that were saved in their user keychain. This is to ensure that while you might be able to make use of those passwords if you have physical access, you won't be able to easily copy them off somewhere else.

Please Justin, explain the real reason that Chrome does this, or admit that it's a bug and get it fixed. The reasons you mention are just stupid.

-----

avidpreatorain 341 days ago | link

There is a simple fix for this and Firefox uses it. Simply, allow users to create a master password to view stored passwords. They don't need to be asked to enter it every time they log into sites so the ease of use remains. But, if a stranger gets a hold of their machine, they will be one giant step farther from retrieving their passcodes.

PS. This was always an issue with Chrome, and it is why I don't use Chrome on my mobile machine. Safari has a similar problem. So I recommend 1Password for mobile computing if those are your browsers of choice.

-----

SonicHedgehog 341 days ago | link

May I ask what similar problem Safari has?

As far as I know, Safari uses OS X’s keychain which means you practically have a master password (very likely your user account password, although you could use a different keychain). If I try to retrieve a password (either through Keychain Access or Safari’s Preferences) I get asked for my “master password”.

-----

peth19 341 days ago | link

How does palming the problem off onto the OS help? At least the OS provides the choice to lock/leave open.

Smacks of laziness, especially in a world where it often takes very little to deter people.

-----

LauRoman 340 days ago | link

That's not a good idea, delegating, and when the OS gets compromised, the browser is to blame.

-----

DFloro 340 days ago | link

>> it's all just theater and won't actually stop anyone willing to invest minimal effort. <<

So are all the policies and procedures of the TSA, if not the entire agency itself, but nobody is suggesting that making it a tiny bit harder to get weapons onto planes isn't a worthwhile goal. We argue over implementation details.

I read in a Tom Peters book years ago that if a flyer sees a coffee-stained tray table, they assume the airline doesn't maintain its aircraft. That's an utterly irrational conclusion -- and a typically human one. The solution is trivial: clean the tray tables! So back to software.

Make it a tiny bit harder for ANY user to view the plain-text versions of the passwords stored in a web browser.

-----

dragonwriter 340 days ago | link

>> it's all just theater and won't actually stop anyone willing to invest minimal effort.

> So are all the policies and procedures of the TSA, if not the entire agency itself, but nobody is suggesting that making it a tiny bit harder to get weapons onto planes isn't a worthwhile goal.

A very large number of people have been, in fact, suggesting since day one of the TSA that the restrictions imposed on travel in the name of advancing security theater are not worth the costs that come with them, in some cases in some states (particularly Texas, but I think other states had started the process) going so far as moving to criminalize some of the TSA actions, until the TSA escalated by threatening to retaliate against Texas (who was the State where this had progressed farthest in the legislature) by shutting down all commercial air travel in/to/from the State if the bill was passed.

So, the basic premise of the analogy you are trying to use here is rather critically flawed.

-----

brentsota 341 days ago | link

A solid argument if the average Chrome user is a regular HN reader.

-----

JohnHaugeland 340 days ago | link

> It matters that you don't seem to understand the threat model here.

Respectfully, a fairly common real world circumstance under which this is exactly the wrong choice was described, then ignored.

In response we got "you don't get it, we're staying where we are."

Is it possible that the reason people think you're doing the wrong thing is that you have made literally no attempt whatsoever to explain why you're flying against the best practices everyone else uses?

Saying "we have data" doesn't count, because we didn't see it, and everyone says that while justifying obviously incorrect stuff. I've had people mail my password back to me plaintext then insist that because they're (random important sounding thing) I should just trust their judgment.

And yes, this includes directors of security at first class software organizations with backgrounds in research security and the CIA.

Even if it turned out that you were correct, your current standoffish non-explanation is directly and severely undermining our trust in you. Do you just not care?

Sometimes you're a lot better off explaining than saying "you're too naive to understand."

.

> I've enumerated this multiple times now

Where?

.

> so I'm not sure how else to explain it

You give the very strong impression that you believe that saying "you're an amateur and we have data" is a kind of an explanation.

.

> The simple fact is that you need to lock your user account

"The simple fact is that you need to secure your server, and if you don't do that it doesn't matter that you salt and hash your passwords, and if you do do that then you don't need to salt and hash your passwords."

Yes, that's cute, LinkedIn. Back here in the real world, multiple layers of redundant, superficially weak, superficially unnecessary security have actual productive results.

.

> nothing else really matters because it's all just theater

The only theater I see here is "I've enumerated this and I don't know how else to explain it."

Unless you're talking about some other site, you haven't explained it at all, and what you're really saying is "I don't know how to explain it."

Maybe hire a communications person. You're making what appear to be by all basic security books and protocols dire security errors, then saying "I have data to support this decision and you're too dumb to understand what's going on."

Really?

Try us, sir. Closing the door in our faces is not a form of doing a good job here. If you're going to take liberties with our data, please be willing to give at least one good faith attempt to explain yourself. It's not a lot to ask.

.

> won't actually stop anyone willing to invest minimal effort.

I think you've confused wanting to stop blackhats with wanting to stop real world situations.

An angry significant other can pull this off. You're not just opening the door; you're opening it ridiculously wide, to the point that the average non-technical user can figure out how to penetrate your "security."

And then you're justifying it in terms of not wanting, through an unknown mechanism, to justify bad behavior, by leaving a vulnerability few technical people know about in place.

I just don't know how to respond to this.

Please share the data you keep talking about. The reason you don't know how to explain this better is that you haven't even begun to try.

Saying "I'm right and you're an outsider" isn't an explanation. It's a dodge.

-----

RonEvil 341 days ago | link

You're assuming your users will go to that place, see their passwords are showing and say to themselves, 'ok, this stuff isn't secure, I better be careful'. But that doesn't happen. People don't generally go there. They don't know about it. But someone else, using their computer, might know about it, or might stumble upon it. If you stop this happening, people aren't going to be lulled into a false sense of security, as you suggest. They aren't even going to know it happened. But their passwords will be more secure against casual discovery.

-----

bryanbroussard9 340 days ago | link

Give a knowledgeable person physical access to a computer, and all of the clear text views in the browser do not matter. Just crack the user's password and you have access to any stored passwords. The password paradigm is not perfect. There is no perfect solution. Personally I like being able to check passwords easily, while being intelligent enough to put barriers in the path of the 'general snooper.'

-----

nomel 340 days ago | link

> Give a knowledgeable person physical access to a computer

Or in this case, give anyone physical access to your computer, and they have all of your passwords.

Security through obscurity is not security, but it still has practical uses. You could say that hiding the passwords behind the few clicks it takes is not real security, but it's still more useful than having the passwords displayed plaintext on a sidebar at all times.

-----

papacity 340 days ago | link

You sound like an angry OS X / iOS developer trying to make a name for himself. This is old news, and I find it odd how you've decided to focus all of the attention on Chrome even though other browsers operate in a similar way. And frankly, if you’re dumb enough to let someone use your computer, after you've knowingly saved your passwords on it, you deserved to get hacked. Operating system profiles should be common knowledge by now.

-----

bashinator 341 days ago | link

If you don't want to lull your users into a false sense of security, then why doesn't the "save password?" dialog have a disclaimer reading, "All saved passwords can be viewed at chrome://settings/passwords". This simple notification would go a long way towards raising the level of awareness you seem to assume the average person already has.

-----

euyyn 340 days ago | link

Then they might choose to use IE instead, which doesn't show that disclaimer yet is no different. The teaching that needs to be done is that letting a bad guy access your computer unlocked is game over.

-----

Jayku1 340 days ago | link

Are you on XP with IE6 or something? IE uses the Windows credential store nowadays, which requires you to reenter your logon password before it will expose your password....

-----

nphsmith 340 days ago | link

So, the Google response is - "a) You're stupid and don't understand. b) If a techie had access to your PC for half an hour he can get your passwords anyway, so letting an amateur get it in 5 seconds is OK, c) We're Google. We don't do evil. And you're stupid."

-----

randomstep 341 days ago | link

So why store passwords then? Doesn't that also lull users into a false sense of security?

It seems to me you won't make token efforts to protect a user's password because that protection would be an illusion. So you would rather tell them the truth, so to speak, by letting them discover that their passwords are all easily visible by anyone who sits down at their machine. But if that's really the best you can do (I'm accepting this claim for the sake of argument), why store the passwords at all? Just by offering to store the passwords you are lying to the user, and lulling them into dangerous behavior.

Do you have data that users expect the passwords to be shown, or that storing them and making them so easy to see has any positive effect on users' password hygiene or security behavior? As for me, I know never to ever allow Chrome to store any password. Has that made me more secure? And is that representative at all of the standard user? I highly doubt it, but don't have any evidence either way.

-----

tewha 341 days ago | link

Elliot's right: Chrome's way of storing and presenting passwords is unacceptable and less than fully sane.

-----

thekevan 341 days ago | link

The fact that you tell him he is wrong and never really explain the "why" makes me not believe you. What little explanation you do give is the abstinence argument. It sounds great but it is not what people are doing.

Also, I think someone like a thief, jealous spouse, unscrupulous roommate or coworker or the like is much more likely to try and get someone's password to do evil with. The way Chrome is now, all a person needs is 4 or 5 minutes alone with the computer to get the user's passwords.

-----

zestyping 340 days ago | link

Seeing the data would be pretty convincing. Could you please share the data that leads you to believe that:

- Showing passwords in this fashion is consistent with most users' expectations about how their passwords can be accessed.

- Requiring authentication before showing passwords has the effect of encouraging people to leave their computers unlocked in a potentially hostile environment.

-----

Jayku1 340 days ago | link

I think the data in question is more likely to be feature usage statistics of the sort that show that when a browser does have a master password option, something less than 2% of users set it, and half of those unset it after they realize they're going to be prompted for it over and over and over all day.

-----

simeyla 340 days ago | link

I realized this several years ago and was pretty dumbfounded, and quite surprised I've never read about this until now. Can you explain how the Chrome passphrase works in more detail and why it isn't used in this situation? If I sync my Google account to another computer I need to enter a passphrase to sync passwords. Why isn't this asked for when clicking 'Show'? It seems like a perfect additional place. Even if it's still 'trivial' to recover passwords you're still going to 'fool' a significant amount of people that it is secure and with Chrome's userbase that is a significant amount of people saved from themselves. And if you're still stubborn and arrogant enough to still make an argument against this then why not just put a damn 'Print my passwords' button on the main toolbar?

-----

hokkos 340 days ago | link

Exactly what I was thinking, why don't they use it?

-----

hobbes300 340 days ago | link

Your logic doesn't follow. According to your rules we shouldn't have doors on houses as all they do is provide a false sense of security.

Don't forget, all security, regardless of how good it is, is just a delay mechanism. It's perfectly valid to delay the easy attacks as well as the hard ones.

-----

JohnHaugeland 340 days ago | link

(Edit: said "yahoo to reissue passwords" instead of "email addresses" initially, because I'm a derp.)

-----

"I appreciate how this appears to a novice"

Respectfully, I don't think this is a valid answer. This is the same sort of "I know better than you because I'm in the industry" thing that has led Yahoo! to believe that it's okay to re-issue email addresses: "we've done a study that we won't show you, we decline to address your criticisms, and we're right. We wanted to talk to you in public to create the illusion of interactivity and contact, but in reality we're ignoring your statements, refusing to explain ourselves, and declining to adjust."

LinkedIn said literally exactly the same thing about their password strategy right before their plaintext password database got owned.

It turns out that working at Google and saying nuh-uh isn't actually a valid form of explaining the security choices you're making in a way that almost nobody else is aware of. Having worked at IBM Security and the CIA doesn't change that. Whereas you may call the people pointing out the obvious problems in your approach amateurs, your ability to actually interpret what they say seems to be very, very limited.

I would note that your own past employers agree. What you're doing is a violation of FIPS 140-3, which your former employers helped the NIST craft.

No other browser does this. There's a good reason that everyone else does something different.

.

"[we] have quite a bit of data to inform our position"

You have quite a bit of data to support that it is not a critical security defect to allow people to pull passwords out of a little known browser dialog?

I find this unlikely, on grounds that I can't even imagine what sort of data would be used to support this.

Am I correct in suspecting that you will absolutely refuse to explain this claim, yet still expect it to be taken seriously?

.

"what you're proposing is that that we make users less safe than they are today by providing them a false sense of security"

No, eliminating a hidden attack vector does not create a false sense of security: nobody will know. In the meantime, an extant vulnerability will go away. This is the exact opposite of correct, and honestly fairly transparently so.

.

"And while you're certainly well intentioned, what you're proposing is that that we make users less safe"

And while you're certainly well intentioned to suggest that a car should have seatbelts, what you're proposing is that we make users less safe by encouraging them to drive over fifteen miles an hour.

The disconnect between your theory of how people use browsers and how people actually use browsers, as the head of security, making choices like these, is genuinely alarming.

But you have data. Which, conveniently, nobody can see, or point out your misunderstandings within.

Because that's how science works, or something, probably.

.

"encouraging dangerous behavior."

Taking away a little known mechanism for people to extract saved passwords from the browser does not in any way encourage dangerous behavior.

.

"That's just not how we approach security on Chrome."

It appears that how you do approach security on Chrome is with transparently false anecdotal claims backed up by no measurements, unprovided claims of difficult to guess about data, and no willingness to look at other peoples' points of view.

In the whole of human security history, this has never gone well.

Unfortunately, you have the provenance, and in unwieldy large security organizations, that's often quite a bit more highly valued than actually hearing what other people say.

It is absolutely fascinating that Google's browser's head of security thinks it's a good idea, backed by mystery data, to be able to pull saved passwords out.

Out of curiosity, do you honestly expect to be taken seriously when you fly in the face of every best practice, based on data you won't provide, while just calling other people amateurs?

You realize how this sounds, right? Like denial?

Good lord. "We make your passwords recoverable from a dialog you don't know about because if we didn't you'd be encouraged into unsafe behavior."

What unsafe behavior is that? Saving passwords?

Seriously, you're intentionally leaving it weak so that nobody will use it for important things, but then not actually making them aware of that?

Just take it out, then.

Mind-boggling.

Truly, these are the situations over which we abuse the phrase "stockholming."

-----

dmaclay 340 days ago | link

This prevents Chrome from ever being my primary browser.

-----

papacity 340 days ago | link

Too bad every other browser works the same way...

-----

tewha 340 days ago | link

They don't.

-----

papacity 340 days ago | link

Yeah they do. In Firefox go to preferences, security, and saved passwords. I don't know about Safari or Internet Explorer because they're shit and I don't use them.

-----

kumarharsh 339 days ago | link

Well, Firefox does also offer a "Master Password" if you haven't noticed.

-----

matthewww 340 days ago | link

Sometimes you get glimpses into the inner sanctums of Google that make it seem like it's a culture of robots.

Their first responses to outrage over the Google Maps cars they'd sent out to hoover people's wi-fi information were similarly obtuse about the mysterious ways of the non-machines: It's all information that was freely available to anyone who happened to have a fleet of packet-sniffing vehicles anyway, so what's the big deal?

With Google Glass they seem clueless on both sides of the equation: Never mind the role that facial symmetry plays in beauty or the billion-dollars industries that have sprung up to relieve people of their despised eyeglasses, more data is always better, affirmative? And why would even silly water-machines mind being always photographed everywhere? In many senses they already are! Jeepers can extermination day not come quickly enough.

And now this, here. Yes a given all-knowing cyborg entity could steal a "novice's" passwords with or without Chrome's help. But the easier you make it, the more it will happen. Meanwhile Google doesn't help its case with the clearly deceptive wording within the menus that make this possible. But mainly, our being from Google here seems genuinely baffled as to why this skeeves humans out so much. It just. Does. Not. Compute!

It is their seeming contempt for their customers coupled with a bizarre tin-eared bafflement about aspects of human nature the rest of the world seemingly grasps intuitively that often make for... well, entertainment at any rate; this story is presently top-of-fold on Techmeme. But it also is a window into a massive blind spot that could hobble the company.

-----

eclipxe 340 days ago | link

You're reading way too much into this. But I kinda like it, so proceed.

-----

filipmares 341 days ago | link

I think Justin's arguments are fair.

The reality is that you're using the browser under a certain user profile. If you want to really separate your data from other users using your computer I would suggest incognito sessions or creating different user profiles. If you share your user profile (active user) you expose all this data (bookmarks, extensions, passwords).

Seems logical to me

https://www.dropbox.com/s/kgrrtil2s7hi43j/Screenshot%202013-...

-----

lvs 339 days ago | link

Average people do not have the time, knowledge, or interest to do what you and Justin propose. Chrome is exposing what is arguably the very (very!) large majority of users who will never have the wherewithal to individually concoct an infosec strategy for their machines.

-----

mikelabatt 340 days ago | link

Agreed. Normal non-technical people let friends have a look at their computer, and it is often a surprise for both that passwords can so easily be seen. Theory is one thing, but there is IMHO also a practical "don't make it too easy" factor that should be considered. As the saying goes, sometimes "opportunity makes a thief".

-----

nomel 340 days ago | link

According to his logic, something like a post-it note stuck to my monitor, containing all my passwords, is just as easy to read as Google Chrome's password file, so there's no benefit in trying to hide the post-it note.

-----

neilk 341 days ago | link

If I have access to your browser, I can get your credentials for Amazon by just going to Amazon.com. Either you already have a session open, and then I can do what I want (including changing your password), or the browser (or your password manager) is going to fill in the password automatically, and with a trivial knowledge of how the browser works I can copy the password.

I use LastPass, and it is possible to set it so that a master password is required before any password is automatically entered, but in practice no ordinary user can suffer the loss of usability there.

Passwords are not actually the thing we are trying to protect. We're trying to protect against a user being able to use your credentials. If they have access to your browser, they have that already.

Maybe requiring you to re-enter your login session password, as a pseudo master password, would slow down a really naive attacker. But it will probably also annoy people who just need to get their passwords for some other reason. I would like to hear more from the Chrome team here on their reasoning but I would not be surprised if a 'master' password just leads to more users storing passwords on post-it notes.

-----

manicdee 340 days ago | link

My house has a front door which can be locked. I often leave it unlocked when I am out in the yard (and thus need access through the door on a minute-by-minute basis) or when I have guests over.

Inside my house I have safes, medicine cabinets and a gun rack. Those things are locked all the time, and I only unlock the cabinet when I need to use the items inside the secure container.

So, too, I have a user account login. Sometimes I will hand my computer to a friend (or they sit at the computer, same thing) so they can do stuff. At no point does my friend's physical access to the computer imply that they need access to my bank account details. So those credentials are locked up in 1password to prevent casual theft.

Keychain Access and 1password both require a master password to unlock the ability to see stored passwords.

The argument about "having physical access negates security" is missing the point: there are different forms of physical access. I won't let visitors plug in random USB, FireWire or Thunderbolt devices for example. They have use of the machine, they have physical access. But if any of them made moves to dunk my computer in liquid nitrogen before removing the RAM, I would shoot them.

If the computer is locked, my password safe is locked. If someone steals the computer (or an NSA agent invades my house to freeze and steal the RAM), the key material is encrypted and thus still not accessible to casual inspection.

The attitude of "the NSA can break the encryption so it is not even worth hiding things from the visitor casually using your computer" is defeatist.

Rethink your assumptions. What are you protecting against? Do I need to switch to a guest account to prevent casual guests from seeing my credentials? How does that aid convenience?

-----

kumarharsh 339 days ago | link

Thanks for the precise and lucid argument.

I'm so angry right now that I can't even string together my sentences properly :)

-----

eirikir 340 days ago | link

Yes, thank you for explaining this so clearly. Of course I wouldn't knowingly give physical access of my computer to a malicious hacker, but if my friend asks to use it for 60 seconds while I take care of something else, I'd like to be able to do that without logging out and back in as a guest user. Convenience does matter in these kinds of situations, and deleting these "Show" buttons will make it more difficult for the untrained user to pull a prank or worse.

-----

elliottkember 340 days ago | link

If I see your password, I can write it down and use it later without you even knowing I was there. That's why we never send passwords in emails.

> Maybe requiring you to re-enter your login session password, as a pseudo master password, would slow down a really naive attacker.

That's exactly what I'm trying to achieve. It's a real concern for many people. Please show this to a non-technical person and see what they say.

-----

sepinkham 340 days ago | link

Did you test your assertion?

Go to amazon right now and try to change your password without having to enter your password first.

-----

neilk 340 days ago | link

My browser fills in that password for me. My guess is that would be the same for most people.

-----

mbessey 340 days ago | link

Your browser fills in the "current password" when you try to change your password on amazon.com? How'd you manage that? I have my password saved for amazon, and I don't have to type it to log in, but it doesn't get filled in automatically on the "change password" form (because that'd be stupid).

-----

sequoia 341 days ago | link

fwiw Pidgin takes this same approach for the same reasons. https://developer.pidgin.im/wiki/PlainTextPasswords

"locking" the passwords would require intermittent master-pass entry like `sudo`, this would come off as an inconvenience to many users.

I think people here miss the fact that many users, even if they say they want more security, are unwilling to give up convenience and will switch platforms (i.e. browsers) if that's what it takes to get a smoother experience. In many ways (in this particular instance) security vs. convenience is more or less 0 sum- chrome team has decided users would prefer more convenience which means less security. Chrome team is giving users what they want: ease of use.

-----

SonicHedgehog 341 days ago | link

However, Pidgin “would encourage integration with keyrings” [0]. At least on OS X Chrome uses the integrated keychain and as Elusive mentioned [1] it apparently does encrypt passwords on Windows too.

So, I think Pidgin’s situation is a bit different and if they would have keychain integration they may solve this differently than Chrome does right now.

[0]: https://developer.pidgin.im/wiki/PlainTextPasswords#Isthatth...

[1]: https://news.ycombinator.com/item?id=6168039

-----

interpol_p 340 days ago | link

On OS X Chrome pulls the passwords out of the keychain and then makes them completely accessible in plaintext through the settings/passwords page. I have no idea why it does this.

-----

LauRoman 340 days ago | link

How open of a platform is that keychain, and can Apple reserve the right to lock any application out?

-----

interpol_p 340 days ago | link

Keychain is accessible through standard system API calls.

Apple does not require any sort of approval or valid developer certificate to use the Keychain. Any app that attempts to access the Keychain will trigger a system-level notification to the user informing them of what the app wants to access, and allowing the user to "Allow", "Deny" or "Always Allow" the request.

-----

asveikau 339 days ago | link

I was floored that they let such an ignorant comment into the first paragraph:

> This is somewhat controversial in Windows, due to its weak file protections, but that's the way things are.

I read this as: we haven't bothered to look into the APIs for this... The Windows file permission model is a lot more granular than the "uid/gid/other" that most people are familiar with from Unix. Maybe this is a problem if you install to FAT32, which Windows disallowed since 2006.

Edit:

Apparently the text used to be:

> This is somewhat controversial in Windows, especially Windows 98 due to its weak file protections, but that's the way things are.

A user MarkDoliner then wrote:

> We no longer support Windows 98, so don't mention it.

But somehow in his editing neglected to make it a true statement.

-----
