
I understand that a master password would just lead the user into a false sense of security. However, I feel that it should be made as hard as possible to find the user's password.

A good safe is judged by the time required to break it. There is no safe that is unbreakable; you just need to put in enough time, effort and noise to open it. The same thing could be applied here. Installing software, dumping the cookies and so on requires time. Right now with this security a person could get my password in a couple of clicks with almost no technical knowledge. I'm not talking about a clever hacker, but rather a random person in a cafe with wifi asking someone if she could check her emails and stealing the password while staying in Chrome. Again, it's not about making it impossible to retrieve, it's about making it a bit harder than just clicking the "show me the password" button.

Of course I would never give physical access to my machine to anyone I don't trust. I always lock my computer when leaving it unattended... but I really doubt that anyone acts like that. It's a pretty geeky thing to do and the mainstream crowd isn't as worried by security.

Let's say the master password solution isn't good because of the feeling of security it brings. Instead why not never show the password? Just say to the users it's stored on your system, but don't show it in plain text in Chrome.

My point here is that there is little to no value (unless I'm missing something) to display the password in plain text, but there are some drawbacks (easy to see for semi-technical people). So why have this feature in the first place?

"My point here is that there is little to no value" Personally speaking I've had plenty of occasions where I've logged into a site and saved the password then later Chrome doesn't recognise where to put the credentials on another page on the site (e.g. a header login vs a separate login page) - In those cases I'd rather just look to see what the password is and re-enter it than go through a password reset process.

Someone who can access your computer, unlocked, can log in to your Facebook account (the password is saved), change the password, verify the email, re-save the new password, and it's just as easily "game over". You would never know what happened. Justin is absolutely right. His group is doing users a service by making these things more transparent. Folks who make exceptions based on this "security through obscurity" model should not be security tech leads.

Surely you see the difference between someone copying all of your passwords without your knowledge, and someone resetting your password for a single website that you would immediately notice when you check your email? They are two completely different types of attacks.

Changing the password is a fair point that I hadn't considered.

I think that most people on here haven't considered this. In fact, I arrived at your comment by searching the page for "reset". The majority of folks seem too focused on trying to outclass Justin and/or getting in the last word. They're not thinking. Just for fun, I went to see how many licks it actually does take to get to the center of a tootsie roll pop i.e., clicks to reveal a password using the passwords dialog box in Chrome? There are about 27 keyboard button presses for the URL, then a mouse click for the Show button. Fair enough. Too bad I can get to the password reset field in Facebook in 3 mouse clicks, using my bookmarks bar. I'm pretty sure that I won't need 25 more clicks for the verification email. So if we're all just gauging security by how difficult you can make getting at a password, then I beat Justin. And my "exploit" is platform independent.

I'm not trying to outclass anyone, I'm simply not sure that this is the right solution and so far I'm fully convinced by what he said. I'm sure he's way smarter than I and I'm probably missing something. Take everything I say as it is: a comment on the internet.

This being said, security through obscurity is never an optimal solution, but again going back to my "safe" analogy (not unbreakable, just hard to break). If a hacker wants to change the password, it takes a few clicks to locate a site where the user could be logged in. Then the clicks required to get a new password. Add the delay of email reception and so on... It takes more time and effort to do that than just click "show me all the passwords" and take a photo with a smartphone. Plus doing so will give you 1 password only.

About the keyboard presses count, let's say I use both mouse and keyboard.

ctrl+, (shortcut to settings), click Advanced, click Manage, click Show

It's 4 operations. In my opinion, it's way shorter to do that and get ALL the passwords of a given user than try to change the Facebook password. Again, and I'm really stressing this out, it's not about making an unbreakable system. It's just making it a bit harder to break.

Don't most sites require that you enter your old password before you can change it?

Indeed, I guess this is a +1 against storing passwords plaintext (well, obtainable in any case) - as a person could change your password and take over the account completely

Not if you use the "reset" option. Which... you have their email account. So...

Heh. I wasn't even thinking about the "Forgot your password" feature. Better still.

I tend to have ways to remember passwords, so I never need this, but ok your use case makes sense. Thanks for sharing!
