The passwords are stored in an easily obtainable format.
So, why not change THAT and store them encrypted with a master key?
If you are leaving your laptop around untrusted people, you're going to have problems.
True. But why make it even easier for someone unauthorized to retrieve your passwords?
Why is it only the browser developers who come up with that argument? I've never read such a statement from any other team. And why don't other software systems do it that way if it is so insecure and "false-security" to encrypt user passwords in a local db? Couldn't even an OS use that argument and say "hey, you got physical access to the system, here are all the passwords in plain text, have fun!".
>So, why not change THAT and store them encrypted with a master key?
They are; it's called your user account password.
If you mean an extra password, the answer is that most people don't want to type in a password when they open their browser. And even if they did, then the argument would be "well they leave their browsers open, so it should ask for a password every time", which defeats the whole purpose of password saving.
If you mean an extra password, the answer is that most people don't want to type in a password when they open their browser. Think it through and try to see the issue.
I don't see your "issue", as using a master password does not "defeat the whole purpose of password saving" at all. Many people have different login credentials for different websites (not only passwords, also login name or email) which are hard to remember which one you used where. Having access to them with a single master password is convenience.
I like the way this is handled in Opera, where your passwords can never be accessed/viewed in plain text at any time. Once your login data are stored, you can simply use them via CTRL+ENTER on the login form and the data is pasted into it. If you want to you can use a master password to restrict access to that data. And you can even set a time after which the browser will forget that password and then ask for it again after e.g. 15 minutes.
I sit down at your computer and Opera is open. I go to facebook.com, click on the password field, press ctrl+enter. I then use the dom editor to change the field to text. Will I see the password?
You will not, because that domain is blocked in every OSI layer possible in my local setup. ;)
But seriously: Yes, of course you would. They have to be pasted in clear text. There is no other way to do this.
But that's not the point. The point is that you do not get to use CTRL+ENTER in the first place! Unless, of course, you type in the master password, which Opera will forget after x minutes (zero if you want it to be forgotten instantly). So you have a window of x minutes after I've used the password manager for the last time to do your "DOM hack".
You drew an analogy with having root and being able to edit the sudoers file, but note that in that case the attacker is not able to see any passwords, only change them. I think it provides a useful level of security if the browser would encrypt stored passwords with a master key, using an OS-provided keychain. As with Safari, it could then ask for the master password before showing any passwords, while remembering the same password for normal logins for convenience. This is under the assumption that revealing your password is worse than somebody being able to use your accounts.
Please explain the exact algorithm that the browser stores encrypted passwords and needs a master password before showing, but can "remember for convenience".
Or do you mean that it'll prompt people for a master password for uncommonly used sites? Because that's just going to lead to people forgetting the master password and having to do a password reset.
My suggestion would be to use the OS keychain facilities, so the master password would be the same as the one used to log in. The master password is only needed once to decrypt the passwords, but I'm suggesting that for the 'show passwords' functionality the browser should insist on asking the password again. The advantage is that on disk, passwords are not stored in plaintext, and the browser doesn't reveal passwords trivially. A determined attacker could still extract the encryption key from a memory dump, but that's on a completely different level from a "show passwords" button.
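The scheme discussed in the comments above (a key derived from a master password, forgotten after a set time, with "show passwords" always asking again), sketched as an added example that is not part of the thread or any browser's code. `Vault` and its method names are hypothetical, the master password stands in for the OS login, and the HMAC keystream is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, os, time

# Added illustration: Vault and its methods are hypothetical, not a browser API.
def _keystream_xor(key, nonce, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode, so only the stdlib is needed.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class Vault:
    def __init__(self, master, forget_after=900, clock=time.monotonic):
        self.salt, self.forget_after, self.clock = os.urandom(16), forget_after, clock
        self.verifier = self._tag(self._derive(master), b"verifier")
        self.disk = {}          # site -> (nonce, ciphertext, tag); no plaintext at rest
        self._key, self._unlocked_at = None, 0.0
    def _derive(self, master):  # 64 bytes: first half encrypts, second half MACs
        return hashlib.pbkdf2_hmac("sha256", master.encode(), self.salt, 100_000, dklen=64)
    @staticmethod
    def _tag(key, msg):
        return hmac.new(key[32:], msg, hashlib.sha256).digest()
    def _checked_key(self, master):
        key = self._derive(master)
        if not hmac.compare_digest(self._tag(key, b"verifier"), self.verifier):
            raise PermissionError("wrong master password")
        return key
    def unlock(self, master):
        self._key, self._unlocked_at = self._checked_key(master), self.clock()
    def _cached_key(self):
        if self._key is None or self.clock() - self._unlocked_at >= self.forget_after:
            self._key = None    # forget the key once the window has passed
            raise PermissionError("locked: master password required")
        return self._key
    def save(self, site, password):
        key, nonce = self._cached_key(), os.urandom(16)
        ct = _keystream_xor(key[:32], nonce, password.encode())
        self.disk[site] = (nonce, ct, self._tag(key, nonce + ct))
    def _open(self, key, site):
        nonce, ct, tag = self.disk[site]
        if not hmac.compare_digest(self._tag(key, nonce + ct), tag):
            raise ValueError("stored entry was modified")
        return _keystream_xor(key[:32], nonce, ct).decode()

    def autofill(self, site):           # convenience path: the cached key is enough
        return self._open(self._cached_key(), site)
    def reveal(self, site, master):     # "show passwords": always re-prompt
        return self._open(self._checked_key(master), site)
```

Within the unlock window `autofill` works without a prompt, which is the exposure the thread argues about; `reveal` never uses the cached key, so an unlocked session alone does not display a stored password through that path.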
Chrome already uses the OS keychain facilities. People are complaining that this is insecure because unauthorized people can look at the saved passwords if the user leaves their computer logged in and unlocked. They want Chrome to adopt the Firefox approach of storing them directly on disk optionally encrypted with a master password.
Or the Safari approach, where even though it could show you the passwords directly, its policy is to ask for your password before doing so. Note that while Chrome uses the keychain, it actually circumvents the point of the keychain by decrypting all keys at startup, before they're needed.