You can hunter2 my hunter2ing hunter2.
August 7, 2013 6:58 PM

 
I think it's interesting how Google Chrome security lead Justin Schuh has been actively explaining Chrome's decision. I think the design is wrong, but it's not an uninformed position or a silly oversight. It's deliberate.
posted by Nelson at 7:03 PM on August 7, 2013 [5 favorites]


Also time for my obligatory rant: passwords are a stupid way to authenticate ourselves, and expecting users to remember or store hundreds of strong passwords, one for each site, is ridiculous. I recommend a password agent like LastPass or 1Password, although more for usability than the thin veneer of extra security they have over the Chrome password agent.
posted by Nelson at 7:04 PM on August 7, 2013 [8 favorites]


On the one hand, this is going to surprise a lot of people.

On the other hand, any saved passwords are going to work this way, and the only difference is whether someone cares to take ten minutes to find how to get at your passwords. So it shouldn't surprise a lot of people.
posted by 23 at 7:05 PM on August 7, 2013 [4 favorites]


Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.

So for the cryptologically-impaired such as I, is this the only way this information could be gathered (physically using my computer/browser) or is it possible for someone to remotely gain access to this info?
posted by mannequito at 7:11 PM on August 7, 2013


On the other hand, any saved passwords are going to work this way

Huh? Why not store them encrypted under an unsaved master password, and require that master password to be entered immediately before showing any of them?
posted by Flunkie at 7:14 PM on August 7, 2013 [3 favorites]


23: On the other hand, any saved passwords are going to work this way

Not in Firefox, where there is an option to set a master password for looking at stored passwords. Not to say that provides great security, but it's what Chrome should be doing, too.
posted by christopherious at 7:19 PM on August 7, 2013 [1 favorite]


MeFi's own hombrequeso argues that every browser does it this way and they have to.
posted by mathowie at 7:19 PM on August 7, 2013 [2 favorites]


Dear Internet,

Can we agree that "insecure" is what gawky adolescents are, and that we all feel awkward using it when talking about passwords and such? "Unsecure" may not be a proper word, but it would be very good for this purpose. Cool? Thanks, Internet, I knew you'd understand.
posted by etc. at 7:20 PM on August 7, 2013 [11 favorites]


How is it that they won't allow me to download PDFs without displaying a useless warning every single time (http://code.google.com/p/chromium/issues/detail?id=9044), but they will happily share my passwords. Strange.
posted by houshuang at 7:21 PM on August 7, 2013 [4 favorites]


I mean, I understand someone with access to Chrome on a computer could install a keylogger or whatever to get the master password, and could then use the master password to get the other passwords, but to use that as an excuse for "we might as well just let anybody easily see any password" seems totally inane.
posted by Flunkie at 7:22 PM on August 7, 2013 [7 favorites]


Gizmodo are being a bunch of idiots.

Protip: you can get a saved password by using chrome's built-in developer tools: just focus on the password field and change the type attribute from password to text.
posted by Foci for Analysis at 7:25 PM on August 7, 2013 [10 favorites]


So for the cryptologically-impaired such as I, is this the only way this information could be gathered (physically using my computer/browser) or is it possible for someone to remotely gain access to this info?

It should be safe from remote access. Or rather, it is no more exposed to remote access than any other method of storing passwords that does not require a password to decrypt.

However, I do think Chrome's system is more susceptible to casual hacking-- someone who might look at your passwords might be less tempted if it required them to download and install something to see them.
posted by justkevin at 7:26 PM on August 7, 2013 [1 favorite]


Foci: Same with Safari or Firefox. Saved passwords are very very insecure. Having a "master password" like that is just security theater. You know, like removing your shoes for the TSA?
posted by aspo at 7:27 PM on August 7, 2013 [12 favorites]


passwords are a stupid way to authenticate ourselves

as compared to what, exactly?
posted by Mars Saxman at 7:27 PM on August 7, 2013 [1 favorite]


Huh? Why not store them encrypted under an unsaved master password, and require that master password to be entered immediately before showing any of them?

My understanding is most people save passwords so they don't have to enter a password every time they need one. Unless you actually enter the master password every time you need one and nothing is saved, the unencrypted passwords are available at least while the process is running.
posted by 23 at 7:29 PM on August 7, 2013


Why is a master password used to decrypt an encrypted password store "security theater"?
posted by crayz at 7:29 PM on August 7, 2013 [1 favorite]


The "security theater" argument is sound, but all the same, if you walk away from your computer for a minute or two and don't lock your session, it'd be nice if it weren't quite that easy to obtain an arbitrary password using the browser app that's actually sitting open on your desktop.

That said, I simply do not use browser-saved passwords for the five or six accounts which would expose me to serious harm if they were compromised. I can remember five or six passwords.

On preview:
Why is a master password used to decrypt an encrypted password store "security theater"?

Because Chrome using a master password wouldn't affect the basic problem, it would only prevent Chrome itself from being used that way. The platform API still grants access to any program that asks. (Hence my first paragraph above.)
posted by George_Spiggott at 7:32 PM on August 7, 2013 [1 favorite]


Having a "master password" like that is just security theater. You know, like removing your shoes for the TSA?

Oh, baloney, it's not like removing your shoes for the TSA. It's to prevent casual, trivial access. The fact that a determined and knowledgeable individual can get at saved passwords in other ways does not change the fact that it's to prevent casual, trivial access.

And there's no reason why a saved password would have to be displayed as asterisks (or anything) in a password field on a form; the "change the type attribute" thing shouldn't matter.

My understanding is most people save passwords so they don't have to enter a password every time they need one. Unless you actually enter the master password every time you need one and nothing is saved, the unencrypted passwords are available at least while the process is running.

I'm not suggesting that the master password be required every time you log on to a website; I'm suggesting that the master password be required every time you click on a "Show me the password for this website" button.
posted by Flunkie at 7:33 PM on August 7, 2013 [11 favorites]


It's not a determined individual. It takes 5 seconds to do, it's really easy, and I could show someone who knows almost nothing about how computers work how to do it in a minute.

Who do you think is stealing your passwords? Your younger sibling? They can do this. A jealous SO? Same. A friend who is an ass who you should stop calling a friend? Yup, once again.
posted by aspo at 7:38 PM on August 7, 2013 [3 favorites]


You can do that, but then someone who wants the password can just go to the website in question, fill in the boxes, and fire up the Web Inspector. Unless you make them enter the master password to fill out the login form.
posted by 23 at 7:39 PM on August 7, 2013


I don't know anything about this "Web Inspector", but does it show decrypted HTTPS traffic?
posted by Flunkie at 7:40 PM on August 7, 2013


But again, in any case, the whole argument boils down to "there are other ways to get at it". So what? That's no excuse.
posted by Flunkie at 7:41 PM on August 7, 2013


I'm suggesting that the master password be required every time you click on a "Show me the password for this website" button.

Chrome has more than 750 million active users. Is that really better? Think.
posted by tracert at 7:43 PM on August 7, 2013


You shouldn't save passwords on a computer. Hell, you shouldn't even type them in.
posted by RobotVoodooPower at 7:44 PM on August 7, 2013 [5 favorites]


Chrome has more than 750 million active users. Is that really better? Think.

Firefox has a whole bunch of users too, and I believe does what I've described. I've thought, and I've been unable to understand what you're getting at.
posted by Flunkie at 7:45 PM on August 7, 2013 [5 favorites]


So my complaint with Chrome's choice is that they have the wrong threat model. My threat model is my little sister sneaking in to my room and using my computer. She doesn't have keyloggers, she's not particularly persistent, but she's snooping around a bit. A master password on a timeout would help prevent that attack. That's how LastPass works and I think it's better for protection against a lot of real world threats. The Chrome team is right that a master password is not protection against an Advanced Persistent Threat, but honestly the Chinese Army or the American NSA aren't my primary concern.

passwords are a stupid way to authenticate ourselves ... as compared to what, exactly?

We should end passwords and replace them with a federated login system like OpenID, Mozilla Persona, Facebook Connect, Log in with Twitter, Log in with Google+, etc. One password I use to log into the authentication agent that I've delegated authority to. That agent then authenticates me to other websites. Ideally the one master password has a second factor for login, too. With a federated login system, users only need to memorize one strong password. Federated login has a lot of advantages but a sorry history of product adoption, mostly because of business concerns.
posted by Nelson at 7:46 PM on August 7, 2013 [9 favorites]


This is worrying about the wrong thing. People's passwords generally aren't stolen through physical access to the hardware, they are stolen by a never-ending stream of websites getting hacked. I could keep all my passwords written down and post-it-noted to my monitor and it wouldn't change the relative risk much.
posted by Justinian at 7:46 PM on August 7, 2013 [14 favorites]


I don't know anything about this "Web Inspector", but does it show decrypted HTTPS traffic?

It's the souped-up "View Source" option in every Webkit browser; HTTPS doesn't come into it. Right-click, "Inspect Element". Use it on a password box, double-click type="password" and change password to "text". Look, no dots!
posted by 23 at 7:46 PM on August 7, 2013 [5 favorites]


Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.

First thing they'd say is "What is Chrome? Is that like Explorer/Safari?"

Second thing they'd say if they were a friend or relative of mine is "If it's online it's public. Yeah, we got that. Go away now."
posted by Tell Me No Lies at 7:46 PM on August 7, 2013


It's the souped-up "View Source" option in every Webkit browser; HTTPS doesn't come into it. Right-click, "Inspect Element". Use it on a password box, double-click type="password" and change password to "text". Look, no dots!

Ah, then I've already responded to this: There is no reason why the dots have to be shown in the first place.
posted by Flunkie at 7:47 PM on August 7, 2013


Ah, then I've already responded to this: There is no reason why the dots have to be shown in the first place.

Yes, you don't have to show dots, but as long as the password is an input field you can change the type and show the value it contains. Or do you suggest the browser force form submission when it uses a password?

Just to be clear, I don't think there's a compelling reason for Chrome to show passwords like this, but I haven't read their hate mail (maybe people really want it) and I don't think it's a huge security problem, even from the little sister angle.
posted by 23 at 7:51 PM on August 7, 2013


Flunkie: "Why not store them encrypted under an unsaved master password, and require that master password to be entered immediately before showing any of them?"

Because the pain to users when they inevitably forget their rarely used master password is going to occur way more often than someone sitting at their computer and browsing passwords.
posted by Mitheral at 7:53 PM on August 7, 2013 [12 favorites]


you can change the type and show the value it contains

Perhaps I should be more explicit: There is no reason why the field has to contain any data whatsoever. All that needs to be done is that the password be sent to the server, not that the display has to contain the data for the field.

But anyway, once again, the argument is "there are other ways", and I still feel "so what, that's no excuse". And when the other ways are also trivial (such as changing "password" to "text"), and there's no reason why those other trivial ways have to work either (such as is the case for "password" to "text"), I feel "so what, fix those too". And I think I'm just going to keep getting essentially the same "there are other ways" response anyway, so good night.
posted by Flunkie at 7:57 PM on August 7, 2013 [3 favorites]


I'm one of the "technical" people who knows that passwords on browsers are inherently insecure, and I think that this is a short-sighted, and frankly ignorant decision.

Yes, obscuring the browser password doesn't protect against anyone with any degree of sophistication, but it does protect against most people - and it also protects against people with a small amount of technical sophistication checking out your passwords "just on a whim" - now I know that I can just look at your passwords in, literally, 10 seconds when I'm on your Chrome, it's a slight temptation to do it - for some people, a slight temptation like this is not a good thing...

I anticipate the number of passwords stolen through this method by jealous spouses, snooping parents and asshole roommates to be very large.

And the arrogance of the man! "Well, you're insecure once someone's on your machine, so fuck you." My door lock might be broken, but I really don't appreciate it if you force me to leave the door wide open until I fix it.
posted by lupus_yonderboy at 7:59 PM on August 7, 2013 [25 favorites]


For what it's worth, the Firefox master password is optional, and like most optional browser features has an extremely low uptake.
posted by lantius at 7:59 PM on August 7, 2013 [6 favorites]


Why even allow passwords to be saved at all? As a rule I never let a browser store my password, and even so, most sites have cookie lifetimes that scarcely ever require me to re-enter one, given moderately frequent activity.
posted by hwestiii at 8:01 PM on August 7, 2013 [2 favorites]


If you are hip to this, please use your hipness for good, and create a teaching moment for a colleague, friend, or sex buddy.
posted by sandettie light vessel automatic at 8:06 PM on August 7, 2013 [1 favorite]


Listen, guys, the Chrome security lead is right, a determined attacker will be able to get around the master password. It's the same reason none of us lock our front doors when we leave the house; anyone with an axe can chop right through it in a matter of minutes. A deadbolt is security theatre.
posted by mullingitover at 8:07 PM on August 7, 2013 [44 favorites]


I'm not worried about my wife or my sons or whoever stealing my password. I'm worried about someone else, out on the Internet, stealing my passwords.

I thought with Chrome, "user profiles" (in my case, synced to my main Google account) provide a reasonable amount of security for a scenario like mine, as long as I enable 2FA.

Once again, I'm not particularly worried about someone in my home stealing my passwords. I don't think Google Chrome is responsible for a lack of Trust in my own home environment. That's obtuse. If I don't trust my wife the solution of course is to change the password on my Chrome profile frequently.
posted by KokuRyu at 8:07 PM on August 7, 2013 [3 favorites]


i've seen some freaking out about this (and chrome specifically) - but i just don't get it. sure, you can set a master password in firefox, but as has been pointed out, it's optional. so that same Today, go up to somebody non-technical. thing would be the exact same for most with firefox too (except, options/security/saved passwords). you pretty much have the same nosy coworker/roommate/sister problem. if your computer isn't secure, don't save passwords. and if it's mostly secure, lock it when it's not. it really seems to me like people are saying "did you know when you tell your browser to save your passwords, it saves your passwords??"
posted by nadawi at 8:08 PM on August 7, 2013 [1 favorite]


There is no reason why the field has to contain any data whatsoever.

I wish that were true. It is not.

Ideally the browser could just automatically log in to the server without user interaction. If HTTP Basic auth was used this would be trivial; however, HTML forms are the way logins are almost always implemented, to the extent that Basic auth looks untrustworthy. Though you can get it right 99% of the time by looking for a field called "password", it won't always work, so sometimes you have to copy the password to another field because the browser can't guess correctly. Even if you can save the settings for the field on one visit, the site might change it later (say changing the name attribute). And maybe there are options besides the password you need to enter that change on each session.

So, because there's no standard for where the password goes, and because sometimes you need to add to the form, the browser puts the password into the active page in an accessible manner so the user can address the edge cases. This should not be the case, but it is. And this means you can copy the password - you have to be able to copy the password in order to fix things. And Chrome's decision here seems less problematic than that whole mess.
posted by 23 at 8:10 PM on August 7, 2013


The responsible thing for the Chrome team to do, if this is their sincere belief, is to thoroughly warn users, in large red font, that their passwords are available in plaintext at the time they store the password in the browser. Show them where they are. Explain that storing them in Chrome is only marginally safer than taping them to the monitor.
posted by mullingitover at 8:11 PM on August 7, 2013 [7 favorites]


Listen, guys, the Chrome security lead is right, a determined attacker will be able to get around the master password. It's the same reason none of us lock our front doors when we leave the house; anyone with an axe can chop right through it in a matter of minutes. A deadbolt is security theatre.

You know, you're right. My landlord said he wouldn't pay for a deadbolt on the door next to my screened picture window, but he's an idiot.
posted by 23 at 8:12 PM on August 7, 2013 [3 favorites]


It's the same reason none of us lock our front doors when we leave the house; anyone with an axe can chop right through it in a matter of minutes.

No it's the same reason if you had two front doors and only one had a lock there's really no reason to lock the one lockable one.
posted by aspo at 8:13 PM on August 7, 2013 [3 favorites]


i've been trying to hack into my own passwords just now, and i'm noticing that most websites don't have anything in the password box, even after i change the input type/class.

my workflow, when i need to log into a website, is open up firefox preferences, click view saved passwords, enter my master password, search for the website, click view passwords, enter master password again, then copy the password.

so, it seems like if a website isn't auto-populating that field it could be kind of hard to get at the saved passwords, or am i missing something? are the passwords not encrypted well? am i just doing it wrong?
posted by cupcake1337 at 8:14 PM on August 7, 2013


Their justification is, there are too many vectors, so let's add another Really Big Vector? I don't understand this yet.
posted by polymodus at 8:19 PM on August 7, 2013 [5 favorites]


Flunkie: Why not store them encrypted under an unsaved master password, and require that master password to be entered immediately before showing any of them?

In the discussion at Hacker News, Chrome security tech lead Justin Schuh says that Chrome effectively does work this way. Chrome does store passwords in encrypted form -- but it delegates the job to the OS. The "master password" is therefore your OS login password. Which is why you don't have to enter it again when Chrome starts up. The fact that you are logged in to the local machine is what grants you permission to use and view that encrypted data.

Chrome's position is: If you want to keep your passwords secure, use a good OS login password and set up a guest account on your machine for people who want to borrow it. This works against "little sister" type attacks, too.

I can see Schuh's point, although I think Joe Average isn't really ready for such a move. I suppose Joe Average isn't going to get himself ready without a push. If we could get Joe Average to actually use accounts and logins, there would be fewer viruses, less spam, etc. But that's been true for many years, and it's never taken off for all sorts of reasons, and I'm not hopeful.
posted by Western Infidels at 8:25 PM on August 7, 2013 [4 favorites]


cupcake1337, I haven't used saved passwords in a while, but my understanding of the flow is that the browser either auto-fills the form or you push a button in the browser and the form is auto-filled. I think that is a much more worrying problem, but one somewhat necessitated by current circumstances.
posted by 23 at 8:27 PM on August 7, 2013


Why even allow passwords to be saved at all?

Because we have to have 350 of them, and every single one has to be different and a random string like iVO73FdN7cQm. It's a tradeoff between the risk of my passwords being stolen from Chrome or users just using crappy passwords they can remember and type easily.
posted by Nelson at 8:33 PM on August 7, 2013


"so, it seems like if a website isn't auto-populating that field it could be kind of hard to get at the saved passwords, or am i missing something?"

The browser is populating the field, not the website. And the browser knows to do this because the fields have been defined as login/password types in the form. If they've been saved, then they're available for a form without a master-password being entered, and they'll be auto-entered into the form. Once that's done, and the password entry is obfuscated because it's the "password" type, you can use inspect to change the type to null and it will be un-obfuscated. All without a master password entered on any browser that saves website login credentials.

Flunkie's suggestion (don't make the password field data visible at all) won't work because the browser only knows that it's a password because the form says it is. So you could use the inspector to change the type to something else and if the field has been populated by the browser, then when the type is changed to something else, those characters will be made visible. There are other possibilities, but the underlying principle will always be true: the browser only knows to hide saved passwords because it knows they are passwords in the first place, and so saved passwords can be revealed by changing what the browser thinks the field type is.

So the developer is obviously correct about the problem from a general sense.

However, I think he's wrong in this specific case — that of making all the saved login credentials available to the user via the settings interface. That should be secured with a password for the simple reason that it shouldn't be that easy for one person to see all your saved passwords with a few clicks.
posted by Ivan Fyodorovich at 8:39 PM on August 7, 2013


It's telling that Chrome and Firefox have similar password storage schemes, and nobody is giving Firefox a hard time. Now why is that?
posted by mullingitover at 8:39 PM on August 7, 2013 [5 favorites]


It's the same reason none of us lock our front doors when we leave the house; anyone with an axe can chop right through it in a matter of minutes. A deadbolt is security theatre

In point of fact I don't lock my car doors because a friend of mine in college had his window smashed in three times in one year. I make other arrangements for things I don't want taken and let would-be thieves knock themselves out.

Locks and their digital cousins passwords are the hammer for every proverbial nail that a "security expert" sees. For the rest of us they're not always automatically the right tool.
posted by Tell Me No Lies at 8:40 PM on August 7, 2013 [3 favorites]


I don't think people here really appreciate the amount Google cares about security. Their entire business model depends on browsing the web being a safe, enjoyable way to spend money. They've developed fully compliant flash and pdf viewers for their browser, as they were large, demonstrated attack vectors. They pay out bug bounties on exploitable bugs. They actively fuzz, push auto updates, and embrace newer technologies like certificate pinning and a sandboxed model. Security wise, they're practically a poster child for doing things correctly.

When reading Mr Schuh's comments it's important to realize he's making two points.

1) Encrypting the password storage doesn't really provide the level of safety we might hope for. He's entirely correct that there is a practically endless number of attack vectors against such a password storage system, even if it were encrypted. You have a program that has to be able to read passwords in the clear, and send them over the wire (hopefully with some transport encryption). There are a bunch of ways to recover this information, so the question is: do we want to add a layer of complexity to the attack to filter out the low hanging fruit?

2) The part where he references novices is this: Google has a huge mountain of data on how people actually use computers, how accounts actually get compromised, and what effect those compromises have. Looking at this data, Google has determined that someone using your computer to steal your passwords is not a significant attack that actually happens. In other words, they could add this barrier to viewing passwords but it wouldn't prevent enough real world attacks to outweigh the usability constraints it would entail.

Considering Google's track record (specifically on software security), I don't doubt him at all on this. I think this is a case of people knowing enough to be dangerous. As a security conscious user, I'd be happier if Chrome encrypted my passwords, but I also have good local security so I really don't worry about it. If you are worried about it, install 1Pass or LastPass or any of the other password managers. If you're worried about it on behalf of the ignorant, unwashed masses, don't be. Google's mountain of data indicates that it's not a real problem and we shouldn't worry about it.
posted by yeahwhatever at 8:46 PM on August 7, 2013 [19 favorites]


Flunkie's suggestion (don't make the password field data visible at all) won't work because the browser only knows that it's a password because the form says it is.

The browser has to know which field to put the saved password in, or it couldn't put the password into the field. So, if you have a saved password, why can't you just leave it blank until the form is submitted and then auto-add the text to the submission? You might even be able to insert it as part of the SSL connection so that it's never not encrypted, but I'm not sure of the fine points for how the browser handles SSL or whether the browser having the ability to insert the password like that is an even worse security problem.

I have a guest account for little sisters, and I don't store really-need-to-be-secure passwords in the browser, but I still think it's a really poor choice not to have a master password available in Chrome. I don't understand the benefit of not having it other than the stated "we don't want the user to be lulled into a false sense of security", which just seems asinine to me.
posted by willnot at 8:49 PM on August 7, 2013


It's kinda true.

A concerted attacker isn't going to be stopped by one more password, as long as your hard drive isn't encrypted I'll just mount it in another machine and run a dictionary attack. If just one file is encrypted it's slightly harder but not much. If the attacker is logged in as you the browser will just autofill.
posted by Ad hominem at 8:49 PM on August 7, 2013


No it's the same reason if you had two front doors and only one had a lock there's really no reason to lock the one lockable one.

It's more along the lines of... if you're gonna hide your key somewhere around your yard, you might as well tape it to the front door with a sign that says "Key!" Which is kind of ridiculous. There's easy, and there's too easy.

If functioning in this manner is such an obvious solution, educating the end user as to how it works shouldn't be that hard either. Much in the same way websites with a "remember me" checkbox on their login will usually have some sort of "Don't check this if you're on a shared or public computer" warning.
posted by billyfleetwood at 8:49 PM on August 7, 2013 [2 favorites]


Chrome allowing this vulnerability really doesn't make much sense. Security isn't all-or-nothing — it's layered. Just because it's possible for someone to install a keylogger on your machine if they have 10 minutes with it doesn't mean it should be possible for someone to copy all your passwords if they have 5 minutes with it. It's the same reason passwords are masked with asterisks or dots so that people looking over your shoulder can't just watch it being entered and remember it.

To the point about "misleading" users into thinking their passwords are secure: This is already done. Most users have no idea you can right click and change elements at will; they think, when they tell Chrome to save their passwords, that their passwords are already being stored in a safe manner. In fact, to continue with this logic, you would have to warn users each and every time they save a password that it isn't safe to let the browser store it so they aren't continuously misled.

To turn this into an analogy (that someone will no doubt nitpick and miss my overall point), Chrome's chrome://settings/passwords page is akin to someone creating a device that lets you detect every car in a mile radius with its doors unlocked. "But they're already unlocked, so it's not like someone with more time on their hands couldn't do the same thing!" you may contest; however, it makes breaking into cars more accessible to the average person, who is very unlikely to spend all night in a parking lot wiggling door handles, but would be more inclined to break into someone's car if they hold a widget in the air and find the one that's unlocked. Just like how Chrome's chrome://settings/passwords makes an already available vulnerability much more accessible to anyone who happens to stroll by an open computer.
posted by ceol at 8:52 PM on August 7, 2013 [12 favorites]


Looking at this data, Google has determined that someone using your computer to steal your passwords is not a significant attack that actually happens.

I agree with you on Google's commendable track record on security, but I can't imagine their data says a lot about people looking at a password in the Password Manager without sending anything over a wire, writing it down/taking a picture/memorizing it, and using it later on a non-Google website. Even if you stole someone's Google Accounts password this way, all they'd see is a login from a different IP address, nothing to indicate that it's not the account owner.
posted by jason_steakums at 8:55 PM on August 7, 2013 [2 favorites]


passwords are a stupid way to authenticate ourselves

as compared to what, exactly?


Five-family-member authentication.

(not available for orphans)
posted by grog at 8:55 PM on August 7, 2013 [1 favorite]


Could you make it work like sudo (or, for that matter, like 1password)?

- Pretend to display a saved password upon page load.
- When you try to submit the form, you have to enter a master password.
- This master password gives you access to all your passwords for 30m.

Seems pretty seamless and far more secure than storing passwords in plaintext.
posted by yaymukund at 8:56 PM on August 7, 2013
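The sudo-style flow proposed in the comment above, sketched as an added example (not code from the thread, from Chrome, or from 1Password). The `Vault` class, its method names and the HMAC-based cipher are assumptions made for illustration; a real implementation would use a vetted AEAD such as AES-GCM from a crypto library.

```python
import hashlib
import hmac
import os
import time

UNLOCK_SECONDS = 30 * 60      # the 30-minute window from the post
PLACEHOLDER = "\u2022" * 8    # what the login form shows instead of the secret


def _derive(master, salt):
    """Stretch the master password into an encryption key and a MAC key."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=64)
    return raw[:32], raw[32:]


def _mac(key, *parts):
    return hmac.new(key, b"\0".join(parts), hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    """HMAC-SHA256 in counter mode; stand-in for a library AEAD such as AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = _mac(key, nonce, (i // 32).to_bytes(8, "big"))
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


class Vault:
    """Hypothetical password store: encrypted at rest, unlocked for a fixed window."""

    def __init__(self, master, clock=time.monotonic):
        self._clock = clock
        self._salt = os.urandom(16)
        self._records = {}   # site -> (nonce, ciphertext, tag): all that is stored
        self._keys = _derive(master, self._salt)   # in memory only while unlocked
        self._check = _mac(self._keys[1], b"vault-check")
        self._expires = clock() + UNLOCK_SECONDS

    def unlock(self, master):
        keys = _derive(master, self._salt)
        if not hmac.compare_digest(_mac(keys[1], b"vault-check"), self._check):
            return False
        self._keys, self._expires = keys, self._clock() + UNLOCK_SECONDS
        return True

    def lock(self):
        self._keys = None

    def is_unlocked(self):
        if self._keys is not None and self._clock() >= self._expires:
            self.lock()      # window lapsed: drop the keys
        return self._keys is not None

    def save(self, site, password):
        if not self.is_unlocked():
            raise PermissionError("vault is locked")
        enc_key, mac_key = self._keys
        nonce = os.urandom(16)
        ct = _xor_stream(enc_key, nonce, password.encode())
        self._records[site] = (nonce, ct, _mac(mac_key, site.encode(), nonce, ct))

    def fill_form(self, site):
        """Step 1: on page load the field only pretends to hold the password."""
        return PLACEHOLDER if site in self._records else ""

    def submit(self, site, master=None):
        """Steps 2 and 3: substitute the real value at submission, asking for
        the master password only when the unlock window has lapsed."""
        if not self.is_unlocked():
            if master is None or not self.unlock(master):
                raise PermissionError("master password required")
        enc_key, mac_key = self._keys
        nonce, ct, tag = self._records[site]
        if not hmac.compare_digest(tag, _mac(mac_key, site.encode(), nonce, ct)):
            raise ValueError("stored record was modified")
        return _xor_stream(enc_key, nonce, ct).decode()
```

Because the field never holds the secret, changing the input type in the element inspector reveals only the placeholder; the cost is one master-password prompt per window.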


Google could also have Chrome just text you or email you whenever someone looks at the Password Manager so you're aware if someone else is doing it.
posted by jason_steakums at 8:58 PM on August 7, 2013 [3 favorites]


billyfleetwood:...if you're gonna hide your key somewhere around your yard, you might as well tape it to the front door with a sign that says "Key!" Which is kind of ridiculous.
Oh.

Well maybe I'll change my sign to say "Not A Key."
posted by Western Infidels at 9:01 PM on August 7, 2013 [3 favorites]


Schuh is absolutely right, but he's forgetting one thing: it won't do any harm to hide the passwords. He's worried about providing a false sense of security among non-experts, but since that already exists (as evidenced by this very kerfuffle), best give them the theater that they want. It's not like Google is actively educating its users about security, so this is a pretty pointless step in that direction. Besides, I think some of the people here have a good point that there is value in discouraging casual attackers.
posted by Edgewise at 9:02 PM on August 7, 2013 [1 favorite]


We should end passwords and replace it with a federated login system

Given the security track record of most outfits, I really can't imagine trusting every part of my online identity to any one service. As it is, if one site I use gets hacked, even in a worst-case scenario of a full list of plaintext passwords, the damage is localized. I can roll up a new password in two seconds, and nothing else I use gets touched. Compare that to the absolute shitstorm if some central identity server got hacked.
posted by echo target at 9:03 PM on August 7, 2013


Yes, you guys are talking about "levels of intent". Not everyone is some kind of corporate spy who will just take your hard drive or install kernel level key loggers. At the very least they should get rid of the "show" button to stop "casual hackers" from getting your plaintext password.
posted by Ad hominem at 9:04 PM on August 7, 2013 [1 favorite]


Showing passwords as dots or asterisks is supposed to prevent people reading them over your shoulder as you type them in (e.g. in an office or Internet cafe) i.e. people who don't necessarily have physical access to the computer to change the text field properties in the browser or whatever while logged in with your OS account.
posted by L.P. Hatecraft at 9:07 PM on August 7, 2013 [2 favorites]


it won't do any harm to hide the passwords.

Just the hassle of people having to reset a master password, and Google having to put into place some mechanism and infrastructure for them to do so. They, Schuh, have clearly decided, based on their data, that this effort isn't worth the appearance of protection that would offer.

Also, they don't appear to want to lie to their user-base about the strength of that protection.
posted by bonehead at 9:09 PM on August 7, 2013 [1 favorite]


> If I don't trust my wife the solution of course is to change--

Oh, for a second I thought you were going to say "change my wife".
posted by Weltschmerz at 9:14 PM on August 7, 2013 [2 favorites]


Yeah I'm mostly talking about the "Kid sister attack". I let people play YouTube videos while I'm not watching, and I don't set up their own account on my machine. I don't want them clicking "show" in the password manager cuz they saw it on the web.

For an IT professional I am really lax though. Most people I work with lock their machines even at home, like someone is going to break into their apartment and change their Facebook status.
posted by Ad hominem at 9:14 PM on August 7, 2013 [2 favorites]


At the very least they should get rid of the "show" button to stop "casual hackers" from getting your plaintext password.

Who are these "casual hackers"?
posted by KokuRyu at 9:22 PM on August 7, 2013


People who want to fuck with your Facebook because they think it is cool maybe.

You think people who will steal your passwords because they can and it's easy don't exist?
posted by Ad hominem at 9:25 PM on August 7, 2013


I think the correct answer here is to stop using Chrome, if you don't like it. Which is something I am now considering.
posted by empath at 9:27 PM on August 7, 2013 [3 favorites]


my passwords are definitely stored in firefox, yet, when i log out of facebook, it won't auto fill the password field. so, i still don't think it's susceptible to just using inspection.
posted by cupcake1337 at 9:29 PM on August 7, 2013


If it really bothers you, look at a dedicated password manager, like LastPass or 1Pass. These use independent security models more flexible than any browser, and so are not vulnerable to many of the casual snooping attacks.
posted by bonehead at 9:31 PM on August 7, 2013 [1 favorite]


on firefox i have passwords stored and it autofills the password field after my username is selected from the autofill dropdown. not sure why yours doesn't...
posted by nadawi at 9:37 PM on August 7, 2013


and it works the same on almost all sites, except for the local electric company and rent paying pages.
posted by nadawi at 9:39 PM on August 7, 2013


Even if you stole someone's Google Accounts password this way, all they'd see is a login from a different IP address, nothing to indicate that it's not the account owner.

Two-step verification for your Google account. Google will either text your phone with a verification code if this happens, or provide a list of one-time numbers for verification. It's not on by default, but it's there if you want it. Facebook and Dropbox (among others) can do it too. Warning: it's a pain in the ass in practice.
posted by bonehead at 9:47 PM on August 7, 2013 [2 favorites]


This is why I don't use computers, only mouth-breathers use them.
posted by Brocktoon at 9:47 PM on August 7, 2013


Showing passwords as dots or asterisks is supposed to prevent people reading them over your shoulder as you type them in

<story>

Early on at cisco we used to keep the administrative password unencrypted in the config file. There were some complaints about this, mainly down the line of not wanting people to happen to glance at a sysadmin's screen and compromise the password unintentionally.

Bill Westfield solved this with a simple two way hash of the password against a fixed key. It obfuscated the password but it was encoded, not encrypted. Reversing it was easy. (I don't have the key handy but it was created by Bill's two year old daughter dancing on his keyboard)

Flash-forward eight years and in one of my favorite ill-advised schemes a "hacker" actually attempted to blackmail Cisco by threatening to release the key to the general public. The FBI got involved, jail got involved, it wasn't pretty for the guy. I seem to recall that Cisco released the key publicly as a demonstration of how useless it was to an attacker, but I've always kinda wished they kept the whole thing private as an ongoing honeypot.

If there's a moral to this I guess it would be that people can make very strange assumptions about what is secure, what is supposed to be secure, and what they can reasonably blackmail multi-billion dollar companies over.

</story>
posted by Tell Me No Lies at 9:48 PM on August 7, 2013 [5 favorites]


Twitter just upgraded their two factor authentication with an app that works as an RSA soft token.

That way nobody can social engineer their way into getting your SMSs and getting through your two factor authentication.
posted by Ad hominem at 9:59 PM on August 7, 2013


I don't think people here really appreciate the amount Google cares about security.

I don’t. I appreciate less and less about Google as time goes on.
posted by bongo_x at 10:03 PM on August 7, 2013 [5 favorites]


Authentication on the web is all "security theater", if you want to get down to the nitty-gritties of it. Every single website that you connect to securely uses public key encryption with SSL, which requires that each site acquire a certificate (either from a company like GoDaddy or Verisign, or if you're a megagiant corporation like Google you can sign your own certs). Supposedly these certificate distributors verify that when Bob Phisher applies for an SSL cert for MyAwesomeWebsite.com, Bob Phisher is indeed the owner of said domain. Browsers are programmed to automatically trust these certificates, but there is absolutely no guarantee that the traffic from MyAwesomeWebsite.com to your browser is actually coming from a legitimate company and not, say, a phishing group. Bob Phisher could be routing traffic through the network somewhere, for instance (i.e., a MITM attack). And that's not even including anything about "bad" passwords or encryption algorithms. The system is just... not that rigorous. Verisign's verification process actually involves just calling the phone number listed for the domain owner and checking that someone answered the phone and said, "Yup, we signed up for that." Rigorous, I guess, but not flawless. And Verisign is one of the expensive certs. GoDaddy doesn't even check that you're not a bot. So when it comes to security on the web, it's all relative. There's no guarantee that the server you're sending your secure traffic to is even who they say they are – but it would be hard to pull off this sort of MITM attack, and that's why they happen so rarely.

Even the lock on your front door is "theater". You can buy yourself the fanciest deadbolt in the world, but a guy with a big enough foot can still kick the door off the frame if he really wants to get inside. Making anything "secure" is really about making it extremely inconvenient to break into, not making it 100% impenetrable, at least in the civilian world.
posted by deathpanels at 10:08 PM on August 7, 2013 [4 favorites]


You think people who will steal your passwords because they can and it's easy don't exist?

I suppose, but how would they get access to my computer? I guess they could steal it, and I suppose the OS password could be cracked easily enough, but generally speaking, outside of social engineering the real danger is some Russian hacker doing a brute-force attack on my seldom-used Yahoo! Mail account.

As I mentioned above, if you can't "Trust" your own family members with your computer, you have a bigger problem than passwords being stored in cleartext in a browser. And if you don't change your mission-critical passwords on a regular basis (once a month, say, or after using a public machine), then how can Google protect against that?
posted by KokuRyu at 10:08 PM on August 7, 2013


And of course there is always 2FA, which with the adoption by Facebook and Twitter (following Google) is going to become the standard anyway.
posted by KokuRyu at 10:10 PM on August 7, 2013


Two-step verification for your Google account. Google will either text your phone with a verification code if this happens, or provide a list of one-time numbers for verification. It's not on by default, but it's there if you want it. Facebook and Dropbox (among others) can do it too. Warning: it's a pain in the ass in practice.

Yeah, 2-step is great and I'm glad Google pushed it so hard since it's taking off elsewhere! I like what they do with the Google Authenticator app to allow other services to use it, too - LastPass uses that and it's excellent. And another mefite pointed out to me by memail that Google will send you a warning email when an IP address not associated with your account tries to log in - I've been lucky enough never to have that tripped, but it's a good move on their part.

I'm more thinking about low-hanging-fruit attacks on users who don't know how to protect themselves, the people most vulnerable to Password Manager snooping. Kids and significant others and family members and coworkers swiping Facebook passwords ("[x] hacked my Facebook!" is super common teen drama), bank account passwords, that kind of thing - Google's got protection in place against your Google account being accessed by someone else via the Password Manager, but other sites are wide open to it. Google's even vulnerable if it's someone behind the same IP address, they'd never know it was unauthorized. And those people behind the same IP are the people who would have physical access to a computer to snoop on the Password Manager in the first place.
posted by jason_steakums at 10:10 PM on August 7, 2013 [1 favorite]


As I mentioned above, if you can't "Trust" your own family members with your computer, you have a bigger problem than passwords being stored in cleartext in a browser

You never had anyone play pranks on you?

Believe me, most of my life I would have stolen someone's password so I could subtly change their Facebook or something to mess with them.

Or better yet, send emails to them, from them and make them think they were doing it in their sleep.

Whatever, it's a useless button and they can leave it or remove it as they see fit.
posted by Ad hominem at 10:13 PM on August 7, 2013 [1 favorite]


And of course there is always 2FA, which with the adoption by Facebook and Twitter (following Google) is going to become the standard anyway.

Yeah I know a little about computer security.
posted by Ad hominem at 10:16 PM on August 7, 2013


You never had anyone play pranks on you?

Believe me, most of my life I would have stolen someone's password so I could subtly change their Facebook or something to mess with them.

Or better yet, send emails to them, from them and make them think they were doing it in their sleep.


I'm going to go out on a limb and guess that the lack of having their passwords did not stop you from other types of mischief. So in their case it was kind of a wash.
posted by Tell Me No Lies at 10:16 PM on August 7, 2013


Seriously... A "master password" will do nothing to stop a prank. With one and physical access to your browser (Firefox, Chrome or Safari) with a saved password I can get that password in 10 seconds. And you would never know. That is why this is so stupid. It isn't like someone smashing your window or breaking down your door. It is like your door being locked if you turn the handle clockwise, but not if you turn it counterclockwise.
posted by aspo at 10:20 PM on August 7, 2013 [1 favorite]


Yep. I know. You can change the password field for a text field using the element inspector. You can get a stored password no matter what. Worst case scenario you can yank the hard drive and mount it somewhere else, as long as the hard drive isn't encrypted.

None of this convinces me why a "show plaintext password" button in the password manager is a good idea. Does it serve any purpose that a big red warning doesn't?

It is like a lock manufacturer making a point that your windows are insecure by putting a bypass lock button. Sure, they are right but it really makes no sense.

I'm going to go out on a limb and guess that the lack of having their passwords did not stop you from other types of mischief. So in their case it was kind of a wash.

That's true. Without any kind of SMTP auth I can telnet to port 25 and spoof any email I want. So yeah.
posted by Ad hominem at 10:27 PM on August 7, 2013 [2 favorites]


Seriously, don't you get it? I can turn on your coffee maker with a trick that I call "thumb in butt".
posted by Brocktoon at 10:27 PM on August 7, 2013


Ok guys, this has been fun.
posted by Ad hominem at 10:28 PM on August 7, 2013


Actually, I'm pretty sure the passwords are encrypted on disk, so stealing the hard drive doesn't actually work.
posted by aspo at 10:30 PM on August 7, 2013


Meh. The program has to decrypt them somehow. I would first check with a kernel level debugger or hex editor for a hard coded password; failing that, run some kind of dictionary attack.
posted by Ad hominem at 10:33 PM on August 7, 2013


Yeah, thinking about it more I'm definitely with Ad hominem on this one. That button is replicating a function served by the "Forgot password?" links on all the sites with saved passwords anyways.
posted by jason_steakums at 10:43 PM on August 7, 2013


Not only that, it is a list of all the sites I have saved passwords for.

Like I said before it is a very very minimal barrier to casual attackers to remove the button, but people put up picket fences too. I could just kick that shit over and steal your newspaper, or reach over and unlatch it.
posted by Ad hominem at 10:48 PM on August 7, 2013


The button's providing an edge case convenience at the cost of edge case security.
posted by jason_steakums at 10:49 PM on August 7, 2013 [1 favorite]


No, making someone break shit is actually a pretty big barrier...
posted by aspo at 10:50 PM on August 7, 2013


Also, they don't appear to want to lie to their user-base about the strength of that protection.

Who said anything about lying? By all means, they should publish the truth of their security model. For those who give a damn, it will be plain as day. And as I said, it may serve a purpose by deterring casual "kid brother" attacks. It may be of marginal value, but the only lying is by some users to themselves.
posted by Edgewise at 10:51 PM on August 7, 2013


No, making someone break shit is actually a pretty big barrier

About the same as making someone use a DOM inspector to change the field or some other trick instead of just clicking a button to see the plaintext password.

Even if they leave the button, I'm not going to be super pissed or anything.
posted by Ad hominem at 10:55 PM on August 7, 2013


Honestly though, I wouldn't care if they added a master password or whatever, but I think this freakout about how insecure Chrome is without a master password is silly.
posted by aspo at 10:55 PM on August 7, 2013


The dev console trick is fixable to guard against easy pickings without a master password, too - turn off autofilling saved passwords and blank the password field when the console is opened.
posted by jason_steakums at 10:55 PM on August 7, 2013


Okay, fine fine fine. I was holding on to this until I got time to make a fully fleshed out FPP, but realistically I'll never get around to it. So here. Bad passwords are a shitty idea.
posted by Tell Me No Lies at 10:57 PM on August 7, 2013


You can also reveal password fields with a bookmarklet, of course.
posted by jason_steakums at 11:03 PM on August 7, 2013 [2 favorites]


Yeah, I agree. I'm not freaking out at all.

You guys know the website Seamlessweb.com? It is a food delivery service. They make users enter the password before ordering even if already logged in. I noticed one day they gave bad password feedback after typing one letter. I checked the page source and they did a password check in JavaScript. They sent your password, which they knew because you are already logged in, hardcoded in the page and just compared it to the contents of the password field.

Now that is insecure. Since changed I hope.
posted by Ad hominem at 11:04 PM on August 7, 2013 [4 favorites]
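The client-side check described in the comment above, set beside a server-side re-authentication check, as an added example (not the site's code and not part of the original post). All names here (`render_reauth_insecure`, `ReauthService`, `leaks_secret`) and the sample account are constructed for illustration.

```python
import hashlib
import hmac
import html
import json
import os


def render_reauth_insecure(stored_password):
    """The pattern from the post: the secret ships inside the page and
    JavaScript compares it to the field as the user types. It also implies
    the server keeps the password in a recoverable form."""
    return (
        "<input type='password' id='pw'>\n"
        "<script>\n"
        "var expected = " + json.dumps(stored_password) + ";\n"
        "document.getElementById('pw').oninput = function () {\n"
        "  this.classList.toggle('bad', !expected.startsWith(this.value));\n"
        "};\n"
        "</script>"
    )


def hash_password(password, salt=None):
    """Salted, stretched hash; the iteration count is illustrative."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ReauthService:
    """Hardened form: the page carries no secret, the server compares hashes
    in constant time, and repeated failures lock the check."""

    MAX_FAILURES = 5

    def __init__(self):
        self._users = {}      # user -> (salt, digest); no plaintext kept
        self._failures = {}   # user -> consecutive failed attempts

    def register(self, user, password):
        self._users[user] = hash_password(password)

    def render_reauth(self, user):
        return ("<form method='post' action='/reauth'>"
                "<input type='hidden' name='user' value='%s'>"
                "<input type='password' name='pw'></form>" % html.escape(user))

    def verify(self, user, candidate):
        if self._failures.get(user, 0) >= self.MAX_FAILURES:
            return False      # locked until reset out of band
        salt, digest = self._users[user]
        ok = hmac.compare_digest(hash_password(candidate, salt)[1], digest)
        self._failures[user] = 0 if ok else self._failures.get(user, 0) + 1
        return ok


def leaks_secret(page, secret):
    """Regression check for rendered responses: does the body contain the
    credential raw, HTML-escaped, or JSON-escaped?"""
    forms = {secret, html.escape(secret), json.dumps(secret)[1:-1]}
    return any(form in page for form in forms)
```

The insecure page answers "is this prefix right?" after every keystroke to anyone who can read the source; the hardened service only answers whole-password attempts, and only a limited number of them.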


They are encrypted to some extent using your Windows credentials/tokens/whatever and are only decrypted when you open Chrome, so the lesson for users is to behave like they're in a HIPAA/SOX type environment and constantly lock their workstation, using separate accounts for each user, etc. It would be nice to have gotten people moved to this phase long ago but it's not happening.

I think Google is looking at a bigger picture and doing that thing Apple does where they refuse to budge on something because they have some grand vision it conflicts with. I cringe at all revelations of clear-text passwords on-screen and would prefer to have an option for a master password (with no way of retrieving it, sorry) or even a timeout period where you have to re-authenticate with Windows to re-decrypt the passwords.

I would settle for a loud glass-breaking sound sent to all of your mobile devices and computer speakers, an SMS notification to any cell numbers associated with Google/Google Voice, and an email notification.

I understand the security by obscurity argument, but it's not an absolute (don't tell people you're going on vacation unless you have to!) any more than "physical access = all bets are off." That argument is more about beefing up physical access and not doing pointless exercises in the other layers, but it does not mean that your servers shouldn't require passwords to log in, shouldn't be locked (via the operating system), your data shouldn't be encrypted at rest, etc. The only real absolutes are that users are the greatest threat and education is the biggest challenge, and defense in depth should always be applied to layers where a risk analysis merits it, weighed against usability and pushed as far as possible without putting the user in highly inconvenient scenarios that encourage them to circumvent the security model entirely (like post-it notes for passwords because they change too often and the user isn't educated about other options). The problem is there's a shitload of wiggle-room in there on risk analysis, what "inconvenient" means, how smart your users are expected to be, etc.
posted by lordaych at 11:06 PM on August 7, 2013


my workflow, when i need to log into a website, is open up firefox preferences, click view saved passwords, enter my master password, search for the website, click view passwords, enter master password again, then copy the password.

This actually seems pretty secure, or at least as good as it can get, although awfully painful for you. I believe the complaints here are all about this workflow: enter master password, browser now auto-fills all login forms until whenever.

I mean.. Maybe Firefox allows you to set auto-fill without entering the master password, and then your extra steps would be "useless", but the principle is definitely better than the issue being debated here.

I don't feel like I have any handle at all on what you guys think best practice is..
posted by Chuckles at 11:06 PM on August 7, 2013


This is just plain stupid. At least make me attach a debugger or something to read the passwords out of memory, or get root, or something. It absolutely doesn't have to work this way. The password boxes are already treated specially, and there's no reason that the actual password has to be put in the password field, just substitute during form submission.

Not sure how there's a defense for printing them on the screen. Don't even need a master password, that's kind of unrelated.

That the Google Chrome security lead would go in public and make comments like that gives me great pause. They're not designing a crypto system; there is no all or nothing absolutism here. A computer system should have layers of risk. Equating having access to some valid session cookies to having the full password for everything is particularly stupid.

In short, not sure how that guy got the job unless nobody else wanted to deal with it and he was the only one to volunteer. Or perhaps Google is experiencing the bozo explosion.
posted by Llama-Lime at 11:10 PM on August 7, 2013 [1 favorite]


You realize that the builtin devtools on all major browsers also let you see the contents of a request by design, and those login requests will have your password in obvious plain text. That's almost as simple as changing the input type.

You worry about this being insecure? DON'T USE SAVE PASSWORD OPTIONS IN YOUR BROWSER, AND USE TWO FACTOR AUTHENTICATION WHERE AVAILABLE. Saved passwords are inherently insecure if the attacker is on your machine. End of story.
posted by aspo at 11:19 PM on August 7, 2013 [1 favorite]


I don't think anyone here's worried about the insecurity of this on their own machines.
posted by jason_steakums at 11:23 PM on August 7, 2013


What's with IT types and the whole "end of story" absolute ways of thinking? I am in the field myself, and actually worked with a guy who badgered me to no end about saying "unsecure" instead of "insecure," because WORDS MATTER! Was hard not to troll him in the name of establishing a new word with usage :)

I see the arms-crossed attitude sometimes when a change is involved that will be difficult for someone to implement, so they take the all-or-nothing tack. Usually there is a wholesome good-faith purism behind it, but all sorts of practical compromises have been made, the system as a whole is not perfect, and we have to live in the real world of these compromises and make little practical tweaks along the way to make it less easy for people to hang themselves. The absolute "all bets are off" attitude is common but I don't see it as much with hardcore security experts who are concerned with the end user part of the equation. You could say "people are stupid, all bets are off" and leave it at that but shit has to get done with a reasonable amount of risk mitigation along the way.

I've also observed that the "no no no why bother" IT guys often get tied up in little pet projects that make no sense in the larger context of the organization's needs and often have poor understanding of how encryption works, and will shoot things down as being "overly complicated" if they don't understand them. Obviously I'm a little too close to the subject :)
posted by lordaych at 11:37 PM on August 7, 2013 [3 favorites]


Saved passwords are inherently insecure if the attacker is on your machine. End of story.

This is so ridiculous. Everything is insecure. There is no security that cannot be defeated by an attacker. None.

Any security measure you take is just a speed bump that will stop or slow some attackers, but not others. All you can do is try to guess what are the possible attacks you're at risk for and then consider how big or what kinds of speed bumps you might need, how much they cost, and which risks are so unlikely it's not worth trying to defend against them.

The fact is that a master password is a big enough speed bump to stop some attackers, and I'm in a much better position than Google is to decide whether or not that's sufficient for my purposes. Which is one of the reasons I use Firefox instead of Chrome.
posted by straight at 1:11 AM on August 8, 2013 [5 favorites]


Google doesn't want you to have passwords. Google wants to store your authentication, so it can...what? Read all that data too? Hand it to the NSA?

See, that's the lovely thing about this. You "prove" you're you to Google, and then Google says "Oh, it's him, he's ok." Which means, well, Google can *be* you.
posted by eriko at 1:56 AM on August 8, 2013


Well, yeah: if you're running Google Chrome on your computer, then Google gets to represent you to websites. That's what a browser does. Any program you run which has access to the network gets to "be" you in this sense.

If you give Google Chrome access to your keychain, then Chrome has access to the encrypted passwords therein. It saves this access instead of saving your passwords.

Remember in Windows Vista, when the operating system would pop up every time you tried to do anything and ask your permission? That's the alternative to what Chrome is doing here. There already is a master password, but you just aren't required to enter it every time Chrome wants to fill in a password or a website form.
posted by cotterpin at 2:07 AM on August 8, 2013 [1 favorite]


To me, this is an interesting crossover of ways of looking at the situation. I'm not really that technically capable, and it really felt to me like it made at least some difference to have the master password in Firefox. I already knew that 'some' meant that it wouldn't deter someone intent on getting in, but I thought it would 'de-casualise' the process to some degree.

But I also agree with the more-informed insight that there really isn't any such thing as password-based security, and that from this perspective, a master password is just security theatre. I think on balance the notion of 'speed bumps' above is about right. It works in the real world too; there probably isn't any absolute security about anything, anywhere, but (e.g.) putting even a simple lock on your door prevents passersby from simply walking right in. (This has some value even if you left the back door wide open.)

Also, I will use 'unsecure' if everyone will stop using 'disinterested' to mean 'uninterested'. 'Disinterested' is what you hope the judge is going to be when she reviews your heinous vocab-krime. (I am already in trouble for starting sentences with 'but'.)
posted by aesop at 2:17 AM on August 8, 2013


This is so ridiculous. Everything is insecure. There is no security that cannot be defeated by an attacker. None.

Let's imagine they hide the passwords but still keep a list of sites with saved passwords. All you have to do as an attacker is load the site up. It's actually easier than knowing where their list of passwords is.
posted by empath at 2:20 AM on August 8, 2013


According to data from Mozilla, the master password feature is used by 0.0085% of Firefox users. If you were a producer of security speed bumps, and looked at that data, would you want to work on master passwords, or would you want to work on something that is likely to have more impact?

Chrome's process model, for example, is a speed bump that helps pretty much all of Chrome's 750 million users, vs 0.0085 * 750 million = 63,750. (1 / 0.0085%) = 11,765. One could plausibly argue that a Chrome developer, who spent 20 minutes of the last year working on a master password feature, and the rest of the year on the renderer sandbox, has allocated way too much time to master passwords.

(Disclaimer: I work on Chrome. Sometimes I make speed bumps, and argue with people about the best places to put them, but that's not my main job.)
posted by Courage is going from failure to failure at 2:25 AM on August 8, 2013 [12 favorites]


I think people are forgetting that anyone who is likely to save their passwords in their web browser is doing it because they don't want to enter a password every time and/or they don't want to remember it. A mandatory master password directly contradicts those two desires.
posted by ymgve at 2:30 AM on August 8, 2013


Or they don't want to remember 400 passwords but can handle one. Another example of how "all or nothing" is a bad way to think about people.
posted by jacalata at 2:52 AM on August 8, 2013 [6 favorites]


As mentioned upthread, something like a fraction of a percent uses the Firefox master password feature. It's clearly a feature that's not very much in demand.
posted by ymgve at 3:25 AM on August 8, 2013 [3 favorites]


First thing they'd say is "What is Chrome? Is that like Explorer/Safari?"

As far as I can tell, more people use Chrome than use Safari and Explorer put together.
posted by Elementary Penguin at 3:46 AM on August 8, 2013 [1 favorite]


Theory: Google is encouraging a controversy through ease of password access to move the industry in a new direction (say, biometric technology, like fingerprints) and away from passwords. They are flaunting the problem in a brazen way to "prove" that it's all just theater anyway, and are sitting on technology that they want the industry to adopt, they just need more momentum to get it there. Get the average unknowledgeable person irritated about security issues after their siblings log into their Facebook account, and they'll flock to the new technology that Google has already purchased or developed and will be unveiled in future Chromebooks.

That's the only way I can make sense of how dismissive Justin Schuh's responses have been thus far.
posted by SpacemanStix at 4:59 AM on August 8, 2013 [3 favorites]


Okay, here we go. I'm telling you, the brazenness in making it so easy to access passwords is being used to force this technology issue in the industry.
posted by SpacemanStix at 5:07 AM on August 8, 2013 [1 favorite]


Google could make it unlock based on one's Google password, of course.
posted by jaduncan at 5:20 AM on August 8, 2013


Ah, nostalgia. I remember people freaking out about this years ago in GAIM (now Pidgin). As somebody mentioned above, there already is a master password in place, it's your user account password.

And I'm still trying to figure out just who these "casual attackers" are that have physical access to your machine but like, 30 seconds at a time or something.
posted by kmz at 5:21 AM on August 8, 2013


Cats. They have really short attention spans.
posted by bonehead at 5:36 AM on August 8, 2013 [3 favorites]


Date on your laptop in the den while you freshen up.

Put it on TV in one of those crime shows - as a major plot point, and Mythbusters. USA informed.
posted by tilde at 5:38 AM on August 8, 2013


It's telling that Chrome and Firefox have similar password storage schemes, and nobody is giving Firefox a hard time. Now why is that?

Mozilla is power to the people and Google is The Man, or something like that.

As far as I can tell, more people use Chrome than use Safari and Explorer put together.

Do they actually use it, or do they just install it accidentally by not unchecking the box when they do one of the nagging security upgrades for (I think it is) Flash?

I'm telling you, the brazenness in making it so easy to access passwords is being used to force this technology issue in the industry.

This was my first reaction too.
posted by aught at 5:39 AM on August 8, 2013


SpacemanStix: That article specifies using a USB device in conjunction with a password so it's not really eliminating the password per se. Maybe Justin Schuh was simply drunk.
posted by enamon at 5:40 AM on August 8, 2013


Do they actually use it, or do they just install it accidentally by not unchecking the box when they do one of the nagging security upgrades for (I think it is) Flash?

Statcounter uses website hits, so actual use.
posted by Elementary Penguin at 5:47 AM on August 8, 2013


as compared to what, exactly?

This is a very important question that's being glossed over here. Passwords are an unsustainable security model, and everyone doing systems design knows it.

OK. Problem the first. Password strength. Passwords must be remembered by human beings - this means they are easy for machines to figure out, and to automatically check popular sites to see if the login works there, and to fingerprint user activity to see if the password will work at those sites as well. It probably will, as passwords must be remembered by human beings - we'll re-use our not-strong-enough password everywhere. We generally don't have the mental horsepower to remember dozens of random collections of characters.

So if a hacker* gets one of your passwords, he can typically grab the passwords to pretty much everything in your life.

To make things a little better, there are password management tools - these generate long-ass passwords made entirely of garbage characters and nonsense. Strong stuff, not easily guessed. You don't have to remember it, that's the tool's job - it will even enter it for you automatically, and in some cases, change it to a new one on a regular basis.

This is still not ideal, but it is BETTER. Lightyears better. But there are still issues.

For one, there's the way you identify yourself to your password management software. It's usually... another password! This one the human has to remember. So it's possible to guess it or steal it. (There's proof-of-concept malware that listens to you type and can guess the password by the sound of your keyclicks! No lie!)

Worse, there are automated password reset tools for all these sites and services, and these can be scammed with a number of attacks, from social engineering to email spoofing.

So, right now there's some push for two-factor authentication. Two factor generally means something you know (a password) combined with something you have (an RSA token or cellphone).

Bioinformatics is one avenue of two-factor authentication. My phone unlocks when it sees my face, for instance, and I had a laptop with a fingerprint reader at my last gig. These seem cool, but they can be defeated by a picture of my face or a signal being sent to the laptop after the fingerprint reader was pried out and a device pretending to be a fingerprint reader with a copy of my fingerprint soldered in... but still, way, way better than entering and saving "sw0rdfishLOL" on every site and service you use.

A better idea is an encrypted token, which is a piece of hardware that has software that has to have a conversation with other software - you can't copy it like you can a fingerprint or iris scan - but it's also got drawbacks. These are vanishingly small compared to ol' fashioned passwords.

Ideally, your password manager would rely on a biometric scanner and a hardware token. Hell, a token with a biometric scanner. Never remember a password again! Except - these solutions don't exist for the average user yet. They are a pain in the ass to set up and use. Large companies usually have an entire team dedicated to user authentication, and getting this stuff to run reliably gives them constant headaches.

And, still, websites and online services depend on passwords and email accounts or SMS messages to reset them, making them very vulnerable to takeover, which can be devastating even if the attackers only have access for a few minutes.

It's still Not Good that Chrome stores its passwords in plaintext - it's depending on your OS's security and you using your OS's locking and login facilities properly which may not be the most super idea - but passwords themselves are a crummy idea, implemented terribly.

(*YES, I'm using the term hacker for malicious computer expert. Go cry in your beer, nerd)
posted by Slap*Happy at 5:47 AM on August 8, 2013


If you are concerned about "casual hacking" by your friends / SOs / siblings / whatevers, lock your screen when you walk away from the computer. You should not depend on the browser to protect you, and I'm sure that if you are concerned about password theft from your browser's autosave feature that there are lots of other things that someone could do to your computer.

This is not Chrome's problem to solve.
posted by Kadin2048 at 5:53 AM on August 8, 2013 [3 favorites]


nobody is giving Firefox a hard time. Now why is that?

In part, among a certain set of users, it's because Firefox lets you set a master password. Chrome does not.

...or, phrased differently, Firefox says "if you want to do that, sure, I'll help"

Chrome says "You're stupid for wanting that. Do what I tell you, because I'm smarter."

Which is the problem some folks have with Google generally, in fact. Hence the kerfuffle.
posted by aramaic at 5:57 AM on August 8, 2013 [4 favorites]


TIL Computer nerds turn into libertarians about things that affect people at a lower user experience level than they are.
posted by Uther Bentrazor at 5:58 AM on August 8, 2013 [1 favorite]


or, put a nicer way, chrome says "barely anyone uses the master password function so we're going to spend our time on something else and go another way. if you don't like it, go be one of the 0.0085% over at firefox."

regardless, for casual users, the result is exactly the same - passwords saved in plain text that can be accessed with a few clicks or keystrokes.
posted by nadawi at 6:02 AM on August 8, 2013


From another point of view it's security homeopathy. One pharmacist is happy to sell what ever you want to buy, one is refusing to on principle.
posted by bonehead at 6:02 AM on August 8, 2013


In case anybody is wondering about the title.
<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
posted by DreamerFi at 6:04 AM on August 8, 2013 [11 favorites]


I think the answer is going to ultimately be biometrics. I think with the iphone coming out with a thumbprint reader, the answer will be openauth to apple servers. Google will have to follow suit with thumbprint readers on their own devices.
posted by empath at 6:04 AM on August 8, 2013


biometrics seems like a nightmare for handicap accessibility.
posted by nadawi at 6:09 AM on August 8, 2013


Mod note: Comment deleted. Sorry, what happens in Mefi Chat stays in Mefi Chat -- even if names and passwords are changed to protect the innocent.
posted by taz (staff) at 6:17 AM on August 8, 2013 [1 favorite]


Lots of devices have had fingerprint readers, but they still haven't caught on. I'm not necessarily convinced that anything is going to change.

I think that people are going to continue doing what they're doing, which is using passwords, poorly. Accounts will from time to time get hijacked. People who care about such things will use password-keeper programs. A very small number of sites will offer additional security features (like Google's 2FA) but the sort of people who turn them on will also be the sort of people who use password managers and aren't at risk of casual snooping anyway.

I don't think that there's really going to be a "solution". The problem is that most people really don't care that much. Passwords, even stored in cleartext on your PC, solve the problem that most people are afraid of: some random "hacker" on the far side of the planet stealing their identity and somehow ruining their life. Most people are not as fearful of people they know stealing their passwords, presumably because they can readily punch said people in the face (or subject them to some other social sanction, if you prefer).

The only reason why unified logon systems have caught on and may continue to spread is because they relieve site developers of the problem of safely storing passwords, and take away some of the friction related to getting new users to sign up for a service. The security benefit to the end user is basically a side effect.
posted by Kadin2048 at 6:22 AM on August 8, 2013 [1 favorite]


And if you don't change your mission-critical passwords on a regular basis (once a month, say, or after using a public machine), then how can Google protect against that?

Changing your password after using an untrusted machine is not a bad idea, but there's no real advantage to changing your password once a month no matter what.
posted by one more dead town's last parade at 6:29 AM on August 8, 2013


I'm confused about how some of the people here are using Firefox. I use a master password on my saved passwords. When I need to log into a web site whose password I have saved, I have to enter my master password. I don't have to type the actual password. It may not be super-secure, but it's better than nothing.

Add to that the fact that I need to log into my computer to begin with, and that I also don't save really important passwords in Firefox (I keep my banking passwords, etc., in a password-protected Keepass file), and I'm pretty confident that the casual-password-snooping problem is pretty well dealt with.
posted by Benny Andajetz at 6:30 AM on August 8, 2013


Thumbprint readers are a horrible idea. First off, people leave their fingerprints everywhere so it's relatively easy for a determined attacker to make a copy. After they have a copy, barring surgery, you really have no way of changing your thumbprint. It's like a password that you leave written down everywhere and that you can never ever change.
posted by enamon at 6:47 AM on August 8, 2013 [3 favorites]


You could just use your big toe instead though.
posted by elizardbits at 7:07 AM on August 8, 2013 [2 favorites]


barely anyone uses the master password function so we're going to spend our time on something else and go another way. if you don't like it, go be one of the 0.0085% over at firefox.

We are the 99.9915 percent!
posted by Garm at 7:42 AM on August 8, 2013 [1 favorite]


Walter Sobchak: You want a toe? I can get you a toe, believe me. There are ways, Dude. You don't wanna know about it, believe me.

The Dude: Yeah, but Walter...

Walter Sobchak: Hell, I can get you a toe by 3 o'clock this afternoon... with nail polish. These fucking amateurs...
posted by Elementary Penguin at 7:46 AM on August 8, 2013 [1 favorite]


There are a bunch of ways to recover this information, so the question is: do we want to add a layer of complexity to the attack to filter out the low hanging fruit?

Yes, because some people can only do low-hanging fruit. Don't leave your valuables on show in your car, right? There's nothing more secure about it … except that it offers less temptation to other people.

Looking at this data, Google has determined that someone using your computer to steal your passwords is not a significant attack that actually happens

In other words, it's the typical Google idiocy of only looking at scale. It's a seriously significant attack for the person it actually happens to, and there is no reason they should make that attack any easier than it already is.

There's no justification for it! It can't even be an education exercise, because they don't ever warn you they are making efforts to make your system's secure password storage insecure.

About the same as making someone use a DOM inspector to change the field or some other trick instead of just clicking a button to see the plaintext password.

People, especially aspo, are talking about the DOM inspector as if this is just how things should be and not a security hole in its own right. Why isn't the browser just putting a placeholder in there, that it replaces on form submission? If I change the password field type I should just see {com.google.chrome.passwords.facebook} or some other gibberish.

so the lesson for users is to behave like they're in a HIPAA/SOX type environment and constantly lock their workstation, using separate accounts for each user, etc. It would be nice to have gotten people moved to this phase long ago but it's not happening.

Users are actually in the real world. The world where you use your laptop as a jukebox for a party. Does that mean you have to lock the laptop every time you go take a leak?

Ugh, it is incredible and ironic the massive security holes engendered by a butt-headed obstinate employee at Google who knows too much about "security" and not enough about humans.
posted by bonaldi at 7:57 AM on August 8, 2013 [3 favorites]


Does that mean you have to lock the laptop every time you go take a leak?

I would think twice if that was the laptop that had my bank's login information stored on it. I wouldn't leave my bank card sitting around with the PIN on a post-it note either.
posted by bonehead at 8:04 AM on August 8, 2013


Users are actually in the real world. The world where you use your laptop as a jukebox for a party. Does that mean you have to lock the laptop every time you go take a leak?

I fail to see the distinction between the world where you can view the passwords through an obscure Chrome settings page and the world where you have to do five seconds of googling to download a 5KB view_chrome_passwords.exe executable to get at the passwords.

If the browser can get at your passwords to send them to a website, it needs to access them in clear text at some point. Anyone who has the same level of access to your computer as your browser can get at the passwords the same way the browser does. Even if the browser obfuscates your passwords to the best of its ability, it only takes one person to reverse that obfuscation and post a tool on the internet for the barn door to be opened.
posted by zixyer at 8:07 AM on August 8, 2013
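
The distinction drawn in the comment above, as an added sketch that is not part of the thread and not Chrome's or Firefox's actual code: a vault whose key sits in the profile next to the data can be opened by anything that can read the profile, while a vault keyed from a master password cannot be opened from the files alone. The function names, the dict layout, the iteration count and the HMAC-SHA256 encrypt-then-MAC construction (a standard-library stand-in for a vetted AEAD such as AES-GCM) are all assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # constructed value for this example


def _subkeys(key):
    """Split one 32-byte key into separate encryption and MAC keys."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a PRF-based keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first; raise ValueError on a wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("vault blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


# Design A: obfuscation. The key is stored in the profile beside the data,
# so the files alone are enough to recover the password.
def save_obfuscated(password):
    key = os.urandom(32)
    return {"key": key, "blob": seal(key, password)}


def read_obfuscated(profile):
    # Same steps for the browser at autofill time and for any other
    # process running with the same access to the profile.
    return unseal(profile["key"], profile["blob"])


# Design B: master password. Only the salt and the sealed blob are stored;
# the key is re-derived from what the user types and never written out.
def _derive(master, salt):
    return hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def save_with_master(password, master):
    salt = os.urandom(16)
    return {"salt": salt, "blob": seal(_derive(master, salt), password)}


def read_with_master(profile, master):
    return unseal(_derive(master, profile["salt"]), profile["blob"])


def demo():
    site_password = b"example-site-password"  # constructed sample value
    a = save_obfuscated(site_password)
    b = save_with_master(site_password, "example master phrase")
    results = {"A_from_files_only": read_obfuscated(a)}
    try:
        read_with_master(b, "wrong guess")
        results["B_wrong_master"] = "opened"
    except ValueError:
        results["B_wrong_master"] = "rejected"
    results["B_right_master"] = read_with_master(b, "example master phrase")
    return results


if __name__ == "__main__":
    print(demo())
```

Design B protects the files at rest; once the vault is unlocked, the derived key is in the browser's memory and the comment's point about equal-privilege access applies again until it is locked.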


People should probably not be using browsers to store any passwords that they care about.

Then, you could potty all the time, as it were.
posted by sandettie light vessel automatic at 8:08 AM on August 8, 2013


federated login system ... Given the security track record of most outfits, I really can't imagine trusting every part of my online identity to any one service

Yeah, that's the downside of federated login; you have to trust your login provider. But I think that's a better option now; the current password world has proven itself to be entirely awful. I'd trust a company like Google building a focussed authentication login product more than I'd trust a casual computer user to manage password hygiene. And federated login protocols allow a lot more options for security than the current password ad-hoc protocol we use. Time limited login cookies, centralized view of attacks against an account, meaningful revocation, one-time use logins, restricted capability logins. There's a lot we can do with a proper authentication protocol that we can't with passwords.

And if the centralization of authentication worries you, there's no reason (in theory) you can't have a widely federated login system. That was the core idea of OpenID actually, that a user could choose their own identity provider(s). It works, but most consumer websites have decided it's a bad user experience, too complicated. "Click here to log in with Facebook!" really does work for a lot of users.

You can also federate login all the way to the individual computer. Client-side SSL certificates have provided all the tools necessary for a secure alternative to passwords and have existed as a working standard since at least 1997. Unfortunately the early Netscape implementations were a terrible user experience. And managing SSL certs is a level of complexity I wouldn't want to saddle on casual consumers. But even that awkward tech is better than "I'll just use my dog's name on all these websites, what could possibly go wrong?"

Mozilla Persona is the most interesting consumer product I've seen trying to solve this problem in a while. For some reason it's not getting much traction, but the product design seems solid to me.
posted by Nelson at 8:15 AM on August 8, 2013


I wouldn't leave my bank card sitting around with the PIN on a post-it note either.
Yeah, except in this case your bank card has a feature it doesn't advertise where you just touch it in a special place and it reads your PIN aloud. So you don't think it has a post-it note on it … but it does. That's a failing on the bank's part, right?

I fail to see the distinction between the world where you can view the passwords through an obscure Chrome settings page and the world where you have to do five seconds of googling to download a 5KB view_chrome_passwords.exe executable to get at the passwords.

Because people have different limits on how much bad they're going to do. It's about temptation. If your email is open on the screen, say 10 or 20 in 100 passersby are going to read it. If they have to actively go to gmail.com and use your saved password to log in, I'd bet that's going to drop to more like 2 in 100. If they have to download and install something to get your gmail password so they can snoop on you later, that's down to less than 1 in 100.

All these figures are made up, but hopefully you see what I mean: the amount of work you have to put someone to in order for them to do something bad matters.

Can you protect your physical computer from a determined bad guy? Nope. Can you make it so a drunk friend of a friend will feel too guilty about what they're doing to carry on? Yep. Security in depth.
posted by bonaldi at 8:18 AM on August 8, 2013 [5 favorites]


If you are concerned about "casual hacking" by your friends / SOs / siblings / whatevers, lock your screen when you walk away from the computer. You should not depend on the browser to protect you.

If you are concerned about "casual hacking" by your friends / SOs / siblings / whatevers, you should pick up your laptop and physically lock it in a safe when you walk away from the computer. You should not depend on locking your screen to protect you!

If you are concerned about "casual hacking" by your friends / SOs / siblings / whatevers, you should securely wipe your hard drive when you get up to go use the bathroom. You should not depend on a single physical lock on a safe to protect you!
posted by straight at 8:26 AM on August 8, 2013 [4 favorites]


If you are concerned about "casual hacking" by your friends / SOs / siblings / whatevers, you should melt your hard drive's platters into a shiny ingot when you leave your house. You should not depend on a secure wipe algorithm to protect you!
posted by one more dead town's last parade at 8:31 AM on August 8, 2013 [1 favorite]


If you are concerned about "casual hacking" by your friends / SOs / siblings / whatevers, lock your screen when you walk away from the computer. You should not depend on the browser to protect you.

I don't think that was the point as much as it is a security hole that people really don't know much about, brought about by the default behavior of the browser and Google not giving you a heads-up (which is a related but different question to whether Google should be creating the risk in the first place). There's no ability to make wise and informed decisions about your behavior when you don't know a risk exists. So sure, you shouldn't depend on it. But if there's a default behavior that puts people unknowingly at risk, perhaps they should at least let you know about it, so you can know that you shouldn't depend on it.
posted by SpacemanStix at 8:32 AM on August 8, 2013


Because people have different limits on how much bad they're going to do. It's about temptation. If your email is open on the screen, say 10 or 20 in 100 passersby are going to read it. If they have to actively go to gmail.com and use your saved password to log in, I'd bet that's going to drop to more like 2 in 100. If they have to download and install something to get your gmail password so they can snoop on you later, that's down to less than 1 in 100.

I can accept that argument, but you have to keep in mind that you're comparing whatever mechanism that exposes your passwords to five seconds of googling to get a password tool. I can accept that memorizing a special URI and typing it in to the browser to access a settings page is slightly less friction than downloading a password tool, but I don't think that visiting a page and fiddling with the password field in the DOM inspector is.
posted by zixyer at 8:33 AM on August 8, 2013


According to data from Mozilla, the master password feature is used by 0.0085% of Firefox users.

From that link: The population for this study is approximately 12000 users who are on the Aurora and Beta channels, and a relatively small number of users who have opted-in by installing Test Pilot on the release channel. In other words, this population is not representative of the Firefox user base, since nearly all Firefox users are on the release channel.

(In the next sentence, she claims that the study group "is probably much more likely to change settings" than the Firefox user base, but offers no evidence of this assertion, particularly in reference to a setting that power users are likely to view with the same skepticism as Google.)
posted by straight at 8:35 AM on August 8, 2013


> I can accept that memorizing a special URI

No "special URI" needed. You can get there from the menu in a couple of seconds: Preferences/Advanced Settings/Manage Saved Passwords.
posted by lupus_yonderboy at 8:48 AM on August 8, 2013


I can accept that memorizing a special URI and typing it in to the browser to access a settings page is slightly less friction than downloading a password tool, but I don't think that visiting a page and fiddling with the password field in the DOM inspector is.

You don't even need to memorize the URI. Just go to Settings and click "Advanced" and it's right there.

And the difference with this list-o'-passwords and all the other options is that one is a feature while the rest are arguably security holes. There's no need for the DOM inspector to make this so trivial; there's no reason extensions should get access to passwords; the downloadable exe should be prevented from installation by the OS, etc, etc.

That's what makes it so confusing, to me. Why offer this up for free? What's the justification?
posted by bonaldi at 8:49 AM on August 8, 2013


As far as I can tell, more people use Chrome than use Safari and Explorer put together.


I gotta say those numbers look spectacularly unlikely to me. Between Chrome and Firefox it would mean that 53% of Internet users installed and use an alternative browser. This does not reflect what the non-technical Web users I know are even capable of.
posted by Tell Me No Lies at 9:05 AM on August 8, 2013


Ah, I see. They're measuring hits, not unique visitors. That seems a little more likely.
posted by Tell Me No Lies at 9:08 AM on August 8, 2013


> I gotta say those numbers look spectacularly unlikely to me.

Well, here's the source. The methodology is discussed in detail at the top of the article.

EDIT: oops, we posted at the same second!
posted by lupus_yonderboy at 9:09 AM on August 8, 2013


Thumbprint readers are a horrible idea. First off, people leave their fingerprints everywhere so it's relatively easy for a determined attacker to make a copy.

Real Life is not like Mission Impossible. No-one is going to sneak into your apartment in the dead of night to run a gummy bear hack to get your credit card numbers.

Also, modern readers have countermeasures in place - technology has not stood still since the gummy bear hack made all the headlines.
posted by Slap*Happy at 9:23 AM on August 8, 2013


Ah, I see. They're measuring hits, not unique visitors. That seems a little more likely.

Yeah, on reflection, the most likely explanation is that the non-technically savvy computer owner doesn't install a new web browser because they basically don't use the web in more than a cursory way. So while most users only have the default browser installed (I found other stats that suggest IE has a 53% share, frex), those users don't actually count for a lot of web traffic. So you are ultimately right in the way that matters.
posted by Elementary Penguin at 10:26 AM on August 8, 2013


Ha, speaking of Persona: Persona makes signing in easy for Gmail users. If you use Firefox you can now log into Persona-enabled websites using your Google credentials. "Gmail users can sign into sites with Persona, but Google can’t track which sites they sign into".
posted by Nelson at 10:37 AM on August 8, 2013


Why offer this up for free? What's the justification?

Ease of use, I think.

The arguments come down to: is it worth it to Google to support independent password encryption. Google contends that it's not worth implementing and supporting, given apparently very small use of those features and their relatively minor marginal benefits.

Clearly there are many here who don't believe that, but I'd argue that those folks would be better served not trusting Google (or Firefox or Apple or Microsoft) with their passwords at all, and using a third party product that doesn't require trusting anyone.

A laptop with Lastpass set to a 10 minute time out could be left out when you're not in the room with little risk. The FF system isn't that flexible. If you've left a browser open, that isn't going to stop your friends from logging into Facebook and changing your status to reflect a romantic attraction to barnyard animals. Third party solutions are always going to offer better options.

Google's argument is that either you care about this, or you don't. In their view, half measures increase costs without measurable benefits, based on the data they have. Google's approach seems to be that if you don't care about it, they'll make things as convenient for the user as possible, because why not? If you do care, your best option is not to trust anyone at all and use one of the password managers, for which there are several good choices.
posted by bonehead at 10:50 AM on August 8, 2013 [1 favorite]


I want to be Chie.
posted by kmz at 10:50 AM on August 8, 2013


The arguments come down to: is it worth it to Google to support independent password encryption. Google contends that it's not worth implementing and supporting, given apparently very small use of those features and their relatively minor marginal benefits.

Thing is Google is actively subverting the OS password encryption here, at least on Mac. The keychain goes to some lengths to prevent the plaintext of the password being viewable, while Chrome then serves that up on a plate.

And when you talk about costs, that's when it gets really weird: they had to do extra work to implement this, they had to spend money to make their security worse. There's no benefits for the users, because they could already read their passwords in a secure way from the Keychain app, there are only drawbacks.

As for "why not?" I think the whole of this thread is about that. Google is essentially abdicating responsibility and any care for the non-technical here. That's not a great look for them.
posted by bonaldi at 11:02 AM on August 8, 2013


"Thumbprint readers are a horrible idea."

I think they're pretty nifty. I've got a nice Eikon model that's way better than the crappy Microsoft one I bought first. Unfortunately, the company was purchased by Apple or something.

Anyway, I have to confess that the only thing I use it for is my login to Win7.
posted by Ivan Fyodorovich at 11:18 AM on August 8, 2013


and using a third party product that doesn't require trusting anyone
Umm. Am I missing something or don't you have to trust the third party?
posted by edd at 12:01 PM on August 8, 2013


The FF system isn't that flexible. If you've left a browser open, that isn't going to stop your friends from logging into Facebook and changing your status to reflect a romantic attraction to barnyard animals.

But they can't do that if they don't have my master password.
posted by Benny Andajetz at 12:15 PM on August 8, 2013


I'm not getting people here who don't understand the difference between the casual intrusions of average consumers and the determined attacks of a savvy hacker/criminal.

Here's an example. In my office everyone uses their personal laptops. It's an open environment, nobody has offices. If someone goes to lunch or to a meeting, they'll more than likely lock their computer. If they're running to the bathroom, they might lock it, but not always. Going to grab something from the printer? Probably not locking it.

So let's say someone creepy has a thing for a co-worker, and gets a hankering to poke around in her email/social media. There's a HUGE difference between...

a) Needing enough time and access to download a hack or find a system file and...

b) Being able to copy down all of her saved passwords in the time it takes her to run to the printer and back (giving him ample time to do his snooping around later from home).

Even with auto-fill of passwords into sites with saved passwords, there's only so much damage a person with consumer-level skills can do in that short time period.

I'm a bit more savvy than the average consumer, and I was still surprised by this. Mainly because I switched from Safari to Chrome, and in Safari you're prompted for your user account credentials when you click "show passwords" in the preference pane. It's such a simple and expected solution that it never occurred to me that other browsers would do it differently.
posted by billyfleetwood at 12:39 PM on August 8, 2013 [4 favorites]


I used to work on the Chrome team.

In my opinion, the current password security design is broken, and is based on what's easy to do in a low-effort HTML-based implementation of Settings, vs the more secure platform-native Settings UI that Chrome had many versions ago.

Furthermore, whatever happens on other platforms, it is most definitely wrong to show passwords without authentication on Mac, since Apple's Keychain app has given users clear expectations about how this is supposed to work.
posted by w0mbat at 2:46 PM on August 8, 2013 [8 favorites]


Looking at this data, Google has determined that someone using your computer to steal your passwords is not a significant attack that actually happens.

At a scale that matters to Google Inc. At the scale of the mom or dad whose teenage children impersonate them online - it matters.
posted by srboisvert at 4:06 PM on August 8, 2013


Wired's take: Why Everyone Is Pissed Off About Google Chrome’s Sound Security

"So as a practical matter, Google should probably capitulate to the outrage and erect a barrier in front of the Chrome Password Manager. What’s terribly unfair about this, of course, is that in two years there will be another outraged blogger discovering that this barrier provides no real security, and Google will go through the wringer all over again."
posted by GuyZero at 8:27 PM on August 8, 2013


why wouldn't a browser requesting master password authentication before filling a password field resolve any security threat from using DOM inspection?
posted by cupcake1337 at 11:38 PM on August 8, 2013 [1 favorite]


What’s terribly unfair about this, of course, is that in two years there will be another outraged blogger discovering that this barrier provides no real security, and Google will go through the wringer all over again.

And so they should, until they fix this. People are not demanding some magic level of impossible security here -- it needs to be possible to recover the plaintext, so nothing will be absolutely secure against someone with physical access -- but they can raise the bar much, much higher than it currently is.
posted by bonaldi at 3:06 AM on August 9, 2013 [1 favorite]
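
One way a browser could raise the bar in the sense of the comment above, as an added example that is not part of the thread and not Chrome's or Firefox's code: saved passwords are encrypted under a key derived from a master password, and the master password is requested on every reveal. The store layout and the names `sealEntry`, `openEntry`, `revealPassword` and `buildSampleStore` are assumptions made for illustration; it runs under Node.js.

```javascript
// Added example: saved logins encrypted at rest under a master password.
const crypto = require('node:crypto');

// Derive a 256-bit key from the master password; scrypt makes guessing slow.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt one saved password. The site name is bound as associated data so a
// ciphertext cannot be silently moved to another site's row.
function sealEntry(key, site, password) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(site, 'utf8'));
  const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  return { site, iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong or the row was altered.
function openEntry(key, entry) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, entry.iv);
    d.setAAD(Buffer.from(entry.site, 'utf8'));
    d.setAuthTag(entry.tag);
    return Buffer.concat([d.update(entry.ct), d.final()]).toString('utf8');
  } catch (err) {
    return null; // authentication failed: wrong master password or tampering
  }
}

// "Show password" handler: asks for the master password on every reveal and
// keeps no key between calls.
function revealPassword(store, site, masterPassword) {
  const entry = store.entries.find((e) => e.site === site);
  if (!entry) return null;
  return openEntry(deriveKey(masterPassword, store.salt), entry);
}

// Constructed sample store (values invented for this example).
function buildSampleStore(masterPassword) {
  const salt = crypto.randomBytes(16);
  const key = deriveKey(masterPassword, salt);
  return { salt, entries: [sealEntry(key, 'example.com', 'hunter2')] };
}
```

This protects the stored file and the "show" button against someone who does not know the master password. It does nothing for a password the browser has already autofilled into a page in an unlocked session.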


Any ideas what the master password recovery procedure should look like? I can think of all sorts of solutions when you have managed machines, but for a home machine you need something that anyone sitting at the machine can execute and is guaranteed to work. So anything requiring the user to type some previously entered piece of information is a non-starter.
posted by Mitheral at 7:31 AM on August 9, 2013


How do smart phones with their screen lock codes handle this? Do you have to take the phone into your vendor?
posted by Mitheral at 7:32 AM on August 9, 2013


On Android, if you enter your pattern wrong 5 times you get a "Forgot pattern?" button that prompts you for the Google account details you used to set up the phone: username & password. So it falls back to the hard security perimeter, the password.
posted by GuyZero at 9:05 AM on August 9, 2013


If the Google account is something you never use, so you don't know that password, what is the fallback past that?
posted by Mitheral at 10:35 AM on August 9, 2013


Some Android phones have a boot-time key sequence that can be used to reset the phone I guess. It's no different from a traditional GSM phone where if you forgot your lock PIN you're basically hosed. There's a potential security issue in that when you reset the phone the SD card remains untouched so that photos or anything else there becomes exposed.

But at some point you generally have to remember stuff.
posted by GuyZero at 11:09 AM on August 9, 2013




This thread has been archived and is closed to new comments