Chrome showing my passwords

I just downloaded the latest stable release of Chrome at work (10.0.648.151).

I realized that if you choose to store passwords, if you go to Options --> Personal Stuff --> Passwords --> Managed saved passwords...

you can click a "Show" button next to saved password, to reveal the pass.

Is there a way to disable that?

I like to store my passwords, so I don't have to type them every time, but like this anyone can enter my options and see my passwords...

 

No, I am guessing there isn't because - I suppose - the logic runs - what happens if you forget your passwords or get them mixed up? I agree that this is pretty lame, but hey...!

OTOH, you may try apps like LastPass or something like that to have an independent password manager - I think it helps from the portability angle too. Never tried it though.

 

Now that you said that I realized FireFox does this too.

 

^ you are right... I just realized too...

isn't that a major security flaw?

maybe I'm too paranoid, but if you go AFK for a second and forget to lock windows, anyone can see all your passwords...

 

There is reason for having multiple user accounts at work. No other user (except the admin) can see your personal stuff.

 

yeah... I guess locking windows when going away from the computer is actually more important than I thought...

 

Both FF and Chrome do this. Your passwords are encrypted on the disk. If you want to be secure just lock your computer when you walk away from it.

edit: It's important to note taht even if they didn't have that page I could easily go on your computer, go to gmail or whatever email provider you use, and log in just as easily. I could even run a very simple javascript on the page to see your password.

 

yes, but just becasue its easy, it doesn't mean FF/Chrome should make it even easier...

 

They could at least have a password for the, erm, passwords, lol. I don't know why they even allow you to show them though. If you forget them there's always a way to reset them which is inherently more secure than just showing them all with the click of a button.

 

They should have like a master password or something to enable seeing the others.

 

Instead of using a web browser to store your password, why not just use Windows' built-in Credential Manager?

 

Firefox lets you define a master password to hide all your other passwords, doesn't it? I think then it asks for the master password once per browser session, and again whenever you save a new password to the list.

 

There are other options, but the point being that we expect our passwords we saved with a click of the button to not have such a random feature...

 

Didn't know it existed until you mentioned it and looked at it and seems quite complicated. It's not streamlined nor is it automated with websites that I can tell.

 

Which seems to be our purpose, not to only remember, but for logging in.

 

What you expect is the purpose of the function and the actual use of it are wholly separate things. If you can't be bothered to read up on the feature, you're asking for all the consequences to drop down on you like a ton of bricks. This is true of just about anything.

IMO, saving passwords to a browser is for the convenience - it saves average joe the time of opening up a text file to do some copypasta. I doubt they'll mess with making the browser itself responsible for securing your data for a very long time, as a matter of security. Why store sensitive information inside the program that's most attacked? ESPECIALLY with open(ish) source code.

*afterthought*

if you were concerned with password security, you'd be using lastpass/keepass or some variant, or sticking them all in your head, regardless of complexity. personally, i go with the latter, although i do end up having to use the "lost password?" function because of it

 

Well they can just eliminate the option to view passwords, or require you to enter your Windows password at least, if that's even possible.

IE8/9 doesn't expose any passwords.

 

IE8/9 is a great example.

Let's say I steal your computer and you have IE8/9 and it stores your passwords but doesn't expose them.

I log onto gmail, aol, yahoo.com's mail providers and try to get to yours. EVentually I find it.

a) I run javascript to pull the password from the autofill
b) I simply log onto your email and have all of your info anyway

 

It's a convenience feature, not for security.

 

use lastpass or smth similar

 

Yeah, that's easy to do...

It's one thing for someone to hop on your computer and pull data off quickly without doing anything, another thing completely to have to execute an extra program to extract something.

 

^ sure, someone with no knowledge about scripting or related stuff can click their way to the "show password" thing.

 

The javascript isn't a program. It's literally like... 20 characters and it pops up a nice near alert box with your password.

Master password won't defend you from a keylogger (which could easily be isntalled with a USB in moments) and a master password won't protect you from someone sitting at your computer.

If you want to protect your computer just lock it when you walk away. If that isn't an option, don't save your passwords.

Honestly, who in their right mind leaves their laptop around?

edit: Again, not to mention that all they have to do is go to "gmail, yahoo, aol" until they find yours. 9/10 times they'll find it in one of those three. Searching history only makes things easier.

Honestly, what would the master password protect you from? You walking away from your laptop for 5 minutes? Why in the hell would anyone in their right minds do something like that? lol

 

Accidents happen.

 

Walking away from your computer in a public area is not an accident. Besides, chances are if someone wants your computer they won't go through your passwords... they'll walk over and take it.

 

Maybe not in public, who knows? Maybe in a dorm... idk. The point is that some people would like a master password or something because they would feel more protected.

 

The problem is that people "feel" protected when they aren't. They should not feel protected. They should never leave their computer like that, master password or not. If you leave your computer LOG OUT. That's the best solution right now, it works a hell of a lot better than a master password.

A false sense of security is a huge vulnerability.

 

Wow good point. If they think they are secure, they are all the less secure. Perhaps it is better to know they are not. But thats just it! I thought the passwords were securer than this until just now. Most will get their false sense of security by simply not knowing that they can have their passwords viewed like this.

I never keep my computer unlocked anyways

 

That's a very good habit honestly. I see a lot of people who think that the master password will save them when their computer is stolen or when they leave it alone. It is NOT a proper defense and the illusion of security that it provides is more dangerous that not having it at all by far.

 

To feel that it's fine to have exposed passwords is ridiculous. Sure there's other ways around it but it requires extra effort and a little skill, more time, and a lot more balls. I could walk up to any laptop in ten seconds and steal a password, but actually running a script, trying to log in, etc takes a lot longer.

 

Think of it this way:

Someone walks up to your laptop, are they going to sit down at it and look through your crap waiting for you to come back? No.

They're going to take your laptop and walk away.

Lock your computers and stop walking away lol

What google SHOULD implement is a way to stop Chrome from opening without a password/ lock your Chrome sessions while you're away. Or force users into a "guest mode" like on the CR-48.

Master password would be the wrong approach to this problem.

 

Saving and viewing passwords is an option...And you can turn it off or edit the ones that are saved.

 

thats exactly what I was trying to say before, but much better phrased.

We are not talking about someone who could steal your laptop... of course that person will just take it!

or a skilled person who will run scripts to get you banking password and steal your money...

We are talking about a girlfriend who wants to go through your private mail, or a friend who wants to log into your facebook account and type "I pick my nose" in your status...

 

Agusman, neither of those situations will be prevented by a master password. Your girlfriend just has to log onto your email... whether she can see your password or not is irrelevant. Anyone can go to your computer and log onto facebook, again, the password is irrelevant.