Rixstep
	`About \| ACP \| Buy \| Industry Watch \| Learning Curve \| News \| Products \| Search \| Substack`

Home » Learning Curve

The Chrome Password: A Really Bad Idea

You the user need to be aware of the dangers and avoid trusting Chrome (and Firefox) for now.

Get It

Try It

There's been quite the kerfuffle over the rediscovery of the shortcomings in the Google Chrome browser password scheme. Chief security techie for Chrome Justin Schuh has defended the Google policy, and many agree with him, although many more, including Sir Tim himself, disagree.

But the Chrome password protection scheme, similar to the one used by Firefox, is not good, and Justin Schuh is wrong, and so are all the others who agree with him. Why Google's chief of Chrome security should miss something so obvious is not known. It might be a matter of inexperience, or it might be a matter of expediency. But it's still wrong, so wrong that users should not trust it.

Background

The discussion of Chrome's password insecurity has essentially revolved around one aspect of the issue, one aspect only: access to the user account. But a quick look at the way most online services work, and a deeper look at how Apple's system works, make it patently obvious the Chrome system is lacking. So until Chrome (and Firefox) fix their protection schemes, it's strongly advised you don't trust either of those applications with your passwords.

It was Elliott Kember who rediscovered the issue in Chrome when migrating from Apple's Safari. Elliott wanted to import his Safari bookmarks into Chrome and was greeted by the following dialog.

Elliott could opt out of importing browser history and bookmarks, but not out of passwords or search engines. Elliott was most concerned about the password import option - or rather the lack of such an option - and decided to dig deeper.

Apple's keychain scheme is a fairly secure way to store passwords. What would Google do to achieve the same level of security?

Elliott found that Google did nothing. Sean Collins of Core IT Pro reports that Firefox doesn't do anymore either.

Firefox just has a button to reveal all your passwords, then an 'are you sure' speed bump dialog box.

The father of the World Wide Web doesn't like this.

The key is in what Sir Tim writes. He's not talking about using someone else's passwords - he's talking about getting them.

Apple's scheme is straightforward and effective. Your passwords are stored in the encrypted keychain. Individual applications can request passwords from the keychain system, but you the user (or whoever is posing as you) never get to see them.

To actually see the passwords, you need to run the Keychain Access application. The Keychain Access application will list all your saved passwords, but it won't display any of them in clear text. To see any given password in clear text, you need to authenticate - you need to prove you are who you claim to be.

This has a direct parallel at most websites. Twitter, Facebook, Amazon, and all the rest will require that you submit your password before changing it. Online forums behave the same way. The reasoning is patently apparent: namely that anyone can wander by your physical machine and take advantage of it being unguarded.

Local applications on OS X behave the same way. CLIX is loaded with failsafes, just in case you 'slip up'. The command line sudo behaves the same way, jumping through myriad hoops to make sure an interloper isn't trying to trick the system's authentication process. Mistakes do happen; the 'human factor' cannot be disregarded. Proper computer security takes the 'interaction' between man and machine into account, and failsafes are built into all types of security systems, not just those that pertain to computers. The end effect's the issue - keeping you safe.

Unfortunately Justin Schuh and his advisers don't see things that way. Justin defends the Google policy on the grounds that physical access to a user account gives the interloper complete access to the local machine. One wonders how much experience Justin has with OS X or any other secure (Unix) system. For being able to type at a keyboard on such a system is one thing, and 'getting root' is quite another.

This seems to be something that Sir Tim, a long time OS X user and a NeXTSTEP user before that, understands intuitively.

Justin's Dilemma

It may not be possible to secure passwords on Chrome for Windows as one can on Apple's OS X. Justin insists Chrome uses Apple's keychain on OS X, but this seems to be patently false. Many people are clamouring for a 'master password' for Chrome password display, and this is a great idea, provided that the master password can be stored in a secure fashion.

Mac users should always avail themselves of the following fundamental security policies.

Set your screensaver to require a user password to return to your screen.
Use the 'Sleep' command on your Apple menu whenever you leave your workstation.
Make sure your password isn't easy to crack.

Most intrusions happen in the physical space. It can be a family member poking about, or someone at work doing the same. Gaining access to your machine and your user account is not what you want, but it's not the end of the world if the system itself is secure.

OS X itself is secure in this regard. Should you leave your Mac unguarded, then yes, an interloper can access it and use it and most likely use your accounts at websites where you are already logged in or where your local web application has already been authorised by you to access your keychain.

But the interloper cannot see your passwords, the interloper cannot copy out your passwords with pen and paper or with a text file saved to a USB thumb, the interloper cannot take away your passwords to use somewhere else. The websites don't ask about your physical location, your MAC number, your IP, or any of that when authenticating you. They don't know it's not you when that interloper at home or at work logs in to your accounts and starts data mining and wreaking havoc.

Google's scheme for password use and password protection is a really bad idea. You the user need to be aware of the dangers and avoid trusting Chrome (and Firefox) for now.