Google Chrome Security Issue that everyone knows about

Disclaimer: This involves making changes to the Windows Registry. You follow these steps at your own risk - it is recommended that you backup your registry before carrying out the following:

1. Save these instructions and close all instances of Chrome

2. Open the Windows Registry Editor by going to Start > Run (or searching for Run from the Start menu)

3. In the box that appears, type "regedit.exe" (without quotes)

4. Navigate to:


HKEY_LOCAL_MACHINE\Software\Policies


5. Right click on Policies and select New > Key

6. Enter "Google" (without quotes) and press OK

7. Right click on the "Google" key you just created

8. Select New > Key

9. Enter "Chrome" (without quotes) and press OK


You should now be at the path:


HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome


10. Right click on the "Chrome" key you just created

11. Select New > DWORD (32-bit) Value

12. Name the value, "PasswordManagerAllowShowPasswords" (without quotes) and press OK

13. Right click the DWORD value you just created

14. Select Modify

15. Enter "0" into the Value data box and press OK

16. Close the Windows Registry Editor


Now open Chrome and press Chrome Menu > Settings, you should now see a yellow bar that reads, "Some settings are managed by your administrator." Press Show advanced settings > Passwords and forms > Manage saved passwords. You should now notice that you can no longer click on any passwords to show them - they are no longer shown in clear text.
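
The registry steps in the post above, scripted in PowerShell (an added example, not part of the original post). The key path, value name and data are the ones given in steps 4 to 15; the backup file location is an assumption made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the manual regedit steps above.
# Run it as a script from an elevated PowerShell session.

$KeyPath   = 'HKLM:\Software\Policies\Google\Chrome'      # path reached after step 9
$ValueName = 'PasswordManagerAllowShowPasswords'         # value name from step 12
$Desired   = 0                                            # value data from step 15
$Backup    = Join-Path $env:TEMP 'chrome-policy-backup.reg'  # assumed backup location

function Get-PolicyState {
    # Returns the current DWORD, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

# Step 1: the post asks for every Chrome instance to be closed first.
if (Get-Process -Name chrome -ErrorAction SilentlyContinue) {
    throw 'Close all instances of Chrome before changing the policy.'
}

if (Test-Path $KeyPath) {
    # The disclaimer recommends a backup: export the existing policy key.
    reg.exe export 'HKLM\Software\Policies\Google\Chrome' $Backup /y | Out-Null
    Write-Output "Existing policy key exported to $Backup"
} else {
    # Steps 4-9: create Policies\Google\Chrome. Only done when the key is
    # missing, because New-Item -Force on an existing key discards its values.
    New-Item -Path $KeyPath -Force | Out-Null
}

Write-Output "Value before change: $(Get-PolicyState)"

# Steps 10-15: create (or overwrite) the DWORD and set it to 0.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
    -Value $Desired -Force | Out-Null

# Read the value back so a failed or redirected write is not silently accepted.
if ((Get-PolicyState) -ne $Desired) {
    throw "$ValueName was not set to $Desired under $KeyPath."
}
Write-Output "$ValueName is now $Desired under $KeyPath"
```

After running it, open chrome://policy in Chrome to confirm the browser lists the policy and accepts it.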
 
Someone would need direct access to your PC, and why on earth would you save your PayPal password, regardless of whether it's easily found or not? If this truly concerns you then I suggest the following:

Don't use any Windows or OSX software that is for email; those store your password in hash but show up as plain-text through the program.

Don't use Chrome, Safari, Opera (or other Chromium based browsers as well as all legacy Opera apps).

If using KeePass, LastPass, 1Pass, etc. require master-login password authentication before your computer decrypts your login and notes data.

Don't use Windows; a Windows Administrator account that's password protected is incredibly easy to override.

Don't use OSX for the above reasons as well.

Don't save passwords on any instant messaging program, even those that are very secure. The method they store their passwords is easily beaten with a simple application that decrypts the user passwords instantaneously.

Master passwords won't save your security conscious mind against a person who is determined to get your password without your knowledge.
 
Chrome doesn't offer to save my PayPal password, and even if it did, they'd still need my mobile phone to be able to receive the SMS for 2 factor log in, or be able to answer the two extra secret questions.

The fact Chrome / Firefox are saving the passwords is IMO irrelevant. Take for instance, on my Laptop, SecureCRT saves a copy of my private key to SSH directly into my server.......which is the same as saving the password in your browser. Granted, you can make it more secure with a passphrase, but a lot of people won't have that enabled.
 
:ROFLMAO: I thought this was common knowledge.

My simple solution, don't use chrome to save your passwords ;)
 
:ROFLMAO: I thought this was common knowledge.

My simple solution, don't use chrome to save your passwords ;)
You shouldn't trust any browser to store passwords.

I don't even fully trust something like LastPass, but they're a better option than a browser which is often open to exploits.
 
Where I work, the issue isn't with storing your passwords in your browser. The issue would be "why have you left your PC unlocked while not attended"
Where I work the issue would be "why is your password written on a post it note stuck to your monitor" :cautious:
 
A bunch of reporters and people overreacting.

As @OSS 117 already stated, saving sensitive passwords may it be on your workplace or home or anywhere in any browser is not a good idea. Why save PayPal and banking account passwords anyway? What good is human memory for then. Try to remember the few very sensitive passwords at least.
 
I don't usually save any passwords. Most of the sites I frequently use (or don't really have anything sensitive on) I just have "remember me" ticked. This means the same attacker who is sat at my PC looking through my saved passwords can just as easily click one of the frequent sites on my Chrome homepage and login without needing the password.

You'd be an idiot to save passwords for banking information anyway really. Plus, don't most banks have a two-step authentication process? Mine uses a pinsentry system requiring a one-time code to be entered alongside my password.
 
A needed evil, no escape.
Can't just memorise every password nor uniform my passwords.
I think it is a matter of calculated risk for normal people like me, it is safer to let the browser save the passwords rather than using one password across the net.
 
I don't understand why someone considers this an issue. The same happened with firefox a few years back, then they changed it so the master password encrypted the password, and not just obfuscated it in the GUI. It doesn't really matter though, once someone has physical access to your computer, you have already lost. Your admin password can be cracked in a matter of minutes with commonly available tools, such as ophcrack: http://ophcrack.sourceforge.net/

Try it once, you will be surprised about how easy it is to gain access to your admin password.

Your best bet is to not store any passwords for critical user accounts, especially those that involve your money, or store your card information.
 
I don't understand why someone considers this an issue.
Well. It's not just about storing passwords. For example, if you frequently visit a forum, it makes sense to check the "remember me" box, so you don't have to login every time. This is convenient, as logging in every time you visit a website is an annoyance, even if you know the password just fine. When you do this with the default FireFox settings, your password also gets logged in FireFox. It doesn't tell you it does it however, it just does. (and please remember that not everyone is a tech person and most people don't even think about this stuff). Now, if you go to the FireFox / Chrome settings, with one click you can view every stored website, username and password at once. In plain text. Yes, you need access to the computer which kind of limits the dangers to outside hackers. On the other hand, it does enable people who do have access to the computer to get access to every account, username, and password. Again, it doesn't mention this to users and people who don't know better, have no clue they basically put a post-it on their pc with all their logins.

Now, you may use a master password to protect this, which kind of fixes the issue. However, at least in FireFox back when I started using it, this was not default. You had to specifically enable this. And guess what a lot of non-techy people won't do or know?

It might not be a security hole. However, it does do a lot of things it doesn't tell you it's doing, which happen to be very poorly protected things at that.
 
Well. It's not just about storing passwords. For example, if you frequently visit a forum, it makes sense to check the "remember me" box, so you don't have to login every time. This is convenient, as logging in every time you visit a website is an annoyance, even if you know the password just fine. When you do this, your password also gets logged in FireFox / Chrome. It doesn't tell you it does it however, it just does. (and please remember that not everyone is a tech person and most people don't even think about this stuff). Now, if you go to the FireFox / Chrome settings, with one click you can view every stored website, username and password at once. In plain text.
Utter tosh.

If you're not using the stored passwords feature in your browser (and I don't), the browser doesn't log your password. Any 'remembering' on frequently visited sites like Xenforo is done with cookies and these don't contain your passwords either.
 
Utter tosh.

If you're not using the stored passwords feature in your browser (and I don't), the browser doesn't log your password. Any 'remembering' on frequently visited sites like Xenforo is done with cookies and these don't contain your passwords either.
How clever.

Except, these are the default settings for FireFox on a clean install:

default_FF.webp


Remember how I was talking about less techy people that wouldn't know these settings existed, let alone change them? Exactly.
 
How clever.

Except, these are the default settings for FireFox on a clean install:

View attachment 53526

Remember how I was talking about less techy people that wouldn't know these settings existed, let alone change them? Exactly.
That's completely different to what you asserted in your previous post, which was that clicking on the "remember me" box in websites such as Xenforo causes your passwords to be remembered in your browser. It doesn't. Having "Remember passwords for sites" ticked in your browser is what remembers your passwords.

If you're going to explain things to people, especially the "less techy", then you have to do so correctly or they will panic and never use the "remember me/stay logged in" box on websites when it is perfectly safe to do so when you don't have "Remember passwords for sites" enabled in your browser.
 
That's completely different to what you asserted in your previous post, which was that clicking on the "remember me" box in websites such as this causes your passwords to be remembered in your browser. It doesn't. Having "Remember passwords for sites" ticked in your browser is what remembers your passwords.

If you're going to explain things to people, especially the "less techy", then you have to do so correctly or they will panic and never use the "remember me/stay logged in" box on websites when it is perfectly safe to do so when you don't have "Remember passwords for sites" enabled in your browser.
Yes, but it doesn't remember passwords when "remember passwords for sites" is checked unless you check the remember me box, right? (serious question, I'm not sure.) If so, considering that "remember password for sites" is the default setting in FireFox, which most people won't change, will actually cause the remember me box to save your password in your browser, right? So in the end, as long as you don't change the default settings, the effect is as I described? And while you could change those settings, FireFox doesn't let you know they exist, nor does it tell you the effect of having these default settings, right?
 