Google Chrome Security Issue that everyone knows about

@King Kovifor is spot on.

It is completely irrelevant as to whether or not you have "stay logged in/remember me" ticked on a website. If you have the "Remember passwords for sites" enabled in your browser, when you visit a site and use a password the browser will ask you if you want it to remember the password or not and you can choose Yes or Never. It'll ask you this whether or not you have "stay logged in/remember me" ticked on a website.

Go and try it for yourself using this website and you'll see this.
 
That isn't the definition of a security hole.
And this [show] button is a massive hole in securing passwords.

chrome://settings/passwords

Unbelievable.

At least Firefox 23 has a Master Password option.
I'm back to Firefox until this gets fixed.

I disagree. The only permission boundary that matters is the OS user account. If I have access to your account, I can grab your history, dump all your session cookies, install account-level monitoring software, install malicious extensions that intercept your browsing activity, etc. Whether or not I got your stored passwords is the least of your worries, really. That master password is nothing more than a false sense of security.

For example, it's dead simple to circumvent Safari's password security mechanism by querying the keychain without prompting for a password. It's rather trivial to retrieve stored passwords for other browsers, as well. That's exactly why Chrome's mechanism is designed the way it is -- no false sense of security.
 


Why not show the password in plain text here as well then?
Why false security in this context?

http://mashable.com/2013/08/07/chrome-password-security/

I expect a master password in the next version of Chrome.
 
The password input type obscures the password from viewing. It does this so that anyone who's watching your screen as you log in can't see what you are typing. That isn't a 'false sense of security'. That's actual visual security.
 
Yes, use a service like LastPass.

If anyone is security conscious then they wouldn't be saving passwords in the browser.
If anyone was security conscious they wouldn't be saving passwords anywhere, especially with a third party company. Yes, they encrypt your password; however, all encryption can eventually be cracked.
 

Why not show the password in plain text here as well then?
Why false security in this context?

http://mashable.com/2013/08/07/chrome-password-security/

I expect a master password in the next version of Chrome.

It's to prevent shoulder surfing, but the presumption is that the correct person is actually at the keyboard. When you choose "show", the presumption is that you're aware of who is around you. If I'm at your keyboard and your account is unlocked, you've already lost.

Once I have physical access to your machine and can run Chrome (or any application), it's game over. Regardless of whether Chrome prompts me for a master password or not.

Edit: typos
 
If anyone was security conscious they wouldn't be saving passwords anywhere, especially with a third party company. Yes, they encrypt your password; however, all encryption can eventually be cracked.
The energy and time used even by a supercomputer to crack an AES-256 encrypted password that's alphanumeric mixed case with a dash of special characters will take ages. Yet if it's "I<3puppies" don't expect anything to be safe. At that point you would want to hire someone to bop your head.
 
The energy and time used even by a supercomputer to crack an AES-256 encrypted password that's alphanumeric mixed case with a dash of special characters will take ages. Yet if it's "I<3puppies" don't expect anything to be safe. At that point you would want to hire someone to bop your head.
Most people use passwords worse than that.
 
The energy and time used even by a supercomputer to crack an AES-256 encrypted password that's alphanumeric mixed case with a dash of special characters will take ages. Yet if it's "I<3puppies" don't expect anything to be safe. At that point you would want to hire someone to bop your head.
Conspiracy nuts claim that the NSA holds keys to all AES 256 hashes. Any truth in that?
 
Conspiracy nuts claim that the NSA holds keys to all AES 256 hashes. Any truth in that?

The CSS approved it for TS use. If they have the keys, then it means other governments, especially China, will likely have the keys. All alphabet soup agencies use AES 256 as the standard for encrypting data. If you're holding AES 256 files on a network that can be broken into by rogue countries or 'friendlies' and they can decrypt your files, then what good is it? I don't doubt Mr. Snowden's releases. It just tells me that despite having dozens of tools at its disposal, the alphabet soup agencies still manage to let things happen.

Ever hear of the saying, "It's not the tool, it's how you use it"?
 
I don't see how a master password would be more secure. Firefox has it, and there is a tool to reveal it: securityxploded.com/firemaster.php

Granted, it seems like it was last updated for version 11, but I am sure other tools exist; this was something I just grabbed after 5 seconds of Googling. Any physical access to your computer is game over, even if just a lay person gets it. If this is an issue for anyone, where sensitive accounts get compromised if someone has access to your computer, I suggest you delete those passwords regardless of them having a master password or not.
 
I don't see how a master password would be more secure. Firefox has it, and there is a tool to reveal it: securityxploded.com/firemaster.php

Really?
You can't understand the idea that 95% of people won't ever find that?
?

I rarely store passwords in browsers.
But I at least thought they were hashed or something.
Can't they at least do encryption like XenForo does?
 
Even if they were encrypted (such as in the Apple Keychain), the software needs to know how to decrypt them to function.

XenForo doesn't need to use them at a later date; it only needs to verify entered vs. saved, which means all it needs to do is encrypt them again.

It's a false sense of security to store passwords anywhere. It's still not a security hole or something that is exploitable.
 
Even if they were encrypted (such as in the Apple Keychain), the software needs to know how to decrypt them to function.

XenForo doesn't need to use them at a later date; it only needs to verify entered vs. saved, which means all it needs to do is encrypt them again.

It's a false sense of security to store passwords anywhere. It's still not a security hole or something that is exploitable.

This.

Think of it in XenForo terms: If this were filed as a bug, it would be closed and prefixed with As Designed.
 