Google Chrome to *finally* protect your passwords a little better

Back in August, there were plenty of people (including myself) venting their frustration that Google Chrome didn't do more to protect users' passwords.

The problem is this. Unlike rival browsers such as Firefox, if you ask the Chrome web browser to remember a password for you, it doesn't give you the option to protect that sensitive information with a master password.

That means that if anyone who accesses your computer (maybe while you are on the loo, or on a trip to the water cooler) visits the URL

chrome://settings/passwords

they would be able to see all of your passwords.

Very handy if you want to snoop on your big sister, or partner.

Chrome password screen

Google has attempted in the past to argue that having a master password that has to be entered to access the list of passwords isn't really a security feature at all, as the attacker already has access to your computer.

That's an interesting argument, which might be technically accurate from Google's lofty ivory tower - but it's not very meaningful or useful in the real world.

Fortunately, Google appears to now have realised the error of its ways - and is considering a U-turn.

The latest build of Chromium, the browser project from which Chrome is derived, includes a new experimental flag in its Mac version - which, if enabled, prompts users to reauthenticate themselves by entering their Mac OS X password.

Password dialog

The new facility was highlighted by François Beaufort, a "happiness engineer" at Google France.

Hopefully this feature will, in due course, roll out into all shipping versions of the Chrome browser - and help prevent passwords from being snooped upon.

By the way, I'm not a big fan of internet users using browsers to remember their passwords as there have been plenty of issues discovered with that in the past.

But, seeing as Chrome and other browsers are offering such a feature, they should at least put in place simple measures to prevent someone from *casually* accessing them.

It's an all-too-common scenario for a friend or guest in your house to ask to temporarily use your computer to check their email, etc. And – if you don't have the foresight to have created a Guest account on your computer – you might just hand over your laptop without thinking.

Additionally, you might have fellow workers in your office who you sometimes give permission to use your computer, or who might have access if you walk away without having locked your desktop.

The requirement for a "master password" before viewing the passwords your browser remembers would prevent those kinds of attacks.

I'm not suggesting that a browser master password makes your computer safe from hackers. But it makes it much harder for the vast majority of people who might try to snoop upon your passwords to access them.

My advice is not to tell any browser your password. Instead, use password management software like Bitwarden, 1Password, and KeePass to remember your passwords securely, as well as help you generate complex, random passwords for the various accounts you have on the web.

Finally, remember to lock your computer when you walk away from your desk, and if you want to give someone temporary access to your computer, log them into a guest account where they can't do any harm, and can't access your personal information.


3 Responses

  1. Christopher J Bigley

    November 8, 2013 at 2:55 am #

    There I was, sitting at my desk, not a worry. As I watched my pc getting hacked! At first glance I didn't notice. I didn't think in a million years it could be ALL my passwords being used and replicated before my very eyes, and there was nothing I could do except rip the plug out of the wall. Astounding! They just waltzed right in, waltzed right out, waving bye bye, as they slaughtered my surface files in just seconds. The big surprise came when I recovered I was in this strange land called chromium, where I was poked and prompted, told I have no identity, no home, cross examined, left waiting out in the cold. Then I was told "you don't belong here", go away, come back later. Well I didn't. But I did say, MUCH LATER! Indeed. So there you have it, a true story. Happened on 11/4, be watchful! C.J.B.

  2. John Johnson

    June 6, 2016 at 9:07 pm #

    Really? You're seriously recommending people to use password managers? I don't want to write a long post here explaining all the problems with that recommendation, they should be obvious to anybody. Here's the link to an article where some of these problems are discussed:
    https://privacyblog.com/2016/06/06/why-i-always-recommend-against-password-management-products/comment-page-1/#comment-2722

    • Graham Cluley in reply to John Johnson.

      June 6, 2016 at 9:28 pm #

      Hi John

      Thanks for taking the time to comment.

      I'm afraid I can't agree with you. I think the typical computer user is much better served using a password manager than not. Without a password manager most users find themselves reusing passwords, or coming up with dumb passwords that are easy to crack.

      You are right to say that password managers are not infallible (what is?) but I believe they add more than they take away.

      Regarding the potential for hackers to crack a password manager run on a local PC. Yes, that's possible. But they would be infecting the PC in the first place which, frankly, means all bets are off. If they have already compromised the computer they could install keylogging spyware which could steal all your credentials anyway…. indeed, I imagine that such an attack could also steal the key that you use to decrypt the encrypted passwords you store in Evernote too.

      Of course, password managers need to be used as part of a layered defence – so keep your patches up to date, your anti-virus updated, etc etc.
