I really love the Google Chrome browser, but it seems as though the development team has been overlooking a huge security issue that I thought would be resolved by now. If you save passwords in the browser (like a lot of other users do) you may find out the hard way that the passwords are not stored in a manor that would keep other people from quickly accessing the data. Someone could easily crack open Chrome, navigate over to the options, and click a button to reveal all of the passwords you’ve saved.

To make matters worse, there are third-party tools that can strip out all the login credentials from the browser. ChromePass is one of those tools that’s available for free, and it serves as a good indication that if someone managed to get on your system (virtually or physically), it would take just a few seconds for them to nab this data. And they wouldn’t even have to open the browser.

A few years ago we took a look at just how secure your passwords were when stored in the browser, and it was extremely easy to get this private information if you didn’t have a master password enabled. I thought for sure that Google would have added this feature to the browser by now, but they haven’t. Hopefully users will continue to voice their concern so that our login information will be protected.
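
The master-password protection this post asks for, sketched as an added example (not code from Chrome, Firefox or the original post): the saved logins are encrypted with a key derived from the master password, so the stored file is unreadable without it. The function names, scrypt parameters and sample credentials are assumptions made for the illustration.

```javascript
// Added example: a master-password-protected credential store (Node.js built-in crypto only).
const crypto = require("node:crypto");

// scrypt cost parameters (assumed values for this example; raise them as hardware allows).
const KDF = { N: 2 ** 14, r: 8, p: 1 };

function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, KDF);
}

// Encrypt the whole credential list under a key derived from the master password.
function sealVault(masterPassword, credentials) {
  const salt = crypto.randomBytes(16); // fresh salt, so equal passwords give different keys
  const iv = crypto.randomBytes(12);   // fresh nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(masterPassword, salt), iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(credentials), "utf8"),
    cipher.final(),
  ]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: ciphertext.toString("base64"),
  };
}

// Returns the credential list, or null if the master password is wrong or the file was altered.
function openVault(masterPassword, vault) {
  const key = deriveKey(masterPassword, Buffer.from(vault.salt, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(vault.iv, "base64"));
  decipher.setAuthTag(Buffer.from(vault.tag, "base64"));
  try {
    const plain = Buffer.concat([
      decipher.update(Buffer.from(vault.ciphertext, "base64")),
      decipher.final(), // throws when the GCM authentication tag does not verify
    ]);
    return JSON.parse(plain.toString("utf8"));
  } catch {
    return null;
  }
}

// Constructed sample data, not real credentials.
const sample = [{ site: "https://mail.example.test", user: "alice", password: "correct horse" }];
const vault = sealVault("a long master passphrase", sample);
console.log(openVault("a long master passphrase", vault)); // the original list
console.log(openVault("guess", vault));                    // null
```
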

There Are 17 Comments

  1. I don’t even trust Firefox, either…sadly :( It’s one thing I don’t trust a browser for yet. I wish FF would really secure their password storage – it’d be a nice icing on the cake. In the meantime, I can’t go past Roboform. It’s brilliant. (Hope this doesn’t sound infomercial-ish since I won a copy on Cybernet…hehe) ;)

    • Hi,
      Firefox is pretty safe my friend. You can set master password under Options and NO ONE CAN SEE UR PASSWORD

  2. There has been a lot of discussion on this in Chrome’s bug list.
    I too was furious about the absence of master passwords until I read the comments on the bug. See the bug @ [code.google.com] and the 13th comment about the resolution. If someone has physical access to your machine, it’s anyway easy for him to get all your passwords and any other information (even with a master password). So, as he said, it’s an illusion of security.

    • First, that’s a terrible excuse. I don’t put a master password on my stuff to keep malicious hackers who have physical access to my computer away from my passwords, I use it so that I can store my passwords while still being able to leave my computer open for friends and others to use without letting them straight into all of my accounts.

      Second, I’m pretty sure if your master password is a good one, it’d be pretty difficult if done correctly. KeePass is about the safest way to store your passwords and it uses a single master password. As long as your master password is sound, your passwords are safe.

      I love Chrome, but the excuse that having master password as well as encryption is less secure than having encryption and no master password is ridiculous.

    • Under your reasoning if I let somebody into my house it would be an “illusion of security” to keep the safe in my house locked. As that person has “physical access” to my house where the safe is.

    • it’s not a question of security but privacy: when my current girlfriend asks me to hand the netbook over to her for a short look into cooking recipes or what she needs to do in this moment i don’t want her to have an easy look into my favored sites using my account. and to log me out and her on is not a solution to this issue, but close chrome and start again is!

      just my $0.02

  3. Michael Dobrofsky wrote:
    In the meantime, I can’t go past Roboform. It’s brilliant.

    Glad you are enjoying Roboform. It’s definitely a good solution for storing passwords.

    Vish wrote:
    If someone has physical access to your machine, it’s anyway easy for him to get all your passwords and any other information (even with a master password). So, as he said, it’s an illusion of security.

    True, but Google could encrypt the password storage using your master password, and then it would pretty much require brute force to decrypt them. Also, I found this comment to be a rather good analogy:
    [code.google.com]

  4. “not stored in a manor that would keep” – should be “MANNER”, strange coz manor is kind of rare and archaic.

  5. ChromePass didn’t work for me – maybe because I am on the dev path (version 2.0.164.0)
    The internals of the chrome user profile have changed quite a bit since it was first released, any program that worked one day might well stop working shortly after.

  6. Have you noticed that the same thing happens with Firefox? I mean, just go to the Menu > Tools > Options > Security > Saved Passwords, and there is a “Show Passwords” button, I mean, it is as “safe” as Chrome.

    As Vish wrote:

    Vish wrote:
    If someone has physical access to your machine, it’s anyway easy for him to get all your passwords and any other information (even with a master password). So, as he said, it’s an illusion of security.

    So now, or since I don’t know when, anyone can see the saved passwords, sorry, but that is the stupidest thing I have ever seen. I hope Firefox takes it back. For the moment I think I’ll start using Explorer, which I don’t like.

    • with Firefox u can use master password, can’t u see the button?
      just create one and it saves your life.

  7. I was thinking that the master password feature does look like an illusion of security but at least anyone who attempts to look for your password will have a hard time. Unlike if there was no password, it’s like a sitting duck.

  8. Diego Sierra wrote “Have you noticed that the same thing happens with Firefox? I mean, just go to the Menu > Tools > Options > Security > Saved Passwords, and there is a “Show Passwords” button, I mean, it is as “safe” as Chrome.”

    The above is only true if a master password has NOT been set. After you HAVE set a master password, you can only view your saved password by again typing in the master password each and every time you request to view the stored passwords.

    One can argue about the strength of Firefox password encryption, but it does keep one’s passwords hidden from the casual user (like a kid buying stuff on Amazon.com with a parent’s stored account password and account info!!!).

    I REALLY want to use Google Chrome, but I simply can’t until they plug this feature hole. I call this a “feature hole” because, while Google is free to argue about how people don’t need a master password, the fact is that people (myself included) want one. So rather than lecture Chrome users about why what they want is an “illusion of security”, Google should focus on how to deliver a master password feature that IS secure.

  9. > One can argue about the strength of Firefox password encryption

    One can, but one probably would only just be assuming:
    [luxsci.com]

  10. Master password actually has been working for me with Firefox.. The way I set it up is under tools > options > privacy tab > firefox will: select USE CUSTOM settings and check the box where it says automatically start firefox with private browsing session…

    do this setting after you have saved all the passwords you want to whatever website you go to. that way, it’ll remember the cookies/passwords that you have saved..and THEN when you make it start as private session every time, it’ll still remember the password, THEN it’ll ask for the master password.

    now you can take out the quotation marks on the word “SAFE” coz this way..firefox is indeed safe… just make sure you exit out of the browser once you’re done..

  11. Two and a half years later, and still no master password in Chrome.
    Unbelievable…
