Chrome password risk is news to me

Image: Eric J. Lubbers, The Denver Post

Sometimes (more often than I care to admit) I feel like I’m the last person in the world to find out about something. This time it’s an August 7 story about a mile-wide security hole with Chrome, the browser I use most of the time. Apparently it was such a ho-hum revelation that no one has even bothered to comment on the story, but it certainly comes as news to me.

As explained by Denver Post writer Eric Lubbers, anyone who gets their hands on your computer can easily see a list of every password Chrome has ever saved for you. Just type chrome://settings/passwords into the address bar and when the list of saved websites and their obscured passwords comes up, click the “Show” button to reveal any of the passwords.

As some of you might recall, I bought 1Password a few months ago to manage my passwords. I’ve been slow to fully implement it, primarily because of a reluctance to trust all my passwords to a third party (and to trust my ability to handle the manager). It’s also just complicated enough that I’ve been less than determined to master it. And I still haven’t figured out why, once I do save a password for a given website, it keeps nagging me to save the password when I revisit the site. Shouldn’t it know it has already saved the password?

My son did remind me once that my passwords are being saved by my browsers, but I hadn’t followed up by figuring out how to delete them. That’s probably why I get nagged. If I were logging in with 1Pass, it probably wouldn’t nag. Again, I’m lazy. It’s too easy to just be automatically logged in by the browser.

Anyway, fair warning about the Chrome thing. Problem is, the suggested countermeasures are annoying for someone who lives alone and whose computer never leaves the house:

1. Make sure your computer is password locked at all times
2. Don’t let anyone use your computer. Ever.
3. Use an encrypted password manager like LastPass or 1Password
4. Turn off Chrome’s password manager

Web designer Elliott Kember first discovered the problem and reported it on his blog. Interestingly, Justin Schuh, head of Chrome security, contacted Kember, called him “a novice”, said he’s wrong, and said this is not going to change. Perhaps he was angered by Kember’s title, “Chrome’s insane password security strategy.”

I wonder if Firefox has a similar problem …

(… SIgh … judging from the number of related articles below, I am indeed the last to know.)

6 thoughts on “Chrome password risk is news to me

... and that's my two cents