Chrome, Firefox blab your passwords in just a few clicks: Shrug, wary or kill?

Web browsers Google Chrome and Mozilla Firefox can reveal the logged-in user's saved website passwords in a few clicks. There now rages a debate over whether this is an alarming security flaw or a common feature. Picture this: you've been asked to fix a friend's PC because it's stopped printing pages properly, or you saunter …

COMMENTS


  1. Richard 12 Silver badge

    Firefox already does what he asked

    Optionally, anyway. I don't use the master password though, because if someone has got to my desktop it's too late anyway.

    To be honest, I think this is a good feature.

    Lots of people have more than one device now, and damn near every website wants a username and password just to look at the weather or other stupid things that shouldn't even have a login, let alone credentials.

    A simple way to find out what you used so you can type it into A N Other device is necessary.

    All the major browsers ask before saving login credentials as well, with the warning "don't do this on a shared computer"

    So I'm with Google here.

    1. Simon 11

      Re: Firefox already does what he asked

      "...because if someone has got to my desktop it's too late anyway."

      I keep hearing this and it keeps pissing me off. It's just another way of saying 'It's easier than it should be for people to break into a system when they have physical access, so I'll use that as an excuse to justify not doing anything at all to protect the system, regardless of whether the things that can be done would prevent that person from accessing my most sensitive data, or merely slow them down'.

      If everyone stopped being lazy and started actively working on this level of security, we might actually get something that can make a system relatively secure from attackers with physical access to the machine.

      This is why Google's response is bad.

      1. Silviu C.

        Re: Firefox already does what he asked

        The fact that you can easily pwn any machine provided you have physical access to it is not Google's fault.

      2. Eddy Ito

        Re: Firefox already does what he asked

        Given the number of people who have the "automatically log me in" box ticked and don't have it automatically lock after a bit of inactivity there is no way this will be fixed except it would be pretty trivial to add it. If Comodo and Iron can tweak the code then it shouldn't be hard to spin in a master password.

        Besides, doesn't Google like having access to all your data anyway? Why would they make it harder on themselves? I'm actually a bit surprised they [Google, MS, Apple, etc] don't automatically cloudify all passwords to help folks log in from anywhere. What could go wrong having all the magic eggs to your life in one basket?

      3. plrndl
        FAIL

        Re: Firefox already does what he asked @ Simon 11

        The way your computer knows who's sitting in front of it is by "looking" at the login name. The reason you have the option for multiple logins is so that you can secure your data on a system shared with others.

        How do you propose that your computer knows who is using a shared login? How often should it check, every hour, every ten minutes, or more often? Do you really want to verify that you really are you that frequently?

      4. Nym
        Happy

        Re: Firefox already does what he asked

        And just get LastPass, free or paid (or something similar) and don't be lazy; don't be lazy with your master password program (you should have one which is "cloud independent") and you're quite safe. It's also best to set Firefox at least to wipe all history and cookies each session (dreary lag of pageload or not)--and to put your machine to sleep even when you go visit the toilet. Paranoid isn't quite enough on an accessible computer...oh dear. Now I've said too much.

    2. Anonymous Coward
      Anonymous Coward

      Re: Firefox already does what he asked

      If someone got to my desktop it is NOT too late anyway, because these are passwords to sites where other information is available. You like to surrender info?

      1. VinceH

        Re: Firefox already does what he asked

        "If someone got to my desktop it is NOT too late anyway, because these are passwords to sites where other information is available. You like to surrender info?"

        I do agree for the main part - which is why I voted that this is a bug and needs to be fixed: Password visibility arguably means all they need is a brief access to nab that data, which is why I voted for that option, but consider that if someone has managed to nab your computer and accessed your user account, they don't actually need to see the passwords: they can just visit the sites using your browser with its saved passwords.

        Which means that on a shared computer, where the owners are too stupid or lazy to have separate, password-protected user accounts, and/or don't log out of their account when they're finished, there is no real protection anyway, password-protected passwords or not.

        This is arguably why there needs to be a lot more user education.

        My real vote would be "This is a bug that needs to be fixed (from the third option), but non-techie people won't realise and need to be educated (from the second)."

        I was tempted to add "don't leave your computer unlocked" from the first, but sometimes that is necessary when people like me need to fix other people's computers - but that would often be prevented if users were better educated to start with.

        The problem with arguing that users need to be better educated, though, is that many users don't want to be educated.

      2. Richard 12 Silver badge
        FAIL

        Re: Firefox already does what he asked

        If they've got to my desktop then they can copy the browser's keystore and upload it somewhere to crack at leisure - how do you propose stopping that?

        I lock my desktop when I leave it. Very simple solution, and as secure as the OS.

        That said, how big is the set of people who may attempt or gain physical access to steal data?

        A corporate machine may be worth an attacker trying for physical access due to the nature of the sensitive data, a personal one probably isn't.

        I don't use my corporate machine for personal stuff, and I trust that our IT dept have put in place reasonable protections given the value the company places on the data I have.

        At home, the only miscreant who might want my PC is going to smash it or sell it. He's not going to go after the data quick enough for any saved passwords to be worth anything.

        1. Anonymous Coward
          Anonymous Coward

          Re: Firefox already does what he asked

          "I lock my desktop when I leave it. Very simple solution, and as secure as the OS."

          I have admin rights over all the PCs where I work (so do the others if they thought about it. It's not me that set up the security policy and I have complained about the holes in it, but that's another story).

          As a result, I can connect to any co-worker's PC and extract those files remotely, even when they lock their desktop.

          Locking the desktop will not secure your browser passwords from me or anyone else here.

          1. Richard 12 Silver badge

            RTFP

            "As secure as the OS"

            No more, no less.

            If you are an admin or get root over a computer then you can do whatever you like and nothing whatsoever is going to stop you.

            That's what the word "Administrator" means.

      3. Bitbeisser
        FAIL

        Re: Firefox already does what he asked

        If you don't want to surrender info, then don't f*****g save the password in the first place!!!

        Don't know about Chrome (and don't care to be honest), but Firefox will explicitly ask you if you want to save the password or not. So if people don't realize that this info is saved and accessible somewhere/somehow, sorry, too bad.

    3. Piro Silver badge

      Re: Firefox already does what he asked

      I use Master Password on Firefox, even though there's no real chance someone will be sat at my PC.

      Why not? It only needs inserting once a session, and means that if someone passes by your PC unlocked, they can't see your passwords in a few clicks. Seems a no brainer to me.

      1. Mage Silver badge
        Happy

        Re: Firefox already does what he asked

        And even if you used the password for the session already you need it explicitly EVERY TIME you display the list of saved sites, usernames and passwords.

    4. Wize

      Re: Firefox already does what he asked

      If something manages to get control of your computer (a bit of mallware, for example) one of the first things it can send home is configuration file for your browser (I've moved it around myself when moving to a new machine as it contains your passwords, shortcuts etc)

      If you have set a master password, the file won't be much use to whoever has 'borrowed' it giving you a chance to find and remove the mallware before it records the keystrokes of a password being entered (which you won't anyway as they are mostly stored)

      Gives you that little bit more breathing space should your machine be compromised from outside.

      1. Pen-y-gors

        Mallware?

        @Wize

        Presumably some sort of software that emulates an American shopping centre?

    5. Nuno

      html manipulation

      if you go to any page for which you have a saved password, and the browser auto-completes the login form, you can manipulate the html input tag, stating that the input is not of type password, and the password will show up easily...

  2. At0micAndy

    safari too

    yeah, safari does this, too, and very useful I have found it for those rarely used websites. Yes I know about it, yes I have a different password for every logon I need, yes I need a way to remember them, yes this is very very useful, and yes, I use a screen saver, with an auto set of a few minutes. No, please do not take this feature away, yes do teach people to lock their screens.

    1. simon gardener

      Re: safari too - But it REQUIRES the users system password

      Safari requires the user password - just like the keychain does. Without the password all you can see are a list of the sites you have passwords stored for and a bunch of dots.

  3. Anonymous Coward
    Anonymous Coward

    how is this new?

    1. MrT

      For Firefox at least...

      ...it's not even hidden - there's a button on the Options>Security tab to show saved passwords, right under the option to use a Master Password. IIRC it's been there for a few years. I think the issue here is more about the form in which the passwords are saved - e.g. if they can be grabbed remotely or accessed via another computer.

  4. T. F. M. Reader

    Things we take for granted...

    I never knew - or considered the possibility - that Firefox would save site passwords WITHOUT setting a master password first. Seriously, it just never occurred to me that such insanity was possible.

    And am I reading this right? Chrome does not even allow a master password??? And Safari allows another application to slurp cleartext passwords en masse without prompting for a master password, either? I don't use either browser for unrelated reasons, but... DAMN!

    The argument that if someone momentarily has physical access to your computer then all is lost is BS. That someone is more likely to be your kid or an even more clueless coworker than an NSA superspy with a password-cracker-on-key gizmo, so even mild additional protection is worthwhile. And limiting security to the perimeter is a lousy practice.

    Out of curiosity, I od'ed the signon.sqlite and key3.db files in my firefox profile on my laptop. I saw the sites for which I have saved passwords (e.g., The Reg), but nothing resembling the passwords themselves, so apparently they are not stored in cleartext. I don't know how hard they would be to crack, but I doubt someone who sneaks into my office for 30 seconds can easily do it on the fly. Well, he/she can dump the profile onto a disk-on-key and do it later, granted, but no, I never leave my desk without locking the screen at least, either.

    So, KILL!

    1. Natalie Gritpants

      Re: Things we take for granted...

      > I od'ed the signon.sqlite and key3.db files in my firefox profile on my laptop. I saw the sites for which I have saved passwords (e.g., The Reg), but nothing resembling the passwords themselves, so apparently they are not stored in cleartext.

      They are scrambled and if you know the key you can decrypt them. The key is in the source code and probably google-able. However, if you use a master password the site passwords are scrambled with that, which makes it much harder to crack.

      You could try looking through firefox's memory for the passwords or even the master key but that requires super-user privilege and shouldn't be possible unless you run as root or admin.

      You could try hunting through the hibernation image but then you should not hibernate a machine without full disk encryption.

      You could dump the machine in a liquid nitrogen bath, pull out the memory cards and go through them but it's probably cheaper and quicker to just threaten the owner of the said machine.

      1. Barche

        Re: Things we take for granted...

        Actually, this is not how it works. There is a randomly generated encryption key for all the password store:

        http://docs.services.mozilla.com/sync/overview.html

        Setting a master password protects the above key, so you need to enter the password to access the master key to sync with a new device or to see any stored passwords:

        http://kb.mozillazine.org/Master_password

        1. joed
          Thumb Up

          Re: Things we take for granted...

          So basically encryption is very similar to FireFox sync server - seems nice and works just fine. Especially that just like with password file that's stored locally you can setup your own sync server (not super easy but even noob like me can follow step by step instructions and figure out/fix mistakes) and copy all your passwords onto android without using any facility that NSA has direct access to;

          FF is really great the way you can copy the profile folder between PCs and have all your settings, tabs etc. transplanted. Compare this to IE ... - obviously no master password (it used to be trivial to leech saved passwords, not sure for newer versions).

          I guess for all other browser there's always lastpass - they do seem to have reasonable security

  5. Alex in Tokyo

    Can I choose 'All of the above'?

    Don't let people have physical access to your private machine, or at the very least make sure that they're using a separate or a guest account. Don't save your passwords on a shared machine. *Shrug*

    That said, people should be aware that the capability to display saved passwords exists, and factor that into the assessment of whether to save a given password or not. *Wary*

    That said, how hard would it be for Google to add the option to require a master password in order to display the saved details? It's a no-brainer and they should fix it. *Kill*

    1. Captain Scarlet
      Unhappy

      Re: Can I choose 'All of the above'?

      I second, a bit of everything.

      I can't understand why it's even needed; if I can't get on I use the password reset features of whichever service it is.

  6. julianh72
    FAIL

    Of course, if they've got access to your desktop and browser, they've got your Gmail, Email, etc, along with all the documents stored on your hard drive, the Word document you store all your bank account details and passwords in, your DropBox account, ...

    Nevertheless, it would seem to be a no-brainer that a master password should be required to access any security-related data.

  7. bigfoot780

    simple

    Disable/don't use the feature. It won't take long for someone to find which file in Chrome/Firefox stores passwords. Either that or 2 factor auth everywhere.

    1. Charles 9

      Re: simple

      Thing is, the stored passwords are encrypted, and the key is generated per profile. A master password encrypts the key as well.
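An added illustration of the design Barche and Charles 9 describe above (and of why, as Wize and DrXym note, a copied profile folder is enough when no master password is set). This is my own toy code written for this page, not Firefox's or Chrome's implementation and not the NSS file format Barche links to: the cipher is a throwaway HMAC-based construction, the file names and PBKDF2 round count are constructed for the example, and the two "files" are modelled as an in-memory dict. What it shows is the key-wrapping idea: a random per-profile key encrypts every site password; without a master password that key is stored as-is next to the logins, so anyone holding a copy of the profile gets everything; with a master password the key is wrapped under a password-derived key, so the same copied profile yields nothing until the master password is supplied.

```python
"""Toy model of a browser login store (added illustration, not Firefox/Chrome code).

Two files are modelled: a key file holding a random per-profile key, and a
logins file holding each site password encrypted under that key. With no
master password the per-profile key is written as-is, so a copy of the
profile folder is enough to recover every password. With a master password
the per-profile key is wrapped (encrypted) under a key derived from that
password, so the copied profile alone is useless without it.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000  # constructed value for the toy, not a browser's setting


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stream cipher built from HMAC-SHA256 (toy construction)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key (e.g. wrong master password) fails here."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ciphertext)


def derive_kek(master_password: str, salt: bytes) -> bytes:
    """Key-encryption key from the master password (slow KDF to resist guessing)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, dklen=32)


class PasswordStore:
    """In-memory stand-in for the browser's key file plus logins file."""

    def __init__(self, master_password=None):
        self.profile_key = os.urandom(32)   # random, generated once per profile
        self.logins = {}                    # site -> encrypted password blob
        self.set_master_password(master_password)

    def set_master_password(self, master_password):
        if master_password is None:
            # No master password: the key file holds the key in the clear.
            self.salt = None
            self.wrapped_key = self.profile_key
        else:
            # Master password: the key file holds the key wrapped under the KEK.
            self.salt = os.urandom(16)
            self.wrapped_key = encrypt(derive_kek(master_password, self.salt), self.profile_key)

    def save(self, site: str, password: str) -> None:
        self.logins[site] = encrypt(self.profile_key, password.encode())

    def export_profile(self) -> dict:
        """What actually sits on disk, i.e. what a copied profile folder contains."""
        return {"salt": self.salt, "wrapped_key": self.wrapped_key, "logins": dict(self.logins)}


def read_profile(profile: dict, master_password=None) -> dict:
    """Recover site passwords from a copied profile, as the browser UI (or a thief) would."""
    if profile["salt"] is None:
        profile_key = profile["wrapped_key"]          # nothing to unwrap: a copy is access
    else:
        if master_password is None:
            raise ValueError("master password required to unwrap the profile key")
        kek = derive_kek(master_password, profile["salt"])
        profile_key = decrypt(kek, profile["wrapped_key"])   # raises on a wrong password
    return {site: decrypt(profile_key, blob).decode() for site, blob in profile["logins"].items()}


if __name__ == "__main__":
    unprotected = PasswordStore()
    unprotected.save("forum.example", "hunter2")   # constructed sample login
    print("no master password, copied profile:", read_profile(unprotected.export_profile()))

    protected = PasswordStore(master_password="correct horse")
    protected.save("forum.example", "hunter2")
    copied = protected.export_profile()
    try:
        read_profile(copied)
    except ValueError as err:
        print("master password set, copied profile:", err)
    print("with the master password:", read_profile(copied, "correct horse"))
```

The design choice worth noticing is that the master password never encrypts the site passwords directly: it only wraps the per-profile key, which is why Charles 9 can say "a master password encrypts the key as well" and why changing the master password means re-wrapping one 32-byte key rather than re-encrypting every login. The flip side, which several posters raise, is that the master password is only as good as the KDF and the password itself: a copied profile can be attacked offline, so a short master password buys little.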

  8. ratfox

    An optional master password would be nice

    Though to be honest, I've never used the feature. Partly because it feels unsafe, partly because I prefer to remember all my passwords, in case I'm using a different system where they are not saved. If you let your computer remember all your passwords, it feels awfully easy to forget them.

  9. dajames
    WTF?

    That's not the issue.

    A stricter view would be that it is a security flaw that browsers can store passwords at all. I never use that feature myself.

    If the browser has access to your passwords (possibly after entering a master password once) then malware running on a web page could conceivably obtain a list of the sites you visit and your passwords for those sites and mail them off to its evil creator. This is surely not a price worth paying for the minor convenience of not having to type a password (or cut/paste it from an external password safe application) once in a while?

    I find that if I have to enter passwords by hand every once in a while I stand a chance of remembering them when I need to ...

    1. pPPPP

      Re: That's not the issue.

      The problem is when you have logon credentials for various forums, like this one. You can either re-use the same password across them all and remember it or store it in the browser (hopefully encrypted). You're not likely to be able to remember separate credentials for each and every site.

      This doesn't mean that you need to save your bank details in the browser. I don't save anything financial, but I do save web site logins.

      1. Neil Barnes Silver badge
        WTF?

        Re: That's not the issue.

        Except that the majority of fora and similar sites maintain the local 'remember me' password in (presumably) cookies... they don't go near the Firefox local store.

        I can't see any reason for storing passwords for remote sites on the browser, and have 'never remember passwords' selected at all times. I certainly wouldn't use a local store for e.g. bank passwords.

      2. Steve Renouf
        WTF?

        Re: That's not the issue.

        "This doesn't mean that you need to save your bank details in the browser."

        Hmm... Interesting.... My banks don't allow the browser to remember the logins, even if I wanted them to.

        1. pPPPP

          Re: That's not the issue.

          It's actually the browser that does that. Banks use https and browsers tend to not allow you to save passwords for those sites.

          1. Charles 9

            Re: That's not the issue.

            They tend to now since more sites switch the login screen to https, meaning a stored password won't be useful in your scenario because more sites will be already in secure mode.

  10. FredBloggsY
    Facepalm

    So Chrome's approach is that if someone's got to your desktop you might as well hand them your bank account and other passwords, too, because they're worth it?

    I love some of Google boy's phrases:

    - I appreciate how this appears to a novice

    - and while you're certainly well intentioned, what you're proposing is that that we make users less safe than they are today

    - providing them a false sense of security and encouraging dangerous behaviour

    ... he just failed to realise to whom they apply.

  11. Destroy All Monsters Silver badge

    Gnome Keyring..

    KDE Keyring...

    Eclipse secure password storage....

    Same here. Unification would be nice though.

  12. Anonymous Coward
    Anonymous Coward

    Lastpass ?

    I disabled Chromes built in password manager, and use Lastpass.

  13. Version 1.0 Silver badge

    The sky is falling, the sky is falling!

    Here we go again - what is it with you people? If security is important then log in and log out and have a guest account set up for your friends. But you could ask yourself why this is even an issue?

    It's because we have stupid "password policies" that make it impossible to create passwords that we can remember and force us to create passwords that can't be memorized and must be saved or written down. So now you want passwords to protect passwords?

    I write mine down on a sheet of paper and keep them under the keyboard - and no, I don't give a shite.

    I just don't write them in English.

  14. Ben Rose

    Not concerned..

    Multiple user profiles have been in "domestic" flavours of Windows since Windows ME. During first time set-up of a new PC they have positively encouraged people to have multi-user logins, with their own wallpaper etc. It works well and your desktop etc. are stored in an area that is off-limits to other users.

    I share my PC with a wife and 2 children. Can they see my saved Chrome passwords? No.

    1. Not That Andrew

      Re: Not concerned..

      While the feature has been available since Win95 actually, Windows has _never_ encouraged users of the desktop version to create multiple user profiles. If that were the case it would require you to create a separate admin account and user accounts during setup instead of just (since 2K or XP IIRC) requiring you to set up one account and silently giving it admin privileges. Which I suppose beats 95 and 98's way of just dumping you into what passed for an admin profile on those glorified DOS shells and expecting you to set up passwords and booting to the login screen yourself.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not concerned..

        That'd be the login screen where, if you clicked Cancel, it let you in anyway? Mmm. Good job, Microsoft.

      2. Ben Rose

        Re: Not concerned..

        Multi-user has been available since Windows 95 but not until ME did they actually have separate NT style profiles, e.g. c:\documents and settings\username\etc

        This type of profile allowed different settings to be stored easily for each user and, in the case of Chrome, would mean two entirely separate password repositories in different folders.

  15. DrXym

    I don't see it as an issue

    If you tell your browser to save your passwords, then that's exactly what it will do. So whether you can "see" them or not through the UI, they are sitting there on disk in a form which anyone can lift and peruse to their heart's content.

    So perhaps the browser should encrypt them, e.g. with a key which is generated into the browser profile folder? Well yes it could but then the thief could just steal the key too.

    So hiding passwords from the UI might I suppose protect them from your sister's glances but that's about the sum of the security such a measure would offer.

    The best way to protect passwords is to not save them at all. And if you do save them (e.g. for the 1000-1 throwaway forum / site accounts) protect them with a strong master password. And on top of that practice security in other ways, i.e. set your computer to screen lock after inactivity, set up another account for other family members, use stronger, unique, unsaved passwords for sites you don't want to be compromised even if all the throwaways were.

  16. kabadisha

    I would argue that most people who use this feature (viewing saved passwords) do so because they cannot remember their password because they don't have to as Chrome is storing it for them.

    So putting a master password on it basically defeats the point of it. Older generations (my not so old parents included) see passwords as a tedious irritation, not a critical security credential which they must remember like their PIN number.

    IMO we need to ditch passwords and move to key based auth for everything. Someone just needs to come up with a suitable implementation.

  17. kabadisha

    Also, how many people do you know who are issued with a dog-slow encrypted disk laptop who have the password written on a post-it stuck to the palm rest?

    Passwords are fail for Average Joe

  18. Nick2039

    The only reasonable objection to this is that if they do provide a master password, then when people realise that this isn't a cast-iron guarantee of security Google will crop another dusting.

    Solution: when Chrome offers to save your passwords (for the first time) or when someone sets the master password, just put up a damn dialog box warning that it's only superficial protection.

  19. mark l 2 Silver badge

    Having a master password set is not going to stop someone with physical access to your computer being able to get access to your email, Facebook or whatever other website you have saved the password for, and then it's a trivial extra step to do a password change and they have your info anyway.

    It is worrying that you can access it with just a local URL in Chrome though, as I guess in theory a cross site scripting attack could reveal it to a hacker if they convince you to open that URL while you have some dodgy website open.
