How would you feel if someone sat in front of your computer and was immediately able to access all of your Chrome passwords? That's a scenario that is dividing opinion after web designer Elliott Kember called Google's security practices into question by demonstrating how entering a simple URL allows a person with physical access to your machine to view your stored credentials.
Chrome is designed to ask users if they want to store the passwords they enter online, making it easier to access their favorite websites. If that option is chosen, Chrome saves a list of credentials in its settings, which can be toggled to display in clear text directly on the screen, a feature it has offered for many years. In his blog post, Kember points out that if a user visits chrome://settings/passwords in the browser, those passwords are just one click away, instead of three clicks through the settings UI.
"We don't want to provide users with a false sense of security."
Justin Schuh, Google's head of Chrome Security, took to Y Combinator to clarify why Google doesn't secure stored passwords, stating that it does not want "to provide users with a false sense of security and encourage risky behavior." Schuh's argument is that if a would-be attacker had access to a user's machine then "the game was lost," as there would be "too many vectors for [the attacker] to get what he wants."
This doesn't take into account a world where users don't set master passwords (in the browser or at the operating-system level), share computers, and aren't aware that it is so easy for someone to access their login details. Schuh argues that if a person already has access to a computer, they are free to access much more than browser data, but when Chrome provides an easy way to search passwords, an attacker could find, copy, and use a Facebook or Twitter password in a matter of seconds. It also calls into question why Google hasn't shared its security decisions more publicly in the past. If Google believes OS locks are a more secure way to protect a computer, why doesn't it provide a suitable warning for Chrome users?
Rival browsers are more careful with your passwords
Rival browsers Firefox and Safari let users view their passwords but incorporate additional security to better protect them. Mozilla recommends that Firefox users who share a public computer should set a master password (although this is off by default), and both Apple's Safari and Microsoft's Internet Explorer require the user to authenticate with a system password before revealing stored credentials. Chrome, on the other hand, has none of these measures in place.
Schuh explains that Google has "literally spent years" evaluating its security measures, giving it "quite a bit of data to inform our position." Schuh's response was blasted by Kember, the author of the original post, and the inventor of the World Wide Web, Sir Tim Berners-Lee, labelled it "a disappointing reply from [the] Chrome team."
Right now, Google sits at a crossroads. The Chrome browser is no longer a tool used only by enthusiasts and developers; it's a piece of software with huge global appeal that is capable of delivering web content to HD televisions. Many internet users aren't aware that their passwords are freely accessible, or may never have been shown how to lock their PC or Mac to stop someone from gaining entry to their computer. Google needs to decide whether it wants to implement options similar to its rivals, or face the prospect that users may look elsewhere for their browsing needs.