Chrome draws criticism for storing passwords unprotected
Something many people aren't aware of is the way web browsers store saved passwords locally,
for the ease of signing in to accounts whenever you return to a webpage. While all browsers
offer this functionality, Chrome has recently been criticized for storing passwords in plain text,
which are easily accessible by local users.
Software developer Elliot Kember highlighted the "insane" security strategy of Chrome, showing
that by heading to chrome://settings/passwords it's very easy to see passwords by simply clicking
the "Show" button. There is no option to hide these behind a master password, so anyone with
local access to your computer is a few clicks away from seeing all your stored website
passwords.
The situation is very similar with Firefox, as you can head to the Saved Passwords section of the
browser's options and see passwords with the same sort of effort. Firefox includes the option to
set a master password, but it's disabled by default, so, as with Chrome, for the majority of users
it's easy to find plain text passwords locally.
On the other hand, Internet Explorer stores passwords in the Web Credential Manager, which
requires you to re-enter your user account details to gain access. This is like forced master
password protection of your other account details, and could be seen as more secure.
Safari on Mac OS X uses a similar system for protection.
Justin Schuh, head of security on the Chrome team, claims that the lack of password-protected
stored passwords is by design. He says that when a malicious user accesses your account
on your PC it's essentially game over, as they can use a number of methods to get whatever
they want, including installing account-level monitoring software to circumvent master password
protection. Chrome therefore doesn't support using a master password to hide stored passwords
as they don't want to "provide users with a false sense of security".
Schuh does have a point about local account access, as it opens the door for any personal
information to be gathered. However, there are methods of preventing others from seeing your locally-stored
passwords, and possibly the best way is to use a secure cloud password manager such as
LastPass, which stores all your login credentials encrypted and protected by a master password.
The program also offers additional security measures like one-time passwords, a virtual keyboard
to protect against keyloggers, and multifactor authentication, so even in the event of unwanted
local access to your computer, passwords should remain safe.