It seems like almost every website you visit has a login of some sort. Managing and remembering them all is virtually impossible, so for convenience the major Web browsers offer a feature that saves your passwords. But a software developer has shown why it is a bad idea to trust this sensitive information to your browser, especially if your business uses Google Chrome.
Elliot Kember wrote a blog post about a critical weakness in Chrome's password handling. He had decided to switch from Safari to Chrome and wanted to import his Safari bookmarks so he would have the same sites and content in both browsers. He was alarmed to find that one of the "options" under "Import bookmarks and settings" is to import saved passwords. However, that option is grayed out and pre-checked, meaning it is mandatory and there is no way to opt out of importing saved passwords.
Aside from the irony of a checkbox for something that is clearly not optional, the import setting set off red flags for Kember. Chrome puts no barrier of its own in front of the passwords it stores: there is no master password gating the saved-password list, and anyone using the logged-in profile can reveal any entry by clicking the "show" button next to the password field. (On disk the store is wrapped with the operating-system user's login credentials, but that only keeps out other accounts on the same machine; it offers nothing against a person or program already acting as you.)
Kember writes in his post, “In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market—the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.”
As convenient as it may be, it is generally a bad idea to let your browser, any browser, store your password information. Granted, most do a better job of locking things down than Chrome, but a browser only manages passwords for websites and Web-based applications, so you would still need a separate tool for every other credential you hold.
Complexity is the enemy of security, and juggling dozens of unique passwords from memory pushes people toward reuse and shortcuts. Graham Cluley, a respected security expert, recommends a dedicated password management utility such as LastPass or 1Password. For Mac OS X users, iCloud Keychain (arriving with Mavericks) is another option.
The other enemy of security, however, is convenience. Any feature that makes it easier for you to recall login credentials or reach sensitive data also makes it easier for an attacker to exploit that same shortcut. A master key protecting stored passwords is better than none, but it is also an Achilles heel: whoever recovers the master key gets every password behind it. What keeps that from being a disaster is a master password that is genuinely hard to guess, combined with a vault format that makes each guess expensive to check.
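To make the trade-off concrete, here is an added example (it is not code from the article or from any password manager named in it) of how a vault can be tied to a master password and what an attacker who steals the vault file actually does. The vault layout, the `vault-verifier` label, the function names and the wordlist are all constructed for illustration; real products use their own formats and an authenticated cipher over the stored secrets, but the key derivation and the offline guessing loop look essentially like this.

```python
"""Added example: a master password as both protection and single point of failure.

The vault header stores only a random salt, an iteration count and a key
"verifier"; the encryption key is derived from the master password with
PBKDF2-HMAC-SHA256. Anyone holding the header can guess master passwords
offline and check each guess against the verifier, so the master password's
strength and the iteration cost are the whole defence.
All names and data here are illustrative, not any real product's format.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

KEY_LEN = 32
VERIFIER_LABEL = b"vault-verifier"  # constructed label, not a standard


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def create_vault(master_password: str, iterations: int = 100_000,
                 salt: Optional[bytes] = None) -> dict:
    """Build the vault header.

    The verifier is an HMAC of a fixed label under the derived key, so a
    master-password guess can be checked without the key itself being stored.
    """
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(vault: dict, guess: str) -> Optional[bytes]:
    """Return the vault key if `guess` is the master password, else None.

    This is the same check the legitimate user runs at unlock and the check
    an offline attacker runs once per guess; the cost is one PBKDF2 run.
    """
    key = derive_key(guess, vault["salt"], vault["iterations"])
    candidate = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return key if hmac.compare_digest(candidate, vault["verifier"]) else None


def offline_guess(vault: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack against a stolen vault header.

    Returns (recovered master password or None, number of guesses made).
    """
    for count, candidate in enumerate(wordlist, start=1):
        if unlock(vault, candidate) is not None:
            return candidate, count
    return None, len(wordlist)


# Constructed stand-in for a leaked-password list an attacker would try first.
WORDLIST = ["password", "123456", "qwerty", "letmein", "chrome2013", "correct horse"]

if __name__ == "__main__":
    weak = create_vault("letmein", iterations=1_000)
    strong = create_vault("gravel-orbit-7-lantern-fuse", iterations=100_000)
    print(offline_guess(weak, WORDLIST))    # ('letmein', 4)
    print(offline_guess(strong, WORDLIST))  # (None, 6)
```

The point the numbers make: the weak vault falls on the fourth guess regardless of how good the cipher is, while the strong one survives the whole list. Raising the iteration count multiplies the attacker's cost per guess by the same factor it costs you at unlock, which is a good trade for you and a bad one for them.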
In fairness to Chrome (and other browsers), this is not a remotely exploitable flaw. Reading the stored passwords requires an unlocked session on the PC or device, or code running under that user's account: the operating-system wrapping on the stored file unlocks for any process running as the user, so malware on the machine has the same access as someone sitting at the keyboard. The minimum mitigation is to lock your PC or mobile device whenever it is not in use, not to lend it out, and, if you must, to log other people in under a separate "guest" account so they cannot reach your personal browser profile.
But passwords are not going away any time soon, and you have to manage the seemingly endless list of complex passwords somehow. A dedicated password management tool is an effective solution and a better idea than the password-storing feature of a Web browser. From a business security and compliance perspective, users should be governed by policies that prohibit storing passwords in this manner, and on managed machines the setting should be enforced centrally rather than left to the user (Chrome exposes a PasswordManagerEnabled policy for exactly this purpose).
Kember ended with a challenge: “Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.”