topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 10:18 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Chrome’s insane password security strategy  (Read 19543 times)

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Chrome’s insane password security strategy
« on: August 17, 2013, 10:55 PM »
Judge for yourself if this link:

chrome://settings/passwords

Is what you think of when you think of password management and security.

http://blog.elliottk...rd-security-strategy

I'm not going to quote the article - visit it - it has several screenshots and whatnot, and I'm too lazy to replicate the article here.

It's a good read. Do check out some of the links at the bottom of the article as well. e.g. Wired's response is basically, "Shut up. This is normal."
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
« Last Edit: August 17, 2013, 10:57 PM by Renegade, Reason: BBCode doesn\'t work for non HTTP links it seems... »

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,641
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #1 on: August 18, 2013, 12:27 AM »
This isn't really that new, people have been asking for a Master Password feature, (ala Firefox), in Chrome since about 15 minutes after it obtained the ability to store passwords.

Google's response has always been the same: not interested.
« Last Edit: August 18, 2013, 03:22 AM by 4wd »

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #2 on: August 18, 2013, 11:12 AM »
This isn't really that new, people have been asking for a Master Password feature, (ala Firefox), in Chrome since about 15 minutes after it obtained the ability to store passwords.

Google's response has always been the same: not interested.

I guess from the fact that no extensions exist that do that very thing that there's no way to lock down access to that URL with an extension?

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,857
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #3 on: August 18, 2013, 11:54 AM »
Google's response has always been the same: not interested.

Besides, it would be just one more thing to wring their hands over and whine about "not legally being able to talk about it" next time the NSA comes calling...

Wired's response is basically, "Shut up. This is normal."

Wired is no longer Wired as many of us remember it - and hasn't been since 1998. Wired is now owned by Advance Publications and managed by their Conde Nast <*choke*> subservient subsidiary company.

Need more really be said?

 :-\

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #4 on: August 18, 2013, 01:07 PM »
Wired's response is basically, "Shut up. This is normal."

Wired is no longer Wired as many of us remember it - and hasn't been since 1998. Wired is now owned by Advance Publications and managed by their Conde Nast <*choke*> subservient subsidiary company.

Need more really be said?

 :-\

So you're saying that the downside of being "wired" is a matter of who's finger is on the button at the end of the cattle prod wires?

if <Kzzzzeeeeeerrrrtttt> (Resistance == futile) got it;




...Yes I've been drinking.  :D

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #5 on: August 18, 2013, 06:00 PM »
...Yes I've been drinking.  :D

It's the only option left to deal with reality for people that have a clue.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 3,017
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #6 on: August 20, 2013, 09:20 PM »
Aaaand it's in Chromium too.  Damn.  And it was such a fast browser...  :(

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,641
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #7 on: August 20, 2013, 11:40 PM »
Aaaand it's in Chromium too.  Damn.  And it was such a fast browser...  :(

Just had a look and Comodo Dragon does implement a Master Password:

2013-08-21 14_39_49-Settings - Search results - Comodo Dragon.png

Appears to work the same as Firefox's.
« Last Edit: August 20, 2013, 11:47 PM by 4wd »

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #8 on: August 20, 2013, 11:56 PM »
Google's response has always been the same: not interested.

Besides, it would be just one more thing to wring their hands over and whine about "not legally being able to talk about it" next time the NSA comes calling...

Wired's response is basically, "Shut up. This is normal."

Wired is no longer Wired as many of us remember it - and hasn't been since 1998. Wired is now owned by Advance Publications and managed by their Conde Nast <*choke*> subservient subsidiary company.

Need more really be said?

 :-\

The only thing Wired is much good for any more is covering issues that require membership in the International Brotherhood of Holier Than Thou Journalists because of the access and financial backing that comes along with it.
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

oblivion

  • Supporting Member
  • Joined in 2010
  • **
  • Posts: 491
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #9 on: August 21, 2013, 01:50 AM »
This isn't really that new, people have been asking for a Master Password feature, (ala Firefox), in Chrome since about 15 minutes after it obtained the ability to store passwords.

Google's response has always been the same: not interested.
So don't let it store passwords at all, and do something with lastpass / roboform / password gorilla / keepass / whatever instead. Or, hell, run your browser from a Truecrypt container.

There's always another way to skin any given cat. :)
-- bests, Tim

...this space unintentionally left blank.
« Last Edit: August 21, 2013, 01:52 AM by oblivion, Reason: Oops. :) »

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #10 on: August 21, 2013, 09:44 AM »
So don't let it store passwords at all, and do something with lastpass / roboform / password gorilla / keepass / whatever instead. Or, hell, run your browser from a Truecrypt container.

There's always another way to skin any given cat. :)

Now that you mention it... I get pretty bent out of shape about this... As is really bloody pissed.

----- Going to be a bit of history for those that don't know me -----

I first found DC through a review of ALZip here. I worked for ESTsoft at the time.

--- Enough history ---

ALPass does what 99.999% of people need/want. If you lose your ALPass master password, you're hosed. Completely hosed. Toast. Dead. Screwed.

http://www.altools.c.../ALTools/ALPass.aspx

ALPass (and ALToolbar) is a password manager where all encryption/decryption is done client side. ESTsoft couldn't help you recover a password if it wanted to.

THAT is what most people want. Clear text is just madness.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

oblivion

  • Supporting Member
  • Joined in 2010
  • **
  • Posts: 491
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #11 on: August 21, 2013, 10:26 AM »
There's always another way to skin any given cat. :)
Now that you mention it... I get pretty bent out of shape about this... As is really bloody pissed.
Easy, tiger. :)
ALPass does what 99.999% of people need/want.
I thought, here’s one I haven’t heard of, let alone tried. Oo. Roboform plus support and maybe even some integrity. Mm. Lots of yummy features. Excellent.

Then I saw the last line of text on the page.
ALPass requires Internet Explorer. It does not currently support Firefox, Opera, or other alternative web browsers.

Really? Even now?

Is there an emoticon for “disappointed”?  :o

If you lose your ALPass master password, you're hosed. Completely hosed. Toast. Dead. Screwed.

I know people get worried about the cloud, but the same is supposed to be true of Lastpass. Lastpass have Firefox and Chrome versions, I even managed -- after a fashion, and before I finally abandoned it -- to use the published workarounds for Opera. They even have an Android variant -- although that’s outside the things that are available for free, and it wasn’t quite as functional as I’d like.

Keepass (I seem to recall) has a linux variant. For that matter, although we’re all wary of the company behind the product after lots of us (yes, me included) had our lifetime licenses summarily revoked, Roboform’s security and functionality was years ahead of everyone else.

If these products delivered what people wanted, everyone would have them already. Something. Any-bloody-thing. No, what people want is not to have to think about it, and to be able to use PASSWORD123 on every website, banking service, data repository and fire alarm they ever meet or, better yet, nothing at all, and still to be able to complain, loudly and bitterly, that they’ve been let down by IT when their security is breached by some script kiddie with nothing better to do for ten minutes.

THAT is what most people want. Clear text is just madness.

I think, if I’m honest, most people want to feel secure without having to take many actions to ensure their own security. I KNOW I take password security more seriously than almost every normal (ie non-techie, non-geek) person I’ve ever met, and even I have a few frequently-used passwords stored in a CHS database. But there are people (no names, no pack drill) I know who COMPLAIN when their (carefully chosen and configured) DNS service stops them from routing a url via one of the snoopiest websites known to man because it means they can’t always click on a link in an email to a “bargain” new shiny thing.

There IS an overkill issue. Throw enough computer power at any stored, encrypted password and it’ll -- eventually -- be hacked. We tell people this and then that they have to use passwords they’ll struggle to remember and the last bit -- there’s a thing they can use to remember their passwords for them -- doesn’t make them feel that there’s a solution to the problem, it makes them feel like they’re handing over even more control to the technology brigade. And we wonder why people write their passwords down?
-- bests, Tim

...this space unintentionally left blank.

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #12 on: August 21, 2013, 02:51 PM »
On the whole I'm not all that bothered about Chrome's lack of password security primarily because I think even the significantly better security in Firefox is insufficent. I mean it's reasonably good all the way up until you use it and from then until you close it not so much. While that's fine for keeping your roommate from accessing your passwords if that's all you're worried about either you're not worried enough about online security or you really need a different roommate.

Personally I use KeePass. Besides storing passwords it also makes for a reasonably secure file container for a few small files I like to keep on my thumb drive which also has KeePass on it. It's also a much better generic solution since it's not limited to entering passwords in browsers and has pretty good functionality for sending information to other programs.

Besides, even if Chrome had a password encryption scheme it would automatically be suspect as long as the NSA has Google at least halfway under their thumb. Which seems to justify my general policy of not trusting anybody to provide me with both cloud services and any type of sensitive information beyond the scope of those services.
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #13 on: August 21, 2013, 03:10 PM »
Besides, even if Chrome had a password encryption scheme it would automatically be suspect as long as the NSA has Google at least halfway under their thumb. Which seems to justify my general policy of not trusting anybody to provide me with both cloud services and any type of sensitive information beyond the scope of those services.

THIS.gif

(thanks Ren!)

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,959
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #14 on: August 21, 2013, 03:37 PM »
(see attachment in previous post)
(thanks Ren!)

Favourite to win The Most Popular Gif for 2013 Award :up:
Tom

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #15 on: August 21, 2013, 06:31 PM »
Then I saw the last line of text on the page.
ALPass requires Internet Explorer. It does not currently support Firefox, Opera, or other alternative web browsers.

Really? Even now?

Is there an emoticon for “disappointed”?  :o

You have no idea... :( I lobbied for FF support. (This is in the days before Chrome.)

(thanks Ren!)

Hehehe!  :Thmbsup: (It's gonna annoy the crap out of someone! :D)
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,641
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #16 on: August 21, 2013, 10:42 PM »
On the whole I'm not all that bothered about Chrome's lack of password security primarily because I think even the significantly better security in Firefox is insufficent. I mean it's reasonably good all the way up until you use it and from then until you close it not so much.

Which is why anybody who uses Firefox' Master Password feature should at least be using the Master Password+ addon to at least give you auto-logout/lock capability, (but most of all to stop multiple simultaneous "Enter Master Password" prompts).

xtabber

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 618
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #17 on: August 22, 2013, 10:05 AM »
Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

I won't install Chrome on any of my PCs and will only run it from inside a VM. 

I use Android devices extensively, so I am automatically signed in to my Google accounts at all times, but I use Chrome as little as possible for browsing on those devices and always make sure that I have password saving disabled in any browser I use .  There are plenty of good Android browsers that offer much better privacy options.


Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #18 on: August 22, 2013, 11:33 AM »
Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

I won't install Chrome on any of my PCs and will only run it from inside a VM. 

I use Android devices extensively, so I am automatically signed in to my Google accounts at all times, but I use Chrome as little as possible for browsing on those devices and always make sure that I have password saving disabled in any browser I use .  There are plenty of good Android browsers that offer much better privacy options.

Huh? Are they syncing passwords and account info?

When I read the first few words of your post, my first reaction was to just pull some smartass stuff like, "Hey, let me fix that for you:"

Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

But jeez... Not even installing Chrome? Can you point us to any other resources or info?

Also - Stoic Joker - You know a few things about big data - care to jump in?
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #19 on: August 22, 2013, 12:09 PM »
Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

I won't install Chrome on any of my PCs and will only run it from inside a VM. 

I use Android devices extensively, so I am automatically signed in to my Google accounts at all times, but I use Chrome as little as possible for browsing on those devices and always make sure that I have password saving disabled in any browser I use .  There are plenty of good Android browsers that offer much better privacy options.



I don't think this is the case.  You have to actually sign into the browser.  Which I don't do.

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #20 on: August 22, 2013, 02:02 PM »
On the whole I'm not all that bothered about Chrome's lack of password security primarily because I think even the significantly better security in Firefox is insufficent. I mean it's reasonably good all the way up until you use it and from then until you close it not so much.

Which is why anybody who uses Firefox' Master Password feature should at least be using the Master Password+ addon to at least give you auto-logout/lock capability, (but most of all to stop multiple simultaneous "Enter Master Password" prompts).

No disagreement there but that's no excuse for such a glaring oversight. I can understand not automatically having it time out. I don't condone it but I know most users don't appreciate the risks enough to put up with the slight inconvenience. Not even offering it as a basic option is indefensible.

Honestly I'd not only include it, I'd have it enabled automatically. Most people who want to turn it off would search for instructions rather than just opening the options to look for themselves. They'd at least be exposed to a bunch of information about why they should leave it on.
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #21 on: August 22, 2013, 02:22 PM »
Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

I won't install Chrome on any of my PCs and will only run it from inside a VM. 

I use Android devices extensively, so I am automatically signed in to my Google accounts at all times, but I use Chrome as little as possible for browsing on those devices and always make sure that I have password saving disabled in any browser I use .  There are plenty of good Android browsers that offer much better privacy options.



I don't think this is the case.  You have to actually sign into the browser.  Which I don't do.

There are also options to selectively sync or not sync at all. And the data is encrypted before it leaves your computer. Actually the copies on Google's servers are probably a lot more secure than the ones on your computer.

The bigger problem IIRC is the default setting to sign you in automatically every time you open Chrome. In fact I don't even recall if that's a setting you can change and I think you also have to go to the Settings page to sign out even though the Sign In link is on every blank tab you open. That's just dishonest.
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #22 on: August 22, 2013, 02:26 PM »
The bigger problem IIRC is the default setting to sign you in automatically every time you open Chrome. In fact I don't even recall if that's a setting you can change and I think you also have to go to the Settings page to sign out even though the Sign In link is on every blank tab you open. That's just dishonest.

Which is why I don't ever do it.  And change my default page so I never see that trash again.

xtabber

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 618
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #23 on: August 22, 2013, 10:10 PM »
Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

I won't install Chrome on any of my PCs and will only run it from inside a VM. 

I use Android devices extensively, so I am automatically signed in to my Google accounts at all times, but I use Chrome as little as possible for browsing on those devices and always make sure that I have password saving disabled in any browser I use .  There are plenty of good Android browsers that offer much better privacy options.


I don't think this is the case.  You have to actually sign into the browser.  Which I don't do.

That is correct, you must sign in to sync.  And once signed in, you must explicitly sign out or you will remain signed in for future session.  When you are signed in, everything you do is synced with your account on Google's servers.

Google's description of how Chrome sync works has the following warning:

Don't sign in to Chrome if you're using a public or untrusted computer. When you set up Chrome with your Google Account, a copy of your data is stored on the computer you're using and can be accessed by other people using the same computer. To remove your data, delete the user you are signed in as.

If you take Google at their word, this indicates that signing out still leaves the synced information stored locally.

Of course, you can use Chrome without ever signing in, but as soon as you do, you have no control over what is spread around through the sync function.  As I said, I use Android devices and I also have ported my home and business phone numbers to Google Voice to keep them when I dumped the landlines they were attached to.  This means I need to sign into my Google accounts regularly. I just don't use Chrome to do so, because I don't want whatever is cached locally from other sessions to be synced to those Google accounts.


wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Chrome’s insane password security strategy
« Reply #24 on: August 23, 2013, 07:51 AM »
Of course, you can use Chrome without ever signing in, but as soon as you do, you have no control over what is spread around through the sync function.  As I said, I use Android devices and I also have ported my home and business phone numbers to Google Voice to keep them when I dumped the landlines they were attached to.  This means I need to sign into my Google accounts regularly. I just don't use Chrome to do so, because I don't want whatever is cached locally from other sessions to be synced to those Google accounts.

Yes, you do.  The answer is... nothing.  As I said, I never sign in.  Not to the browser.  Not to the extension manager.  It's a pain doing everything myself, but I don't for the very reason that you say.  I don't use sync.  I use xmarks to sync my bookmarks, 1Password for my passwords, and just do everything else manually.