Chrome’s insane password security strategy

Vurbal:
On the whole I'm not all that bothered about Chrome's lack of password security primarily because I think even the significantly better security in Firefox is insufficient. I mean it's reasonably good all the way up until you use it and from then until you close it not so much.
-Vurbal (August 21, 2013, 02:51 PM)
--- End quote ---

Which is why anybody who uses Firefox' Master Password feature should at least be using the Master Password+ addon to at least give you auto-logout/lock capability, (but most of all to stop multiple simultaneous "Enter Master Password" prompts).
-4wd (August 21, 2013, 10:42 PM)
--- End quote ---

No disagreement there but that's no excuse for such a glaring oversight. I can understand not automatically having it time out. I don't condone it but I know most users don't appreciate the risks enough to put up with the slight inconvenience. Not even offering it as a basic option is indefensible.

Honestly I'd not only include it, I'd have it enabled automatically. Most people who want to turn it off would search for instructions rather than just opening the options to look for themselves. They'd at least be exposed to a bunch of information about why they should leave it on.

Vurbal:
Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

I won't install Chrome on any of my PCs and will only run it from inside a VM. 

I use Android devices extensively, so I am automatically signed in to my Google accounts at all times, but I use Chrome as little as possible for browsing on those devices and always make sure that I have password saving disabled in any browser I use. There are plenty of good Android browsers that offer much better privacy options.

-xtabber (August 22, 2013, 10:05 AM)
--- End quote ---

I don't think this is the case.  You have to actually sign into the browser.  Which I don't do.
-wraith808 (August 22, 2013, 12:09 PM)
--- End quote ---

There are also options to selectively sync or not sync at all. And the data is encrypted before it leaves your computer. Actually the copies on Google's servers are probably a lot more secure than the ones on your computer.

The bigger problem IIRC is the default setting to sign you in automatically every time you open Chrome. In fact I don't even recall if that's a setting you can change and I think you also have to go to the Settings page to sign out even though the Sign In link is on every blank tab you open. That's just dishonest.

wraith808:
The bigger problem IIRC is the default setting to sign you in automatically every time you open Chrome. In fact I don't even recall if that's a setting you can change and I think you also have to go to the Settings page to sign out even though the Sign In link is on every blank tab you open. That's just dishonest.
-Vurbal (August 22, 2013, 02:22 PM)
--- End quote ---

Which is why I don't ever do it.  And change my default page so I never see that trash again.

xtabber:
Chrome has another gigantic security hole baked in: if you sign in to your Google account, it automatically syncs with Google's servers and caches account information on whatever computer you signed in from.

I won't install Chrome on any of my PCs and will only run it from inside a VM. 

I use Android devices extensively, so I am automatically signed in to my Google accounts at all times, but I use Chrome as little as possible for browsing on those devices and always make sure that I have password saving disabled in any browser I use. There are plenty of good Android browsers that offer much better privacy options.

-xtabber (August 22, 2013, 10:05 AM)
--- End quote ---

I don't think this is the case.  You have to actually sign into the browser.  Which I don't do.
-wraith808 (August 22, 2013, 12:09 PM)
--- End quote ---

That is correct, you must sign in to sync. And once signed in, you must explicitly sign out or you will remain signed in for future sessions. When you are signed in, everything you do is synced with your account on Google's servers.

Google's description of how Chrome sync works has the following warning:

Don't sign in to Chrome if you're using a public or untrusted computer. When you set up Chrome with your Google Account, a copy of your data is stored on the computer you're using and can be accessed by other people using the same computer. To remove your data, delete the user you are signed in as.

If you take Google at their word, this indicates that signing out still leaves the synced information stored locally.

Of course, you can use Chrome without ever signing in, but as soon as you do, you have no control over what is spread around through the sync function.  As I said, I use Android devices and I also have ported my home and business phone numbers to Google Voice to keep them when I dumped the landlines they were attached to.  This means I need to sign into my Google accounts regularly. I just don't use Chrome to do so, because I don't want whatever is cached locally from other sessions to be synced to those Google accounts.

wraith808:
Of course, you can use Chrome without ever signing in, but as soon as you do, you have no control over what is spread around through the sync function.  As I said, I use Android devices and I also have ported my home and business phone numbers to Google Voice to keep them when I dumped the landlines they were attached to.  This means I need to sign into my Google accounts regularly. I just don't use Chrome to do so, because I don't want whatever is cached locally from other sessions to be synced to those Google accounts.
-xtabber (August 22, 2013, 10:10 PM)
--- End quote ---

Yes, you do.  The answer is... nothing.  As I said, I never sign in.  Not to the browser.  Not to the extension manager.  It's a pain doing everything myself, but I don't for the very reason that you say.  I don't use sync.  I use xmarks to sync my bookmarks, 1Password for my passwords, and just do everything else manually.
