or Connect
AppleInsider › Forums › General › General Discussion › Google under fire for Chrome browser's password storage policy
New Posts  All Forums:Forum Nav:

Google under fire for Chrome browser's password storage policy - Page 2

post #41 of 79
Quote:
Originally Posted by iSteelers View Post

Hardly the same situation as the access to the iPhone was limited, the sequence cumbersome, and passwords to other sites blocked anyway. Plus Apple fixed it.
Didn't I just say all that? Except for the part where it was fixed.

What I'm talking about is the huge problem the fandroids made it out to be. And on many tech blogs today they're now trying to play this down as a minor issue. Again the usual hypocrisy from the haters.

Author of The Fuel Injection Bible

Reply

Author of The Fuel Injection Bible

Reply
post #42 of 79
Quote:
Originally Posted by d4NjvRzf View Post

 

I think in their view, Safari's method of prompting for the login password isn't really more secure because if an attacker gets your account credentials, it doesn't make much difference if he has to enter them once or twice.

 

It's possible (and far more common) to gain access to someone's computer without actually knowing their login information.  Locally: someone gets up to go the bathroom and doesn't lock their screen.  Remotely: entice someone to open an email attachment or go to a malicious website.

 
Reply
 
Reply
post #43 of 79
Quote:
Originally Posted by auxio View Post

 

It's possible (and far more common) to gain access to someone's computer without actually knowing their login information.  Locally: someone gets up to go the bathroom and doesn't lock their screen.  Remotely: entice someone to open an email attachment or go to a malicious website.

 

Good point. That google developer seems to think that users should lock their account when they step away from the computer and that it's the users' problem if they don't and something happens as a result.


Edited by d4NjvRzf - 8/7/13 at 1:31pm
post #44 of 79
Quote:
Originally Posted by ipen View Post

 

Great comment.  I never use password store feature either.  What's our brain for?

 

If you are using a Mac however, the keychain stores all kinds of certificates and passwords and every time I've ever looked at it on someone's computer, it generally has saved passwords in it that the user is unaware are even there.  All it takes is one errant click one day when you are busy and you've saved a password.  

 

Granted, Apple's keychain is highly secure and (rightly) requires your password to reveal what it contains, but another really common mistake of the average mac user is not to have a password on their user account in the first place.  So that leaves a lot of people in the exact same spot as the Chrome flaw we are talking about does.  People are generally idiots when it comes to this stuff. 

 

There is no need to use a third party password saver, Safari and the keychain do an excellent job of it, they are free, and they are probably more secure than anything else also, but absolutely huge numbers of people don't even use the user account password, which in this case is the "master" password that controls everything.  

post #45 of 79
Quote:
Originally Posted by auxio View Post

 

It's possible (and far more common) to gain access to someone's computer without actually knowing their login information.  Locally: someone gets up to go the bathroom and doesn't lock their screen.  Remotely: entice someone to open an email attachment or go to a malicious website.

 

I would argue that in the first example (leaving your computer logged on and unattended), the person deserves whatever they get, but in the second example, it actually doesn't happen as often as you might think.  I work with hundreds of people who know nothing about computers or viruses and many of them aren't that smart, but only once or twice a year (if that), does anyone get tricked into putting their personal credentials into a web site or email scam. 

post #46 of 79
Quote:
Originally Posted by PhilBoogie View Post

Getting old now, but..

"I once set my password to 'penis', but it was too short."

,but... I still laugh at it.

In other news hermits say this is a non issue.
post #47 of 79
I think the chrome team may be missing the point. It doesn't take a hacker to exploit this feature. Anyone in the world can be a hacker with this in place. Many people leave their computer for a minute at work, now instead of posting a silly message on their Facebook wall, somebody can find all of their sensitive data in a minute, and bring that knowledge onto their own computer. At least make it take longer than 45 seconds to compromise all passwords to sensitive websites.
post #48 of 79
Microsoft lightbulb joke translated into Googlespeak How many Google Engineers does it take to change a light Bulb? None - Google Engineers just suck all the Light out of you they need.
post #49 of 79
Quote:
Originally Posted by d4NjvRzf View Post

 

I think in their view, Safari's method of prompting for the login password isn't really more secure because if an attacker gets your account credentials, it doesn't make much difference if he has to enter them once or twice. Safari would be more secure if it instead required a separate password distinct from the user's login password. 

Which it does, it is just set to the user account password by default. I think the default setting is also for the keychain to stay unlogged (while a user is logged in). 

 

But you can easily give the keychain a separate password which means when you want to use it for filling in a password you have to enter that password (either once per login or every time, as you wish).

 

post #50 of 79
Quote:
Originally Posted by Gazoobee View Post

 

I would argue that in the first example (leaving your computer logged on and unattended), the person deserves whatever they get.

I had left my computer unattended and remained logged in because my computer was in my locked house. But then somebody broke into my house and took the computer with him. Fortunately that person wasn't too bright and I was very lucky because three days later the thief was caught while breaking into another house and I got my computer back.

 

A very smart thief might have just installed spy software on my Mac. A merely smart one would have changed the password for my email accounts and then used the email accounts to reset most of my other passwords (I spend a few hours resetting most of my passwords the moment I noticed the theft, which was only about three hours later). My thief instead googled for 'Windows password recovery' (I saw this from his browsing history). 

 

Nevertheless, I did restore from a backup prior to the theft just to be sure in case somebody had tampered with my computer. And I now have my computer lock after a few minutes and use full disk encryption.

post #51 of 79
Quote:
Originally Posted by d4NjvRzf View Post

 

Good point. That google developer seems to think that users should lock their account when they step away from the computer and that it's the users' problem if they don't and something happens as a result.

Whoever believes there should only be one security level ever is very optimistic or rather very naive. 

post #52 of 79
Quote:
Originally Posted by CustomTB View Post

So... let me get this straight... they compare someone... maybe a roommate... or a coworker... etc... with a couple minutes and the tech savy of going to the control panel for a looksie to someone who is going to "dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software."

That's like not locking your door because someone could throw a brick through the window if they really wanted in.
Couldn't agree more!
post #53 of 79
Quote:
Originally Posted by ipen View Post

 

(no culture, no products, no respect for privacy, no talent, mother of all dumbs) = failed company.  Glad I didn't have GOOG.

(great culture, great products, great respect for privacy, great talent, mother of all talents) = successful company.  Bought AAPL.

 

But wait, GOOG is up 26% YTD and AAPL is down 12% YTD?

But wait since 2009 GOOG is up 277% but AAPL is up 506% during the same period  

post #54 of 79

Translation: "If we fix this gaping security hole, then we'll feel pressure to fix all of the other security holes we so carefully crafted. This isn't good for our business or the NSA's."

 

Reminds me of Microsoft and Windows, where the security holes were features.

post #55 of 79
The timing is nearly perfect considering that Apple has become a leader in information security in the past few years and may soon become the leader in information security.

If Apple releases biometric security measures in conjunction with iCloud Keychain using 248 bit Triple DES encryption Apple will make Google look very amateurish.
post #56 of 79
Why do any of these browsers offer a way to view cached passwords? If none of them offered that, there'd be no need to debate the best way to protect access from unauthorized users
post #57 of 79
yay, demands for more security theater!
>>< drow ><<
Reply
>>< drow ><<
Reply
post #58 of 79
Quote:
Originally Posted by CustomTB View Post

That's like not locking your door because someone could throw a brick through the window if they really wanted in.

more like, who bothers putting locks on the closet doors?
>>< drow ><<
Reply
>>< drow ><<
Reply
post #59 of 79
Quote:
Originally Posted by techrider View Post

Why do any of these browsers offer a way to view cached passwords? If none of them offered that, there'd be no need to debate the best way to protect access from unauthorized users

In case you forget your password when you have to change it.
Quote:
Originally Posted by drow View Post

more like, who bothers putting locks on the closet doors?

More like locking a safe than locks on a closet.
post #60 of 79
Quote:
Originally Posted by CMF View Post

In many cases, physical access means "game over" as far as security is concerned. 

Exactly, once you have the users admins password it's all over. Apple is especially vulnerable to this as you can change the password with just an OSX boot drive. Yes you can turn this off but I have yet to meet someone who has done it. Even if it's turned off I can still slave a Macbook or iMac with a Firewire and grab all information off of the hardrive, unless it's encrypted of course. Anyway, once the password is changed, login with new password and type, "security find-generic-password -l AppleID -w"in the terminal to see all of the passwords stored in the Keychain.

When storing web passwords I recommend using Norton's Secure Web, there is plugins for all of the major browsers.
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
post #61 of 79
Quote:
Originally Posted by Relic View Post

Quote:
Originally Posted by CMF View Post

In many cases, physical access means "game over" as far as security is concerned. 

Exactly, once you have the users admins password it's all over. Apple is especially vulnerable to this as you can change the password with just an OSX boot drive. Yes you can turn this off but I have yet to meet someone who has done it. Even if it's turned off I can still slave a Macbook or iMac with a Firewire and grab all information off of the hardrive, unless it's encrypted of course. Anyway, once the password is changed, login with new password and type, "security find-generic-password -l AppleID -w"in the terminal to see all of the passwords stored in the Keychain.

When storing web passwords I recommend using Norton's Secure Web, there is plugins for all of the major browsers.

Good point. Will this work:

Setup autolocking:

1. Launch "Keychain Access".
2. Right click on "login" keychain.
3. Click "Change Settings for Keychain 'login'".
4. Check the "Lock after:" box.
5. Change the minutes of activity to whatever you want.

You have the option of auto-locking after zero minutes of inactivity. You'll need to enter your master password every time Keychain needs to be accessed.
post #62 of 79
Quote:
Originally Posted by drblank View Post

That doesn't sound good. The more I read, the more Google should have stayed out of the smartphone, tablet, computer and browser market.

I'm glad I use only Safari and Firefox.

Firefox has the exact same system as Chrome. Go to Options in Firefox - Security - Saved Passwords - Show Saved Passwords. Just click yes and there you go.

Try this in Safari. Enable 'Show Develop menu in menu bar' in the advanced tab of the settings. Then go to a website where your password has been saved for auto fill in. Control-click on the password (masked at this point) and select 'inspect element' and change the type from "password" to "text". Your password should be in plain text visible for anyone to see now.

The Safari keychain encryption is easily beaten. Google is right here in saying that from the moment someone has physical access to your computer any extra security is only there to give you a false feeling of security.
Edited by Chipsy - 8/8/13 at 10:27pm
post #63 of 79
Quote:
Originally Posted by CMF View Post

 

In many cases, physical access means "game over" as far as security is concerned. 

 

 

Did Google screw up? Sure, no question about that. But I wonder what the real answer is. Safari does present a password dialog when you ask it to show passwords, but I would wager that people's Admin passwords are no more secure that whatever they're typing into a form on some website. It's made to be easy because people have so many passwords that they forget which account is for which site. "Normal" people (e.g, my parents) don't use things like 1Password or understand why they need it.

 

This isn't surprising, but I'm not sure how we move towards a situation where we're all using secure passwords. The idea of a Master Password isn't too bad, but you're (obviously) screwed if it gets out.

Except, forcing the user to enter a "master password" simply gives the user the illusion of security, and really doesn't provide any extra security.  Unless the master password is entered EVERY time the user starts up the web browser, the passwords have to either be stored in plain text, or be encrypted, but the decryption key must be stored in plain text.  There IS NO SECURITY for most password managers.  It simply does not exist.  Anyone who knows ANYTHING about computer security would realize this.

 

The difference is that google is upfront and honest about the issue, whereas apple attempts to hide the passwords using the age old "security by obscurity" model.  Making it semi-difficult to get access to the passwords does not make them safer, not when anyone who really wants them can easily get to them. 

 

However, it seems everyone on this forum just wants to bash google because they dare to compete against apple (thus forcing apple to make better products).  I swear sometimes I think everyone on this forum must own tons of apple stock and don't really care about apple products or the experience.  The primary concern is cutting down competitors, and looking out to ensure that apple makes more profits than the oil companies.  

 

Phil

post #64 of 79
Quote:
Originally Posted by patrickwalker View Post

 

The problem is the flood of passwords to really do anything online anymore.  Using the same ones over and over is a terrible idea.

 

Simple, just store the encryption algorithm(s) in the brain and use the website domain as a seed then every website will have a different password.

post #65 of 79
Quote:
Originally Posted by PhilBoogie View Post


Good point. Will this work:

Setup autolocking:

1. Launch "Keychain Access".
2. Right click on "login" keychain.
3. Click "Change Settings for Keychain 'login'".
4. Check the "Lock after:" box.
5. Change the minutes of activity to whatever you want.

You have the option of auto-locking after zero minutes of inactivity. You'll need to enter your master password every time Keychain needs to be accessed.

 

 

Yep, good find. Here is a detailed how too for those who want to use PhilBoogie's idea. The problem is there are still many workarounds to get website passwords, Chipsy pointed out a major hole a few posts above with Safari. There are very few people who actually follow proper security protocols making most computers extremely vulnerable when they are physically in front of an unwanted user. It still dumbfounds me the amount of people who still use auto login, don't set a firmware password to stop the resetting of the OSX users password through the Installation Tools found on the boot medium and especially don't encrypt their home directories with File Vault. I personally moved my entire home-directory onto a high speed SD card in my Macbook Air. This way I always have my data with me, in which ever device I'm currently using. I know it sounds like an overkill but I think it's really convenient, my data and the fact that the Keychain data is stored under the Library folder in the home directory, their never untended.


Edited by Relic - 8/8/13 at 1:29pm
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
post #66 of 79
To be fair, I copied it from a website. But yes, I do know about this keychain protection, and use it. I don't have auto login, and tell people not to use it either. And explain to them why.

I also have all of my HDD's and SSD encrypted, but don't use FileVault (because of how messy v1 was) v2 supposedly is way better; I should make to time to read up on it.

From the SD Card link, I take it you're using a 64GB card? Does the Air read a SDHC 128GB Card? Someone here (mstone?) that a 128GB card didn't work with the CCK for iPad use.
post #67 of 79
Quote:
Originally Posted by Gazoobee View Post

 

I would argue that in the first example (leaving your computer logged on and unattended), the person deserves whatever they get, but in the second example, it actually doesn't happen as often as you might think.  I work with hundreds of people who know nothing about computers or viruses and many of them aren't that smart, but only once or twice a year (if that), does anyone get tricked into putting their personal credentials into a web site or email scam. 

 

I was just trying to give examples of cases where someone can gain access to your machine without actually needing to know your login information (hence refuting the "if they have access to your computer they already know your login" argument).

 

For the second case, I meant buffer overflow attacks where the malicious website/attachment exploits some security hole in your browser/email client, thereby gaining full access to your computer without knowing your login.  After that, the payload could be a program which harvests your Google password store and uploads it somewhere.

 
Reply
 
Reply
post #68 of 79
Quote:
Originally Posted by sflocal View Post

If it were Apple, this would be on CNN, Fox, and Jon Stewart.

Since this is Google, it's irrelevant.  Fanboys and iHaters will simply call this a "feature" and hope everyone forgets about it in a week.

That's because people expect Google to screw up and when Apple does, it's a MAJOR news story, but when Google does something wrong, it's tiny little article that hardly anyone sees.  I'm on to Google's lobbying efforts, I wonder how many Nexus Phones or Google Glass they are handing out under the table to people in the media?   I wouldn't put it past Google to do that as damage control, but I already know Apple doesn't hand out product like Candy to people in the media.  They loan products out for product announcements, but they don't give them away.

post #69 of 79
Quote:
Originally Posted by PhilBoogie View Post

To be fair, I copied it from a website. But yes, I do know about this keychain protection, and use it. I don't have auto login, and tell people not to use it either. And explain to them why.

I also have all of my HDD's and SSD encrypted, but don't use FileVault (because of how messy v1 was) v2 supposedly is way better; I should make to time to read up on it.

From the SD Card link, I take it you're using a 64GB card? Does the Air read a SDHC 128GB Card? Someone here (mstone?) that a 128GB card didn't work with the CCK for iPad use.

Oh sorry I wasn't emplying that your howto was incorrect, I just provided a link because it shows why you would want this and has pretty pictures. The 128GB SD cards work fine but there not the fastest. The 64GB was a good compromise between speed and storage.
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
post #70 of 79
Quote:
Originally Posted by Relic View Post

Oh sorry I wasn't emplying that your howto was incorrect, I just provided a link because it shows why you would want this and has pretty pictures. The 128GB SD cards work fine but there not the fastest. The 64GB was a good compromise between speed and storage.

1) No sorry needed.

2) Yep, better to focus on the balance of speed and storage.

3) So, ok, the Air does take 128GB cards; thanks.

4) Some put a small portion of their Fusion Drive on an USB stick; creating a Security Key. That way the Mac can only boot with the USB stick in it. Mentioned here:
http://forums.appleinsider.com/t/155321/apples-fusion-drive-now-available-on-new-entry-level-21-5-imac-orders/80
post #71 of 79
Quote:
Originally Posted by drblank View Post

That's because people expect Google to screw up and when Apple does, it's a MAJOR news story, but when Google does something wrong, it's tiny little article that hardly anyone sees.  I'm on to Google's lobbying efforts, I wonder how many Nexus Phones or Google Glass they are handing out under the table to people in the media?   I wouldn't put it past Google to do that as damage control, but I already know Apple doesn't hand out product like Candy to people in the media.  They loan products out for product announcements, but they don't give them away.

To be fair this is not a new story, it has been discussed multiple times over the years. I would also argue that iHaters do their fair share of Google hating as well, your post being a pretty good example. It's our human nature to nip at the heals of the biggest guy on the block, it shouldn't be seen as a bad thing but a sign that Apple is doing well. It's when the industry stops talking about them in any light that you should start being offended.

I haven't heard of any such practice's by Google, bribing reporters with cheap gadgets. Google has always given away free products, especially at their conferences and to reviewers. I visited their campus in Switzerland a year back and you should have seen the swag bag I came home with, Chromebook, T-Shirts and hats for the kids, leather letterman jacket, Google Swatch, Converse with Google colours, Google TV device and a whole lot more. I'm not part of any media outfit, I was just visiting a friend on her birthday. Granted she is a department head and has the keys to the swag room, boy did I raid that place, she kept saying, oh you defiantly want one of these, who was I to argue. 1smile.gif
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
post #72 of 79
Quote:
Originally Posted by PhilBoogie View Post


4) Some put a small portion of their Fusion Drive on an USB stick; creating a Security Key. That way the Mac can only boot with the USB stick in it. Mentioned here:
http://forums.appleinsider.com/t/155321/apples-fusion-drive-now-available-on-new-entry-level-21-5-imac-orders/80

That would be a good argument for a Thunderbolt type storage device the size of a USB stick. Call it a ThunderStick, oh that's kind of dirty. Walk into an Apple store and try to order one of those with a straight face. "Yes, I would like the biggest ThunderStick you have please", Apple clerk with a funny smirk on his face, "maam I don't think that's very appropriate", another clerk jumps in,"it's okay Jay, I think I have what the lady wants", "huh, oh no, wait a minute".
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
post #73 of 79
Quote:
Originally Posted by Relic View Post

That would be a good argument for a Thunderbolt type storage device the size of a USB stick. Call it a ThunderStick, oh that's kind of dirty. Walk into an Apple store and try to order one of those with a straight face. "Yes, I would like the biggest ThunderStick you have please", Apple clerk with a funny smirk on his face, "maam I don't think that's very appropriate", another clerk jumps in,"it's okay Jay, I think I have what the lady wants", "huh, oh no, wait a minute".

Fortunately they're bus-powered. Otherwise it would be odd to say that your stick ran out of juice.
post #74 of 79
Quote:
Originally Posted by PhilBoogie View Post


4) Some put a small portion of their Fusion Drive on an USB stick; creating a Security Key. That way the Mac can only boot with the USB stick in it. Mentioned here:
http://forums.appleinsider.com/t/155321/apples-fusion-drive-now-available-on-new-entry-level-21-5-imac-orders/80

That's a pretty good system, one of which I wasn't aware of yet. I also like Yubikeys http://www.yubico.com/products/yubikey-hardware/. If you want decent security, using hardware authentication is still your best bet in my opinion.
post #75 of 79
Quote:
Originally Posted by Relic View Post


To be fair this is not a new story, it has been discussed multiple times over the years. I would also argue that iHaters do their fair share of Google hating as well, your post being a pretty good example. It's our human nature to nip at the heals of the biggest guy on the block, it shouldn't be seen as a bad thing but a sign that Apple is doing well. It's when the industry stops talking about them in any light that you should start being offended.

I haven't heard of any such practice's by Google, bribing reporters with cheap gadgets. Google has always given away free products, especially at their conferences and to reviewers. I visited their campus in Switzerland a year back and you should have seen the swag bag I came home with, Chromebook, T-Shirts and hats for the kids, leather letterman jacket, Google Swatch, Converse with Google colours, Google TV device and a whole lot more. I'm not part of any media outfit, I was just visiting a friend on her birthday. Granted she is a department head and has the keys to the swag room, boy did I raid that place, she kept saying, oh you defiantly want one of these, who was I to argue. 1smile.gif

 

 

WOW, aren't you special.    Google to me makes poor code. and doesn't know what they are doing.  Boy, your friend sure as heck bought you off.  Hook, Line, and SUCKER.  I've gotten free stuff from most mfg, but it doesn't mean I'm going to stick up for them.

 

She GAVE you a Chromebook?  Apple does NOT give away computers, they will give away T-shirt and coffee mugs and if they hand out anything more than that its because you did a lot of sales or something else with a customer like invite Apple to have a partner day at a customer's site.  


Edited by drblank - 8/9/13 at 7:12am
post #76 of 79
Quote:
Originally Posted by Relic View Post


To be fair this is not a new story, it has been discussed multiple times over the years. I would also argue that iHaters do their fair share of Google hating as well, your post being a pretty good example. It's our human nature to nip at the heals of the biggest guy on the block, it shouldn't be seen as a bad thing but a sign that Apple is doing well. It's when the industry stops talking about them in any light that you should start being offended.

I haven't heard of any such practice's by Google, bribing reporters with cheap gadgets. Google has always given away free products, especially at their conferences and to reviewers. I visited their campus in Switzerland a year back and you should have seen the swag bag I came home with, Chromebook, T-Shirts and hats for the kids, leather letterman jacket, Google Swatch, Converse with Google colours, Google TV device and a whole lot more. I'm not part of any media outfit, I was just visiting a friend on her birthday. Granted she is a department head and has the keys to the swag room, boy did I raid that place, she kept saying, oh you defiantly want one of these, who was I to argue. 1smile.gif

Yeah, they don't hand out cheap gadgets, they'll hand out expensive gadgets and SWAG.  But they gave you expensive stuff, and you're not the media.  I wonder how much of these so-called SWAG they give to the media?  So, you just validated what I was suspecting.

post #77 of 79
Quote:
Originally Posted by drblank View Post

 

 

WOW, aren't you special.    Google to me makes poor code. and doesn't know what they are doing.  Boy, your friend sure as heck bought you off.  Hook, Line, and SUCKER.  I've gotten free stuff from most mfg, but it doesn't mean I'm going to stick up for them.

 

She GAVE you a Chromebook?  Apple does NOT give away computers, they will give away T-shirt and coffee mugs and if they hand out anything more than that its because you did a lot of sales or something else with a customer like invite Apple to have a partner day at a customer's site.  

We grew up together and if she wanted something from me all she would need to do is ask, not buy me off with silly stuff that I didn't want or ask for, she gave it to my kids, though I did keep the Chromebook, which I have to say I really like. She works in media relationships, used to work for the NY Times Euro Desk. She has more integrity than any person I have ever met and I know she wouldn't buy off any one person for a good story on some blog. The Chromebook I got was a in house development platform, not meant for general use. All of the employees got one, so they threw a bunch of the overstock into the swag room for guests of the facility. Your view of Google is your own business but as I have many friends who work for them and am a long time user of their services I personally like them, especially the way they treat their employees. It is probably the best company to work for.

When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
post #78 of 79
The feature that makes you enter your account password to view saved credentials in Safari is actually part of the system called Keychain. In fact both Firefox & Chrome could also save your passwords in Keychain as well if they wanted to, they intentionally choose not to.

Also, it isn't your user password that allows you to see the credentials it's your keychain password, it is actually possible to make them different. What happens is when you first create your account on a Mac it uses the password you enter to encrypt your keychain so that the passwords then match. When you login to your Mac it automatically applies that password toward keychain to allow apps that save passwords to automatically log in as well. If someone stole your laptop & reset your user account password using an install disk they can't open your keychain because it's password is impossible to reset without totally wiping out your keychain & starting from scratch (bye bye saved passwords).

Keychain is awesome and for years I've tried to teach users how to open it & create manual entries to keep track of passwords they don't necessarily access via web. Alas even after showing them several times I still know users who keep a text document or sticky note with everything from facebook to bank accounts.
post #79 of 79
Quote:
Originally Posted by Gatorguy View Post


As other posters here have commented under similar circumstances, it requires physical access to your computer (or smartphone or tablet as the argument would be) and so they proclaim it's not that big a deal.

In my opinion it's still not acceptable no matter if a malicious person needs your device in front of him or not. It's even an easy enough fix if Google chooses to do so, which I hope they do.

Perhaps, but since Google's service syncs your passwords across all systems wouldn't this mean that if someone happened to get ahold of your Google account password they could then sign it into chrome & suddenly have all your bank passwords?

 

Keychain (password store used by Safari) by comparison requires them to sign in to iCloud in order to do this, which then registers your computer serial with Apple & alerts the user by e-mail that someone just setup their icloud account on a new computer.

New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: General Discussion
AppleInsider › Forums › General › General Discussion › Google under fire for Chrome browser's password storage policy