Google under fire for Chrome browser's password storage policy

Comments

  • Reply 21 of 79
    genovelle Posts: 1,480 member

    Quote:

    Originally Posted by EricTheHalfBee View Post



    Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.



    Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access" that was required for the iPhone security flaw?


    Big difference.  Here they have access to all of your passwords on your computer. The iPhone flaw was quickly fixed as well.  Google doesn't seem to think this is a problem.  That is a problem in and of itself.

  • Reply 22 of 79
    customtb Posts: 346 member
    So... let me get this straight... they compare someone... maybe a roommate... or a coworker... etc... with a couple minutes and the tech savvy of going to the control panel for a looksie to someone who is going to "dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software."

    That's like not locking your door because someone could throw a brick through the window if they really wanted in.
  • Reply 23 of 79


    Do you suppose folks at Google routinely keep a Post-It stuck to their monitors labeled "Secret - Please Don't peek" that has all of their passwords written on the back?


    Why would you want to tempt anyone around you that may be a bit ethically challenged?


    I doubt they leave their wallet on their desk either. 

  • Reply 24 of 79
    mstone Posts: 11,510 member


    I suppose no one remembers the Safari auto form fill exploit that could steal your entire address book in seconds. That was back in July 2010.

    I'm sure Google will fix this flaw next update.

    That is what security researchers do. They find flaws and then they get fixed.

  • Reply 25 of 79
    allenbf Posts: 993 member
    Oh no! I hope my wife doesn't find the password for our joint checking account!

    More click bait for the frothing google haters.
  • Reply 26 of 79
    jungmark Posts: 6,926 member
    To paraphrase Creepy Eric: if you don't want your passwords viewable, just move to another browser.
  • Reply 27 of 79
    allenbf Posts: 993 member
    disturbia wrote: »
    As I said many many times, Google has no culture, no products (except search), no respect for people's privacy and no talent.

    Even though they keep buying companies to get some smart developers, no matter how talented they are, as soon as they join Google, they become mother of all dumbs!

    On another note, Google hasn't started sending requests to various sites to lower down their tunes on this yet another Google security messed up? They always do that, you know.

    I probably speak for many when I say:

    "Huh?"
  • Reply 28 of 79
    customtb Posts: 346 member

    Quote:

    Originally Posted by mstone View Post


    I suppose no one remembers the Safari auto form fill exploit that could steal your entire address book in seconds. That was back in July 2010.

    I'm sure Google will fix this flaw next update.

    That is what security researchers do. They find flaws and then they get fixed.



    Except they said it's not a flaw and why bother.

  • Reply 29 of 79
    isteelers Posts: 738 member
    Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.

    Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access" that was required for the iPhone security flaw?

    Hardly the same situation as the access to the iPhone was limited, the sequence cumbersome, and passwords to other sites blocked anyway. Plus Apple fixed it.
  • Reply 30 of 79
    philboogie Posts: 7,675 member
    jungmark wrote: »
    To paraphrase Creepy Eric: if you don't want your passwords viewable, just move to another browser.

    Indeed. "If you've got something to hide, maybe you shouldn't be doing it in the first place"
  • Reply 31 of 79
    iaeen Posts: 588 member
    The problem is the flood of passwords to really do anything online anymore.  Using the same ones over and over is a terrible idea.

    Yes, but one should use a dedicated app from a well-known company that is in the business of selling secure products, not some built-in afterthought feature intended to add convenience for people who don't know any better.
    genovelle wrote: »
    Big difference.  Here they have access to all of your passwords on your computer. The iPhone flaw was quickly fixed as well.  Google doesn't seem to think this is a problem.  That is a problem in and of itself.

    This. I didn't really think it was that big of a deal until I read Google's response. The guy deserves to be flogged for releasing such an asinine comment as Google's official response.
  • Reply 32 of 79

    Quote:

    Originally Posted by SockRolid View Post

    Much of computer security is "mostly just theater" anyway.  And the show must go on.

    Just put up some UI for the user's system password before you display web passwords.

    Too busy to do even that much?  Or is there some kind of ideological roadblock?


    The ideological roadblock is there because YOU are not Google's customer... You are its product. Never lose sight of this distinction.

  • Reply 33 of 79

    Quote:

    Originally Posted by PhilBoogie View Post





    Indeed. "If you've got something to hide, maybe you shouldn't be doing it in the first place"


    What? Like accessing your banking information from your computer? Get a brain! 

  • Reply 34 of 79
    jungmark Posts: 6,926 member
    What? Like accessing your banking information from your computer? Get a brain! 

    Um he was quoting creepy Eric as well.
  • Reply 36 of 79
    philboogie Posts: 7,675 member
    philboogie wrote: »
    Indeed. "If you've got something to hide, maybe you shouldn't be doing it in the first place"
    What? Like accessing your banking information from your computer? Get a brain! 

    Me, or Eric?

    [edit] pipped by jungmark
  • Reply 37 of 79
    cmf Posts: 65 member

    Quote:



    Originally Posted by EricTheHalfBee View Post



    Remember the lock screen bypass for the iPhone where you get limited access if you're quick enough to perform the right sequence? People said it's no big deal since it requires the other person to have physical access to your device.



    Gee, kinda sounds familiar, doesn't it? Now what will the apologists say to this issue when they slammed the "physical device access" that was required for the iPhone security flaw?


    In many cases, physical access means "game over" as far as security is concerned.


    Quote:

    Originally Posted by Damn_Its_Hot View Post

    So Google's attitude is since there are already issues with security, why bother with having (i.e., fixing) security on parts of the system where they can throw up a barrier. Seems to me they are saying "Well they got hold of the computer so we might as well give them access to everything else this person has access to."

    Do no evil. Yeah...


    Did Google screw up? Sure, no question about that. But I wonder what the real answer is. Safari does present a password dialog when you ask it to show passwords, but I would wager that people's Admin passwords are no more secure than whatever they're typing into a form on some website. It's made to be easy because people have so many passwords that they forget which account is for which site. "Normal" people (e.g., my parents) don't use things like 1Password or understand why they need it.

    This isn't surprising, but I'm not sure how we move towards a situation where we're all using secure passwords. The idea of a Master Password isn't too bad, but you're (obviously) screwed if it gets out.

  • Reply 38 of 79
    d4njvrzf Posts: 797 member

    Quote:

    Originally Posted by Damn_Its_Hot View Post

    So Google's attitude is since there are already issues with security, why bother with having (i.e., fixing) security on parts of the system where they can throw up a barrier. Seems to me they are saying "Well they got hold of the computer so we might as well give them access to everything else this person has access to."

    Do no evil. Yeah...


    I think in their view, Safari's method of prompting for the login password isn't really more secure because if an attacker gets your account credentials, it doesn't make much difference if he has to enter them once or twice. Safari would be more secure if it instead required a separate password distinct from the user's login password. But that extra security comes with a trade-off in usability.

  • Reply 39 of 79
    philboogie Posts: 7,675 member
    Getting old now, but..

    "I once set my password to 'penis', but it was too short."
  • Reply 40 of 79
    isteelers wrote: »
    Hardly the same situation as the access to the iPhone was limited, the sequence cumbersome, and passwords to other sites blocked anyway. Plus Apple fixed it.
    Didn't I just say all that? Except for the part where it was fixed.

    What I'm talking about is the huge problem the fandroids made it out to be. And on many tech blogs today they're now trying to play this down as a minor issue. Again the usual hypocrisy from the haters.