Google under fire for Chrome browser's password storage policy

Comments

  • Reply 41 of 79
    auxioauxio Posts: 2,760member

    Quote:

    Originally Posted by d4NjvRzf View Post


     


    I think in their view, Safari's method of prompting for the login password isn't really more secure because if an attacker gets your account credentials, it doesn't make much difference if he has to enter them once or twice.



     


    It's possible (and far more common) to gain access to someone's computer without actually knowing their login information. Locally: someone gets up to go to the bathroom and doesn't lock their screen. Remotely: entice someone to open an email attachment or go to a malicious website.

  • Reply 42 of 79
    d4njvrzfd4njvrzf Posts: 797member

    Quote:

    Originally Posted by auxio View Post


     


    It's possible (and far more common) to gain access to someone's computer without actually knowing their login information. Locally: someone gets up to go to the bathroom and doesn't lock their screen. Remotely: entice someone to open an email attachment or go to a malicious website.



     


    Good point. That Google developer seems to think that users should lock their account when they step away from the computer and that it's the users' problem if they don't and something happens as a result.

  • Reply 43 of 79
    gazoobeegazoobee Posts: 3,754member

    Quote:

    Originally Posted by ipen View Post


     


    Great comment.  I never use password store feature either.  What's our brain for?



     


    If you are using a Mac however, the keychain stores all kinds of certificates and passwords and every time I've ever looked at it on someone's computer, it generally has saved passwords in it that the user is unaware are even there.  All it takes is one errant click one day when you are busy and you've saved a password.  


     


    Granted, Apple's keychain is highly secure and (rightly) requires your password to reveal what it contains, but another really common mistake of the average Mac user is not to have a password on their user account in the first place. So that leaves a lot of people in the exact same spot as the Chrome flaw we are talking about does. People are generally idiots when it comes to this stuff.


     


    There is no need to use a third-party password saver, Safari and the keychain do an excellent job of it, they are free, and they are probably more secure than anything else also, but absolutely huge numbers of people don't even use the user account password, which in this case is the "master" password that controls everything.

  • Reply 44 of 79
    gazoobeegazoobee Posts: 3,754member

    Quote:

    Originally Posted by auxio View Post


     


    It's possible (and far more common) to gain access to someone's computer without actually knowing their login information. Locally: someone gets up to go to the bathroom and doesn't lock their screen. Remotely: entice someone to open an email attachment or go to a malicious website.



     


    I would argue that in the first example (leaving your computer logged on and unattended), the person deserves whatever they get, but in the second example, it actually doesn't happen as often as you might think.  I work with hundreds of people who know nothing about computers or viruses and many of them aren't that smart, but only once or twice a year (if that), does anyone get tricked into putting their personal credentials into a web site or email scam. 

  • Reply 45 of 79
    solomansoloman Posts: 228member
    philboogie wrote: »
    Getting old now, but..

    "I once set my password to 'penis', but it was too short."

    ,but... I still laugh at it.

    In other news hermits say this is a non issue.
  • Reply 46 of 79
    I think the Chrome team may be missing the point. It doesn't take a hacker to exploit this feature. Anyone in the world can be a hacker with this in place. Many people leave their computer for a minute at work, now instead of posting a silly message on their Facebook wall, somebody can find all of their sensitive data in a minute, and bring that knowledge onto their own computer. At least make it take longer than 45 seconds to compromise all passwords to sensitive websites.
  • Reply 47 of 79
    paul94544paul94544 Posts: 1,027member
    Microsoft lightbulb joke translated into Googlespeak

    How many Google Engineers does it take to change a light Bulb?

    None - Google Engineers just suck all the Light out of you they need.
  • Reply 48 of 79
    noirdesirnoirdesir Posts: 1,027member

    Quote:

    Originally Posted by d4NjvRzf View Post


     


    I think in their view, Safari's method of prompting for the login password isn't really more secure because if an attacker gets your account credentials, it doesn't make much difference if he has to enter them once or twice. Safari would be more secure if it instead required a separate password distinct from the user's login password. 



    Which it does, it is just set to the user account password by default. I think the default setting is also for the keychain to stay unlogged (while a user is logged in). 


     


    But you can easily give the keychain a separate password which means when you want to use it for filling in a password you have to enter that password (either once per login or every time, as you wish).



     


  • Reply 49 of 79
    noirdesirnoirdesir Posts: 1,027member

    Quote:

    Originally Posted by Gazoobee View Post


     


    I would argue that in the first example (leaving your computer logged on and unattended), the person deserves whatever they get.



    I had left my computer unattended and remained logged in because my computer was in my locked house. But then somebody broke into my house and took the computer with him. Fortunately that person wasn't too bright and I was very lucky because three days later the thief was caught while breaking into another house and I got my computer back.


     


    A very smart thief might have just installed spy software on my Mac. A merely smart one would have changed the password for my email accounts and then used the email accounts to reset most of my other passwords (I spent a few hours resetting most of my passwords the moment I noticed the theft, which was only about three hours later). My thief instead googled for 'Windows password recovery' (I saw this from his browsing history).


     


    Nevertheless, I did restore from a backup prior to the theft just to be sure in case somebody had tampered with my computer. And I now have my computer lock after a few minutes and use full disk encryption.

  • Reply 50 of 79
    noirdesirnoirdesir Posts: 1,027member

    Quote:

    Originally Posted by d4NjvRzf View Post


     


    Good point. That Google developer seems to think that users should lock their account when they step away from the computer and that it's the users' problem if they don't and something happens as a result.



    Whoever believes there should only be one security level ever is very optimistic or rather very naive. 

  • Reply 51 of 79
    customtb wrote: »
    So... let me get this straight... they compare someone... maybe a roommate... or a coworker... etc... with a couple minutes and the tech savvy of going to the control panel for a looksie to someone who is going to "dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software."

    That's like not locking your door because someone could throw a brick through the window if they really wanted in.
    Couldn't agree more!
  • Reply 52 of 79
    kenwkkenwk Posts: 25member

    Quote:

    Originally Posted by ipen View Post


     


    (no culture, no products, no respect for privacy, no talent, mother of all dumbs) = failed company.  Glad I didn't have GOOG.


    (great culture, great products, great respect for privacy, great talent, mother of all talents) = successful company.  Bought AAPL.


     


    But wait, GOOG is up 26% YTD and AAPL is down 12% YTD?



    But wait since 2009 GOOG is up 277% but AAPL is up 506% during the same period  

  • Reply 53 of 79
    cpsrocpsro Posts: 3,232member


    Translation: "If we fix this gaping security hole, then we'll feel pressure to fix all of the other security holes we so carefully crafted. This isn't good for our business or the NSA's."


     


    Reminds me of Microsoft and Windows, where the security holes were features.

  • Reply 54 of 79
    macbook promacbook pro Posts: 1,605member
    The timing is nearly perfect considering that Apple has become a leader in information security in the past few years and may soon become the leader in information security.

    If Apple releases biometric security measures in conjunction with iCloud Keychain using 248 bit Triple DES encryption Apple will make Google look very amateurish.
  • Reply 55 of 79
    Why do any of these browsers offer a way to view cached passwords? If none of them offered that, there'd be no need to debate the best way to protect access from unauthorized users
  • Reply 56 of 79
    drowdrow Posts: 127member
    yay, demands for more security theater!
  • Reply 57 of 79
    drowdrow Posts: 127member
    customtb wrote: »
    That's like not locking your door because someone could throw a brick through the window if they really wanted in.

    more like, who bothers putting locks on the closet doors?
  • Reply 58 of 79
    jungmarkjungmark Posts: 6,927member
    techrider wrote: »
    Why do any of these browsers offer a way to view cached passwords? If none of them offered that, there'd be no need to debate the best way to protect access from unauthorized users

    In case you forget your password when you have to change it.
    drow wrote: »
    more like, who bothers putting locks on the closet doors?

    More like locking a safe than locks on a closet.
  • Reply 59 of 79
    relicrelic Posts: 4,735member
    cmf wrote: »
    In many cases, physical access means "game over" as far as security is concerned. 

    Exactly, once you have the user's admin password it's all over. Apple is especially vulnerable to this as you can change the password with just an OSX boot drive. Yes you can turn this off but I have yet to meet someone who has done it. Even if it's turned off I can still slave a Macbook or iMac with a Firewire and grab all information off of the hard drive, unless it's encrypted of course. Anyway, once the password is changed, log in with new password and type, "security find-generic-password -l AppleID -w" in the terminal to see all of the passwords stored in the Keychain.

    When storing web passwords I recommend using Norton's Secure Web, there are plugins for all of the major browsers.
  • Reply 60 of 79
    philboogiephilboogie Posts: 7,675member
    relic wrote: »
    cmf wrote: »
    In many cases, physical access means "game over" as far as security is concerned. 

    Exactly, once you have the user's admin password it's all over. Apple is especially vulnerable to this as you can change the password with just an OSX boot drive. Yes you can turn this off but I have yet to meet someone who has done it. Even if it's turned off I can still slave a Macbook or iMac with a Firewire and grab all information off of the hard drive, unless it's encrypted of course. Anyway, once the password is changed, log in with new password and type, "security find-generic-password -l AppleID -w" in the terminal to see all of the passwords stored in the Keychain.

    When storing web passwords I recommend using Norton's Secure Web, there are plugins for all of the major browsers.

    Good point. Will this work:

    Set up autolocking:

    1. Launch "Keychain Access".
    2. Right click on "login" keychain.
    3. Click "Change Settings for Keychain 'login'".
    4. Check the "Lock after:" box.
    5. Change the minutes of activity to whatever you want.

    You have the option of auto-locking after zero minutes of inactivity. You'll need to enter your master password every time Keychain needs to be accessed.