It pains me to criticize a browser that I typically praise and recommend, but I can’t play favorites when it comes to security. An article by Elliott Kember pointed out a glaring security controversy within Chrome that has the various tech ideology camps (hackers, security analysts, developers, power-users etc.) bickering over some of the most basic elements of data security. In a nutshell, Chrome (like all browsers) has the ability to save passwords for any website you visit, and when this feature is enabled (it is, by default) it will ask you politely if you’d like to save that password you just entered for this website. Here’s the controversy: if you go into Chrome’s advanced settings and view the list of passwords saved by the browser, you can actually click on each password and view it in clear text. Not the usual black bullets we’re used to seeing – you can actually read the password. Go ahead, see for yourself. I’ll wait.
I was literally gobsmacked when I found this out, as I have been using Chrome ever since it was released to the public. “They obviously haven’t thought this out!” I said to myself, but it seems that the head of Chrome’s security development thinks otherwise (warning: geeks arguing on the internet – the knives are out!); the basis of his argument is that if someone other than you is physically sitting at your computer and can manipulate the mouse and keyboard to the point where they can get to this screen, then any security precautions Chrome could put in place are essentially null. This is actually a position I share regularly with my clients: if someone has physical control of your device, most security measures like passwords will do much less to protect you than you think. HOWEVER…
What this means for you:
Yes, if someone unsavory has possession of your hardware and are appropriately trained/equipped, even a strong password isn’t going to keep them at bay for long. But what about the time your roomate or co-worker asks to borrow your laptop real quick to do [random, innocuous websurfing task]. Sure, no problem, you close out of whatever sensitive websites you might have open and push it over to him. Let’s say this person’s intentions aren’t completely honorable, but he also knows he doesn’t have much time to go browsing around randomly through your bookmarks or history to see if any website sessions are still valid (ie. you’ve recently entered a password, and a cookie provides convenient re-opening of a website). But he does know that Chrome has this particular flaw, and he quickly glances through the saved password list, memorizing a couple critical ones to use for later wreaking of havoc.
Scared now? It’s not clear whether Chrome will ever fix this “issue” when they don’t recognize it as such. I rarely let anyone else use my laptop or desktop, but I’m still erasing all my saved passwords and disabling this feature. As convenient as it may seem, at minimum you should NEVER save passwords for any sensitive accounts like online banking, email, etc, and if you can stand the inconvenience, don’t let your browser save passwords at all, in any browser on any platform.