Something interesting happened last week.

Elliot Kember posted on his blog about a discovery that he made while working on a project. He had gone into the Google Chrome settings and saw an area for saved passwords. He was alarmed to find that Google does not just keep track of passwords for the sites you collect. They actually keep them completely viewable, in full, along with your username and the associated URL.

Passwords On Display

For those who have never looked in their browser settings, here is how it works. Go into the Settings tab by pressing the menu button in the right hand corner of your screen. It will look like three lines on top of one another. This will bring down a menu.

Scrolling down to the bottom you should see Show Advanced Settings. There will be a section titled Passwords and Forms, with two little check boxes. One is to enable autofill, and below that is allowing Chrome to ask you if you want to save your passwords. There is also a button for managing saved passwords, and this is where things get crazy.

When you click on that you will be given a separate box with every website you have authorized your password to be saved. All of these will show dots rather than letters…so far so good. Until you hover over each box and hit Show. This gives the actual password, right next to your username and the URL.

What’s The Problem?

On one hand this is pretty helpful for retrieving forgotten passwords without the email recovery function on most sites. On the other, it is a pretty big security flaw. There is no master password or fail safe that attempts to verify your identity. All someone needs is the access to your computer, and they can quickly sign into anything they like, as long as you have stored the password at some point in time.

What did Google have to say about this? Nothing officially, but the head developer on the Chrome project popped into Y Combinator and left a comment about it. According to Justin Schuh, they did this for our own good.

“We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior,” he said.

This was such an obvious case of passing the buck that it was painful to read. You can read the rest of his comment here, where he talks about how someone malicious could get into your account and pick up details anyway, and that a master password (or any security) wouldn’t help someone who really wanted your data.

You hear that, guys? Might as well leave your doors unlocked tonight, because if someone really wants to get in they will find a way. No point in offering security if a pesky criminal could wriggle their way past the defenses.

Bottom line? Don’t use Chrome for anything password protected, and never agree to have a password saved. The minor inconvenience of typing it in is worth it for your safety.


Acer Chromebook C738T 11.6

Acer Chromebook C738T 11.6" Celeron 1.4GHz 4GB RAM FULL TOUCHSCREEN

$41.95



Acer Spin 513 - 13.3

Acer Spin 513 - 13.3" Touchscreen Chromebook Qualcomm 7c 2.1GHz 4GB 64GB Chrome

$179.99



Acer C738T Chromebook 2-in-1 Touch 360 Hinge 11.6

Acer C738T Chromebook 2-in-1 Touch 360 Hinge 11.6" Intel 1.6GHz 4GB 16GB SSD

$59.99



ASUS C523NA-IH44F 15.6

ASUS C523NA-IH44F 15.6" FHD Intel Celeron N3350 1.1GHz 4GB 64GB Chrome OS

$128.99



Acer Chromebook 315 15.6

Acer Chromebook 315 15.6" Touchscreen 4GB Ram 64GB eMMC Intel Celeron N4020 1.1G

$119.00



Lenovo ThinkPad 11e Chromebook 11.6

Lenovo ThinkPad 11e Chromebook 11.6" Laptop | 16GB SSD | Chrome OS

$33.96



HP 11 G4 EE CHROMEBOOK HDMI 11.6

HP 11 G4 EE CHROMEBOOK HDMI 11.6" INTEL 2.16G 4GB 16GB SSD CHROME OS WiFi WEBCAM

$47.95



Acer C731T - 11.6

Acer C731T - 11.6" Touchscreen Chromebook - Intel @ 1.60Ghz 4GB RAM 16GB SSD

$44.99



Lenovo Chromebook 11.6

Lenovo Chromebook 11.6" Google School Laptop Intel 4GB 16GB SSD WiFi Webcam HDMI

$49.99



HP 11 G4 CHROMEBOOK HDMI 11.6

HP 11 G4 CHROMEBOOK HDMI 11.6" INTEL 2.16G 4GB 16GB SSD CHROME OS WiFi WEBCAM SD

$47.95