Something interesting happened last week.

Elliot Kember posted on his blog about a discovery that he made while working on a project. He had gone into the Google Chrome settings and saw an area for saved passwords. He was alarmed to find that Google does not just keep track of passwords for the sites you collect. They actually keep them completely viewable, in full, along with your username and the associated URL.

Passwords On Display

For those who have never looked in their browser settings, here is how it works. Go into the Settings tab by pressing the menu button in the right hand corner of your screen. It will look like three lines on top of one another. This will bring down a menu.

Scrolling down to the bottom you should see Show Advanced Settings. There will be a section titled Passwords and Forms, with two little check boxes. One is to enable autofill, and below that is allowing Chrome to ask you if you want to save your passwords. There is also a button for managing saved passwords, and this is where things get crazy.

When you click on that you will be given a separate box with every website you have authorized your password to be saved. All of these will show dots rather than letters…so far so good. Until you hover over each box and hit Show. This gives the actual password, right next to your username and the URL.

What’s The Problem?

On one hand this is pretty helpful for retrieving forgotten passwords without the email recovery function on most sites. On the other, it is a pretty big security flaw. There is no master password or fail safe that attempts to verify your identity. All someone needs is the access to your computer, and they can quickly sign into anything they like, as long as you have stored the password at some point in time.

What did Google have to say about this? Nothing officially, but the head developer on the Chrome project popped into Y Combinator and left a comment about it. According to Justin Schuh, they did this for our own good.

“We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior,” he said.

This was such an obvious case of passing the buck that it was painful to read. You can read the rest of his comment here, where he talks about how someone malicious could get into your account and pick up details anyway, and that a master password (or any security) wouldn’t help someone who really wanted your data.

You hear that, guys? Might as well leave your doors unlocked tonight, because if someone really wants to get in they will find a way. No point in offering security if a pesky criminal could wriggle their way past the defenses.

Bottom line? Don’t use Chrome for anything password protected, and never agree to have a password saved. The minor inconvenience of typing it in is worth it for your safety.