Something interesting happened last week.

Elliot Kember posted on his blog about a discovery that he made while working on a project. He had gone into the Google Chrome settings and saw an area for saved passwords. He was alarmed to find that Google does not just keep track of passwords for the sites you collect. They actually keep them completely viewable, in full, along with your username and the associated URL.

Passwords On Display

For those who have never looked in their browser settings, here is how it works. Go into the Settings tab by pressing the menu button in the right hand corner of your screen. It will look like three lines on top of one another. This will bring down a menu.

Scrolling down to the bottom you should see Show Advanced Settings. There will be a section titled Passwords and Forms, with two little check boxes. One is to enable autofill, and below that is allowing Chrome to ask you if you want to save your passwords. There is also a button for managing saved passwords, and this is where things get crazy.

When you click on that you will be given a separate box with every website you have authorized your password to be saved. All of these will show dots rather than letters…so far so good. Until you hover over each box and hit Show. This gives the actual password, right next to your username and the URL.

What’s The Problem?

On one hand this is pretty helpful for retrieving forgotten passwords without the email recovery function on most sites. On the other, it is a pretty big security flaw. There is no master password or fail safe that attempts to verify your identity. All someone needs is the access to your computer, and they can quickly sign into anything they like, as long as you have stored the password at some point in time.

What did Google have to say about this? Nothing officially, but the head developer on the Chrome project popped into Y Combinator and left a comment about it. According to Justin Schuh, they did this for our own good.

“We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior,” he said.

This was such an obvious case of passing the buck that it was painful to read. You can read the rest of his comment here, where he talks about how someone malicious could get into your account and pick up details anyway, and that a master password (or any security) wouldn’t help someone who really wanted your data.

You hear that, guys? Might as well leave your doors unlocked tonight, because if someone really wants to get in they will find a way. No point in offering security if a pesky criminal could wriggle their way past the defenses.

Bottom line? Don’t use Chrome for anything password protected, and never agree to have a password saved. The minor inconvenience of typing it in is worth it for your safety.



Acer Chromebook 11.6
Acer Chromebook 11.6" Laptop 2.16GHz 2GB 16GB Chrome (CB3-111-C670)
$132.49


Acer 15.6
Acer 15.6" Chromebook 2.5GHz 4GB 32GB HDD Chrome (CB515-1HT-P39B)
$223.29


[2 Pack] Keyboard Cover Skin for 2018/2017 Newest Acer Premium R11 Chrome... New picture
[2 Pack] Keyboard Cover Skin for 2018/2017 Newest Acer Premium R11 Chrome... New
$12.99


HP 11-v020wm 11.6
HP 11-v020wm 11.6" Chromebook Touchscreen Chrome Intel Celeron N3060 Processor
$34.89


Samsung Chromebook XE303C12-A01US  Dual-Core 1.7GHz 2GB 16GB 11.6
Samsung Chromebook XE303C12-A01US Dual-Core 1.7GHz 2GB 16GB 11.6" LED Chrome OS
$46.0


Grand General 67811 Plastic Chrome Passenger Side Overhead Storage Pocket for picture
Grand General 67811 Plastic Chrome Passenger Side Overhead Storage Pocket for
$38.51


Penna Bluetooth Keyboard White Chrome Keycap(US Language) (Switch-Cherry ... New picture
Penna Bluetooth Keyboard White Chrome Keycap(US Language) (Switch-Cherry ... New
$253.99


Thermaltake Pacific Chrome 4 Build-in O-Rings C-ProG1/4 PETG 16mm OD Comp... New picture
Thermaltake Pacific Chrome 4 Build-in O-Rings C-ProG1/4 PETG 16mm OD Comp... New
$15.99