
Chrome’s Stored Passwords

An oddity in Google’s Chrome allows you to reveal stored passwords saved by the popular browser.

Software developer Elliot Kember came across this while importing his Safari browser settings and thought he’d share. His blog points out how our stored passwords are readily available in Chrome.


We’ve all seen the option in our favorite browser that offers to save our passwords—fair enough. Chrome takes it a step further and gives you the ability to see those stored passwords.

In Chrome’s Password manager, chrome://settings/passwords, you are presented with any saved passwords. From there you can select the account and click the “Show” button to reveal the password.


This isn’t a huge security hole but really a privacy issue if you use Chrome. The feature hasn’t been targeted by malware authors but could leave you exposed if someone with prying eyes has access to your PC.

Google seems confident in the feature and that it is not a security issue.

“The only strong permission boundary for your password storage is the OS user account,” Justin Schuh, a Security Tech Lead for Chrome, said. “So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account.”

He has a good point: sometimes all bets are off when a bad guy gets access to your PC—although you can make the job difficult by not having passwords easily accessible. If you want to clear out any stored passwords in Chrome, you can remove them in its Advanced settings under “Passwords and Forms.” Access it by going to Chrome’s menu -> Settings.


Firefox also has this feature, which is accessible through the Firefox menu, then Options -> Options -> Security -> Saved Passwords. Firefox does prompt when accessing “Saved Passwords” but reveals them just the same. So this is not strictly a Chrome thing.


If you do like to use password store features, don’t use them on a “community” PC or leave your PC unlocked when away. We’ve covered password security in past blogs: our Josh Cannell covered the topic recently, and Neil Rubenking, a journalist for PC Mag, also covered this Chrome feature and offered some tips on using third-party password managers.

It’s interesting how long this has gone under the radar of the media and security industry. Though it’s not necessarily a security exploit, it does bring up the password issue again. Please stay secure and be aware of where and when you’re storing your passwords.


7 thoughts on “Chrome’s Stored Passwords”

  1. Roy Harvey says on August 22, 2013 at 8:35 am :

    This is no different from Firefox.

  2. Collier Smith says on August 22, 2013 at 8:55 am :

    Except in Firefox you have an option to set a Master Password, and you can reveal the saved passwords only if you enter this Master Password. I have not seen a similar feature in Chrome.

  3. bruceatcohocomputerdotcom says on August 22, 2013 at 12:41 pm :

    If you do use the master password, Firefox’s Password Manager provides good security. The local password database is encrypted. Better still, passwords, bookmarks and other browsing data can be synced automatically and securely across multiple computers and Android devices.

  4. thedonsway says on August 22, 2013 at 2:35 pm :

    For those of us with a bad memory and forget where we write things down, this is a very handy feature, and now I know how to find it, thank you.

  5. Jay Imerman says on August 22, 2013 at 4:15 pm :

    What a sensationalist post! I thought you found some real vulnerability! This was a waste of time. Like Roy Harvey says, no different from Firefox, and you have to show the password in order to have it visible. Duh, just don’t do it with anyone else looking on, or get a privacy screen cover on your laptop or other device. Can’t believe I clicked the link to read this article.

  6. Jason Von Ruden says on August 22, 2013 at 5:43 pm :

    I am disappointed in a reputable security company failing to report that all browsers have this default feature to allow viewing passwords cached just as easily.

    All major browsers: Internet Explorer, Firefox, Opera, Chrome, Safari, mobile devices, etc.

    ** Especially since this is not really a security vulnerability, once someone already has full access to a computer it is game over man… **

  7. Nunya Biznis says on November 7, 2013 at 6:36 pm :

    A long time ago I kind of figured this would happen, so I decided right then
    to NEVER store my passwords for ANY website. When you log in to a site
    it offers that little box to check, “remember me”?
    I don’t do those either….
    It’s a wise habit to get into. Maybe reconsider your position on storing them
    in ANY browser.
