Lay off Chrome – Firefox has the same password security ‘flaw’

Google’s Chrome browser has come under fire this week after software developer Elliott Kember revealed on his Svbtle blog that Chrome makes it possible for anyone with access to your computer to see all your saved passwords. Inevitably, the press (including Digital Trends) picked up the story, and began sounding the alarm bells.

As Kember explains, typing “chrome://settings/passwords” into the browser (or clicking Chrome>Preferences>Show advanced settings>Manage saved passwords) will bring up a box that contains your usernames and hidden passwords for each of your saved sites. Click on a password, and a box appears that allows you to show the actual password right there, in plain sight.

The problem people have with this system is that, if someone you don’t trust (like a thief or crappy roommate) gains physical access to your computer, they can easily get your login credentials for, potentially, every website, email account, and social network you use.

In response to Kember’s complaints, Justin Schuh, who works on Google Chrome Security, claimed in a thread on YCombinator’s Hacker News that he and his team have “literally spent years evaluating” the safest way to store passwords in Chrome, and that “quite a bit of data” supports the theory that storing passwords differently would “make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior.”

My reaction: How is this news? Why are we upset? And, if there is reason to be upset, why aren’t we blasting Firefox out of the sky for doing exactly the same thing? That’s right, Firefox does it, too. 

How is this Chrome ‘flaw’ news?

Let me preface this by saying, like Kember, I am not anything close to an expert on browser security. But I do know one thing: the system Chrome v28 has in place for viewing saved passwords is an improvement over what it was. In earlier versions, Chrome had only one “show passwords” button, and it revealed all the passwords at once. Now, you can select each password individually. Does the “problem” of someone gaining access to your computer and stealing your digital life still exist in both instances? Yes – but it’s certainly no worse now than it has been for a long time; I would say it’s a slight improvement, from a user perspective at least.

Why are we upset?

I’m going to go out on a limb here and assume that Schuh knows what he’s talking about when it comes to browser security. He works at Google, after all, and most of us do not. In other words, the way Chrome (and Firefox) store passwords by default probably is the best way to stop the most likely kind of attacks – those that come over the Web.

Yes, it may be possible for someone to snag your passwords if they have direct physical access to your computer. But, as Schuh explains, if that has happened “the game was lost.”

Plus, if you are particularly concerned about this feature, remember that nobody is forcing you to save your passwords in your browser. In fact, most prudent cybersecurity folks will tell you that using a password manager is a far better way to keep yourself safe than going with Chrome’s offerings.

Firefox does it, too

Seriously, the default password saving feature in Firefox is virtually identical to Chrome’s – save for the fact that clicking “show passwords” shows all the passwords. Here’s a quick video I shot of what I’m talking about:

Now, this is just for the default settings for saving passwords in Firefox. The browser actually has a fairly good quality password manager built in. Under Firefox>Preferences>Security, click the box that says “Use a master password.” You’ll then be prompted to create a relatively high quality master password, meaning you can’t create it unless you use all the tricks: symbols, capital letters, numbers, and a good length. Only after you meet all those criteria will Firefox let you create the master password, which will then be required to see all your saved passwords. You will also have to input your master password on any site for which you’ve saved your login credentials – all of which adds an extra level of security in case someone bad really does snag your laptop.

Deep breath, everyone

Okay, so this feature does make Firefox more secure than Chrome, but that compliment only applies if you’ve enabled the master password feature in Firefox, which absolutely nobody tells you to do.

Furthermore, the downside to Chrome is also one of the things that makes it such a useful browser; because you can log into Chrome from any computer that has it, a hacker would really only need to crack your Google account password to then have access to your login credentials – and he or she wouldn’t need physical access to your computer to exploit that loophole. (Why is this not the thing we’re all pissed off about?) Good news is, you can turn on two-step authentication on your Google account, which will make that security gap far tighter.

So there you have it, folks, storing your passwords in your browser is probably a dumb idea, especially if you go with the default settings and have a crappy password “protecting” your Google account. Moving along …

Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…