Software developer Elliott Kember has ignited a controversy over the way Google Chrome allows users to see saved passwords in plain text. In a post on his website he describes the process users can follow to reveal all of the passwords Chrome has saved that allow for entry to various websites.
All web browsers offer users the option of saving login information so that they won’t have to remember them themselves or go through the ritual of having to type them in. What many may not realize, however, is that most browsers, including Chrome, offer a way to view those passwords. At issue is whether Chrome should ask for a master-password before revealing those passwords. Kember says it should, while Google’s security head Justin Schuh says no, it isn’t necessary.
Schuh argues that once someone with nefarious purpose gains physical access to someone else’s computer, the game is up. That person can visit sites found on a favorites list, check the history log, or basically, use the computer to visit any site the owner of the computer visits themselves. They won’t need the passwords to gain entry, of course, because Chrome will provide them. Thus, Schuh says, there is little point in providing a false sense of security to users—if someone gains access to their computer, they’re going to get into those sites (and possibly use sneaky techniques to capture login information as they go) whether they go find the clear text passwords or not. For that reason, he says, in a response posted on Web site Hacker News, implementing a master password would only give users a feeling that they have protected their login information, when clearly, they have not.
Read more at: Phys.org