Thursday, June 9, 2011 - 00:35

Google Chrome and password security

While looking for information if anything has changed recently on the master password front I found a somewhat dated but still valid statement from Google. And I think it's fundamentally flawed.

We understand that many of you want a master password for your saved passwords in Google Chrome.  You’ve laid out many scenarios in which this might be useful, but the most common is that if your computer were to fall into the wrong hands, that person would then have access to your saved passwords.

This is pretty much the idea of a secured ( password ) vault. Data is at least hard to get to in case of catastrophic failure aka. loss.

While we agree that this situation would be terrible, we believe that a master password would not sufficiently protect you from danger. Someone with physical access to your computer could install a key logger to steal your passwords or go to the sites where your passwords are stored and get them from the automatically filled-in password fields. A master password required to show saved passwords would not prevent these outcomes.

It is true that there are various ways to get to my passwords. A key logger being one of them. But that has not much to do with other ways to gain access. The big difference between having and having no master password in this case is that if the computer is otherwise perfectly fine ( just lost ) someone who gains access will not be able to retrieve any passwords whereas without a master password he'd just have to open Chrome. This is particularly annoying as some OS do not ultimately protect logged out accounts. It's pretty much a breeze to reset passwords on OS X. It's not really rocket science on a standard Linux installation. Gaining access to logged out accounts ( as long as you don't mind making it obvious ) is surprisingly easy compared to cracking encrypted data. It's by far easier to gain access to a windows account ( virtually any other OS in standard installation as well ) than to crack Firefox's password vault.

Currently, the best method for protecting your saved passwords is to lock your computer whenever you step away from it, even for a short period of time.  We encrypt your saved passwords on your hard disk. To access these passwords, someone would either need to log in as you or circumvent the encryption.

Correct. And logging in as you isn't a particular challenge if the attacker doesn't have to cover the tracks. If it's just about getting access it's surprisingly - not to say annoyingly - easy if the OS isn't hardened. A standard OS X, Windows and even Linux can be "resetted" without too much trouble. It's kicking in the front door. But if that's not a problem it's really not a big deal. What this guy basically says is you don't need a vault. Just lock your front door. What if my front door isn't particularly fancy ? There's really not much Joe Average can do about this. Having a vault might ultimately fail as well. But it's quite a bit of additional spoke in their wheels.

We know this is a long-standing issue, and we see where you're coming from. Please know that your security is our highest priority, and our decision not to implement the master password feature is based on our belief that it creates a false sense of security instead of actually providing a strong security benefit.

For the average user it does create an additional level of security. For some it would actually create the only level of real security. The only credible attack against a master password would be a key logger or a captured open session. Both of course would be fatal and a key logger isn't the most unlikely scenario. A key logger however is an invalid scenario for this discussion since it works equally well with or without master password. The question is does the password add a level of security that is relevant. It does as it denies access in case of unauthorized system access when the vault is not opened. This includes stolen devices and stolen or computed user credentials. The two most common attacks when it comes to hands-on access. In both cases the attacker would not automatically gain access to potentially relevant accounts. Without a master password all he'd have to do is open up Chrome.

I ultimately fail to see where this would create a false sense of security.