Pages

How to Protect Your Website Passwords in Chrome

Protect Your Passwords
A blog post published yesterday by software developer Elliott Kember caused quite a stir. Titled "Chrome's insane password security strategy," the post points out that anybody with access to your Windows account can view all of your Chrome-saved passwords in plain text. That's a huge security risk, and Chrome is not the only browser affected. To see the extent of the problem, launch Chrome's Settings page and click the link at the bottom that says "Show advanced settings..." Scroll down to the section titled Passwords and forms, then click the link titled Manage saved passwords.
It doesn't look so bad at first—just a list of the sites for which you've let Chrome save passwords. However, when you click on any item in the list a button labeled Show appears next to the password. Yes, clicking the button displays the password in plain text. You can see it, and anybody else who gets access to your computer can see it.

Firefox, Too
Is Firefox your preferred browser? In that case, you've got a little more security available. Select Options from the Tools menu and click the Security tab. Note the checkbox titled "Use a master password." If you've checked this and defined a strong master password, your credentials are safe from casual snooping. If not, they're even more exposed than in Chrome.
To see why, click the Saved Passwords button. Initially it just displays the websites and corresponding usernames, but with the click of a button you can show all the passwords at once.

Internet Explorer's Better
A recent study by NSS Labs revealed that Internet Explorer's default settings protect your privacy better than Firefox, Safari, or Chrome. In fact, Chrome came in last for privacy protection.
IE also handles saved passwords better. The encrypted passwords reside in the Registry, and there's no mechanism to display them in IE. However, there are plenty of free third-party utilities that will dump this password cache and make all the passwords visible.

Google Responds
In a response to the original post, Chrome browser security tech lead Justin Schuh defended Chrome's password-handling behavior. Schuh contends that once a malefactor gets into your Windows user account, it's already Game Over, so adding a master password or otherwise protecting the saved passwords is pointless.
The comment thread is entertaining; it's a virtual fistfight right on the page. I have to agree with those who point out that theft of your system by a hacker is just one possible scenario. Do you lock down your user account when you briefly leave a roomful of friends? They could grab a password to prank you, or a jealous ex could do some real harm.
Twitter is abuzz with comment. One wag tweeted, "@justinschuh if you think that's a response then Chrome is in trouble. It's worse than Steve Jobs 'Don't hold it that way' response." On a more serious note, Tim Berners-Lee himself weighed in, saying, "How to get all you big sister's passwords http://blog.elliottkember.com/chromes-insane-password-security-strategy... and a disappointing reply from Chrome team."

Protect Your Passwords!
Whichever browser you use, this simple four-step plan will protect your passwords from snooping.
  • Install a password manager
  • Import passwords saved by your browser
  • Delete all browser-saved passwords
  • Turn off password-saving in the browser
The mere fact that third-party password managers can import passwords from your browser should be a red flag. If they can do it, a malicious application that got past your antivirus could do it too.
LastPass 2.0 (free) and Dashlane 2.0 (inexpensive) do a great job with browser-saved passwords. Not only can they import from Chrome, Firefox, and Internet Explorer, they'll also delete those passwords from the browser and turn off the password-saving feature. Not surprisingly, both are Editor's Choice products in this category. Note that LastPass extends this feature to Opera and Safari as well.
In Chrome, Firefox, and IE, manual deletion of saved passwords starts with pressing Shift+Ctrl+Del. The dialog that appears lets you delete a variety of browsing history components. Use it to specifically delete passwords. Firefox and Chrome ask what time period to clear. In Firefox, choose "Everything"; in Chrome, select "from the beginning of time."
That just leaves turning off the password-saving feature. In Chrome, launch Settings, click the link for advanced settings, and un-check "Offer to save passwords...". In Firefox, click the Security tab in the Options dialog and un-check the box "Remember passwords for sites." For IE, you have to dig a little deeper. In the Internet Options dialog, click the Content tab and then click the Settings button in the AutoComplete panel. Un-check the "User names and passwords..." box to turn off this feature.

Improve Your Passwords
Now that you've gotten your passwords out of insecure, browser-based storage, take a little time to upgrade them. Both LastPass and Dashlane will provide you with a security report listing the weakest passwords and also identifying those you've used on multiple websites (a security risk). Take a little time each day to replace the worst passwords with strong ones—since you've got a password manager you can have it generate crazy-strong passwords like 5GZk8cpC*XYs (freshly generated by LastPass).