Anyone with access to a computer running the web browser can potentially also access, read and copy any stored passwords within it, be they for email, social media or online retailers.
Just like Safari, Internet Explorer and Firefox, Google’s Chrome web browser can store and save passwords for frequently visited websites.
However, unlike its counterparts, the saved list of web logins can be viewed as plain text. Just click on the browser’s settings icon, choose “show advanced settings” from the menu, followed by “managed saved passwords.” The user’s list of passwords will appear, shown as dots. So far, so good. However next to each password is a button which, when clicked shows it as plain text, meaning that anyone with access to the computer can copy and paste them or take a quick screenshot and email it for later use.
This gaping security hole was discovered by developer Elliott Kember, who was so shocked he immediately took to his blog to draw users’ and Google’s attention to it. “In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market — the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay,” he wrote.
Since the initial post, he has been stuck in a back and forward argument with the head of Google’s Chrome developer team, Justin Schuh, via the Hacker News community board which makes for entertaining reading.
So, if you’ve been saving web passwords in Chrome, what is the best action to take?
Firstly, if the computer is communal, or if it’s an office PC, make sure that password-protected login and logout are enabled so that when you’re not using it, it’s locked down so that no one else can either.
Secondly, if a site or service you use on a regular basis offers two-factor authentication, enable it. Once activated, as well as entering the password, a second pin code, usually sent to a mobile or smartphone, is also needed for validation. Therefore, if someone has copied down all of your passwords, unless they also steal your phone, they won’t be able to access your accounts.
Finally, don’t save passwords in browsers, not just Chrome, but any of its competitors for that matter. Consider investing in a free or paid for password management or locker tool, such as last Pass or 1Password. They create totally random, fiendishly difficult to crack and impossible to remember unique logins for all websites but will store them all together in one very secure place behind one master password. When you need to fill in a password, as long as the management tool is open it will automatically populate the field. It not only means that a potentially infinite number of secure logins can be created and stored, you only have to create and remember one password, the one that gives you access to the password management application. For Apple users, the next version of the Mac Operating system, Mavericks, will offer a secure cloud-based password management and storage feature when it launches in September. Activate it.
