Wednesday, August 7, 2013

Google Chrome Security Flaw Link Bait


Software developer Elliott Kember wrote a post entitled "Chrome's insane password security". He takes issue with the fact that once you have authenticated (logged into the OS account that runs Chrome), you can view your saved passwords in Chrome's settings without entering another password.

His post seems sincere, which I'd find a little scary if I were his employer, given his profession. Yes, when you authenticate to Chrome you can see your saved passwords.

When you authenticate to Firefox you can see your saved passwords. When you authenticate to OS X, you can see your saved passwords. When you authenticate to Windows, you can see your saved passwords. Thankfully you can see them as text; otherwise "seeing" them would not be very useful. (I love that part: "it has your passwords as plain text". The horror! What's the other option?)

In his example scenario Mr. Kember even posits that the computer has fallen into someone else's hands. In that scenario the "bad guy" would not only have your Chrome passwords, he would also have every password saved by your other browsers, plus any Wi-Fi or network credentials stored on the device.

The proposed fix is to add yet another password, even though we have already authenticated. That is roughly how Safari works (Keychain Access asks for the login keychain password, which is your OS password) and it is an optional master password in Firefox. The Chrome team's point is that, against the stated threat, this is kind of silly: if I have your physical machine, I'm going to take over admin rights on the OS, and then I have everything. The same property is why a technician can recover a computer whose admin credentials nobody remembers any more: boot from other media, reset the password, done. The one thing a real master password buys you is protection for a copy of the profile taken while the store is locked, because the password is used to encrypt the saved credentials rather than merely to gate the settings page; on a machine the attacker controls, a keylogger collects it the next time you type it.
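To make the difference concrete, here is an added example (mine, not code from the post, Chrome or Firefox, and not either browser's real on-disk format) that models three designs for a saved-password store and what an attacker who can read the profile directory recovers from each. The sample credentials are constructed. The cipher is a toy HMAC-SHA256 counter-mode keystream with a separate HMAC tag, chosen only so the example runs with the standard library; real code should use AES-GCM from a vetted library.

```python
"""
Three designs for a browser's saved-password store, seen from the point of
view of an attacker who has the file but not the user's password.
Toy construction for illustration only; not Chrome's or Firefox's format.
"""
import hashlib
import hmac
import json
import os

# Constructed sample credentials (not real accounts).
SAMPLE_CREDS = {"https://mail.example.test": ["alice", "hunter2"]}


# Design 1: plaintext store, no extra prompt. The OS login is the only gate,
# which is what the post describes for Chrome.
def store_plain(creds):
    return json.dumps(creds).encode()


# Design 2: the same plaintext store behind a UI password check. The "extra
# password" is only compared by the settings page; the bytes on disk are
# identical to design 1.
def store_ui_gated(creds, extra_password):
    return {"check": hashlib.sha256(extra_password.encode()).hexdigest(),
            "data": store_plain(creds)}


def ui_unlock(store, extra_password):
    if hashlib.sha256(extra_password.encode()).hexdigest() != store["check"]:
        raise PermissionError("wrong password")
    return json.loads(store["data"])


# Design 3: the master password is key material (Firefox-style). The file
# holds only ciphertext; the key exists only while the user has typed it.
def _keys(master_password, salt):
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             200_000, dklen=64)
    return km[:32], km[32:]  # encryption key, MAC key


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, used as a PRF keystream (toy cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def store_encrypted(creds, master_password):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(master_password, salt)
    pt = store_plain(creds)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_store(store, master_password):
    enc_key, mac_key = _keys(master_password, store["salt"])
    expected = hmac.new(mac_key, store["salt"] + store["nonce"] + store["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, store["tag"]):
        raise PermissionError("wrong password or tampered store")
    ks = _keystream(enc_key, store["nonce"], len(store["ct"]))
    return json.loads(bytes(a ^ b for a, b in zip(store["ct"], ks)))


# The attacker from the post: has the file, does not have any password.
def attacker_reads(store):
    """Return whatever credentials are recoverable from the bytes alone."""
    if isinstance(store, bytes):        # design 1: just parse it
        return json.loads(store)
    if "data" in store:                 # design 2: skip the UI check entirely
        return json.loads(store["data"])
    return None                         # design 3: ciphertext only


if __name__ == "__main__":
    s3 = store_encrypted(SAMPLE_CREDS, "master-password")
    print("plain    :", attacker_reads(store_plain(SAMPLE_CREDS)))
    print("ui-gated :", attacker_reads(store_ui_gated(SAMPLE_CREDS, "extra")))
    print("encrypted:", attacker_reads(s3))
    print("owner    :", decrypt_store(s3, "master-password"))
```

Designs 1 and 2 are equivalent to an attacker who reads the file; the prompt in design 2 is theatre. Design 3 protects a copied profile until the password leaks, which on a fully compromised machine happens the next time the owner types it, so it narrows the threat rather than eliminating it.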


Bottom line: if you don't want your saved passwords to be available to whoever controls the OS session (normally you), don't save them; remember them.

And if you don't have a photographic memory, at least understand the threat: if I have your physical machine, I don't need any of your passwords to get into it. If I have your car, it doesn't matter how good the lock on the glove box is; I have access.

It's amazing how much attention the original post has gotten; how it got on Techmeme is a mystery to me. I wouldn't be surprised if the Chrome team responded with "OK, now you have another password if you want", which would do absolutely nothing to help people understand how to protect themselves and their passwords more effectively. The biggest threat to our online security is ourselves.

