Preventing plaintext password problems in Google Chrome

Plaintext passwords are risky business. Michael Cobb discusses what Google says about the Chrome password vulnerability and potential exploits.

There's been a big kerfuffle over the way Google's Chrome browser handles passwords, specifically that passwords can be viewed in plain text with little effort. Can you explain how this is possible and how enterprises should react? Are there viable attack techniques that take advantage of this configuration remotely?

Ask the expert

SearchSecurity expert Michael Cobb answers readers' questions about application security and platform security.

To get to the password section of Google Chrome's settings panel, type chrome://settings/passwords into the address bar. Here you will notice that any saved passwords are visible in plaintext, meaning anyone with physical access to the device can easily view the user's saved passwords to online accounts as long as the owner is logged into the operating system account. Google's response to this perceived security weakness is that in this situation anyone could easily take control of the machine by installing monitoring software or malicious extensions to intercept browsing activity.

Google offers a valid argument, and although best practice is to log out of the operating system when leaving a computer unattended, it isn't always practical, particularly in out-of-office situations. Because Chrome doesn't require a master password to view the saved passwords, lending someone your computer for just a few minutes -- be it to check their email or the latest basketball score -- would let them snoop on your email, social media and other online accounts. They don't have to be experienced hackers, know how to install malware or even have a high level of technical proficiency to access all of the owner's Web-based accounts.

Google says the only strong permission boundary for password storage is the OS account and that additional controls give a false sense of security. This may be true, but it's important to always frustrate both simple attacks and the technically difficult ones by reducing the attack surface area wherever possible. This is one reason why Apple Safari and Mozilla Firefox prompt for a master password before revealing any stored passwords.

Although incredibly convenient, storing important passwords in a browser is not advisable, as the password management built into browser products is generally not very secure. Researchers have found that although browsers encrypt stored passwords, they don't always prevent them from being extracted. Even browsers that require a master password to view stored passwords can be made to reveal them with the Web inspector tool that developers commonly use to check the code behind webpages.

In enterprises, avoiding this issue (and other issues arising from unauthorized physical access) is best done with a clean desk policy, which should include logging out of computers left unattended. If somebody needs to borrow a computer, they should be told to use the guest account, which has limited user rights and no access to the other person's confidential data. Never let browsers save passwords; instead, use a third-party password management tool such as RoboForm, LastPass or 1Password. All of these products save credentials in encrypted stores and require a master password to access plaintext passwords. Furthermore, pairing a password manager application with a product like YubiKey will add multifactor authentication and other features to control where and how passwords can be accessed.
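Telling users never to let the browser save passwords is a policy statement; on managed machines it can also be enforced. The following is an added example, not code from the article or from Google. It assumes the Linux layout in which Google Chrome reads mandatory policies from JSON files under /etc/opt/chrome/policies/managed/ and uses the real Chrome policy name PasswordManagerEnabled, which stops the browser from offering to save passwords when set to false (on Windows the same policy is a DWORD under HKLM\SOFTWARE\Policies\Google\Chrome). The script writes that policy and audits a policy directory for it, treating a missing setting, a malformed file, a non-boolean value or a second file that re-enables the manager as non-compliant rather than guessing which file Chrome would honour. The function names and the demo directory are this example's own.

```python
"""Enforce and audit the Chrome PasswordManagerEnabled=false policy.

Added example. Assumes Chrome's Linux managed-policy directory; the policy
name is real, the helper names below are this example's own.
"""
import json
import os
import tempfile
from pathlib import Path

POLICY_NAME = "PasswordManagerEnabled"
# Directory Google Chrome on Linux scans for mandatory (managed) policy files.
DEFAULT_MANAGED_DIR = Path("/etc/opt/chrome/policies/managed")


def write_policy(managed_dir, filename="99-no-browser-passwords.json"):
    """Drop a mandatory policy file that turns Chrome's password manager off."""
    managed_dir = Path(managed_dir)
    managed_dir.mkdir(parents=True, exist_ok=True)
    path = managed_dir / filename
    path.write_text(json.dumps({POLICY_NAME: False}, indent=2) + "\n")
    os.chmod(path, 0o644)  # readable by the browser, writable only by the owner (root)
    return path


def audit_policies(managed_dir):
    """Check every *.json file in managed_dir for PasswordManagerEnabled.

    Returns {"compliant": bool, "reason": str, "settings": {filename: value}}.
    Compliant only when at least one file sets the policy and every file that
    mentions it sets it to the JSON boolean false.
    """
    managed_dir = Path(managed_dir)
    settings, problems = {}, []
    if not managed_dir.is_dir():
        return {"compliant": False, "reason": "managed policy directory missing", "settings": settings}
    for path in sorted(managed_dir.glob("*.json")):
        try:
            data = json.loads(path.read_text())
        except (OSError, ValueError) as exc:
            problems.append(f"{path.name}: unreadable or malformed ({exc})")
            continue
        if not isinstance(data, dict):
            problems.append(f"{path.name}: top level is not a JSON object")
            continue
        if POLICY_NAME in data:
            settings[path.name] = data[POLICY_NAME]
    if problems:
        return {"compliant": False, "reason": "; ".join(problems), "settings": settings}
    if not settings:
        return {"compliant": False, "reason": f"{POLICY_NAME} not set by any managed policy file", "settings": settings}
    values = list(settings.values())
    if any(not isinstance(v, bool) for v in values):
        return {"compliant": False, "reason": f"{POLICY_NAME} must be a JSON boolean", "settings": settings}
    if all(v is False for v in values):
        return {"compliant": True, "reason": "browser password saving disabled", "settings": settings}
    if any(v is False for v in values):
        return {"compliant": False, "reason": f"conflict: {POLICY_NAME} set to both true and false", "settings": settings}
    return {"compliant": False, "reason": f"{POLICY_NAME} explicitly enabled", "settings": settings}


def run_demo():
    """Exercise the audit on a constructed temporary directory (no system changes)."""
    tmp = Path(tempfile.mkdtemp(prefix="chrome-policy-audit-"))
    before = audit_policies(tmp)              # nothing set yet -> non-compliant
    write_policy(tmp)
    after = audit_policies(tmp)               # policy false -> compliant
    # A stray second file re-enabling the manager must surface as a conflict.
    (tmp / "zz-legacy.json").write_text(json.dumps({POLICY_NAME: True}))
    conflict = audit_policies(tmp)
    return before, after, conflict


if __name__ == "__main__":
    for label, result in zip(("before", "after", "conflict"), run_demo()):
        print(f"{label:8s} compliant={result['compliant']}  {result['reason']}")
```

Run the audit against DEFAULT_MANAGED_DIR from a configuration-management or endpoint-compliance job; on a fleet this is the check that tells you where the "never let browsers save passwords" rule is actually in force rather than merely written down.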
