The problem is this. Unlike rival browsers such as Firefox, if you ask the Chrome web browser to remember a password for you, it doesn’t give you the option to protect that sensitive information with a master password.
That means that if anyone accesses your computer (maybe while you are on the loo, or on a trip to the water cooler) visited the URL
they would be able to see all of your passwords.
Very handy if you want to snoop on your big sister, or partner.
Google has attempted in the past to argue that having a master password that has to be entered to access the list of passwords isn’t really a security feature at all, as the attacker already has access to your computer.
That’s an interesting argument, which might be technically accurate from Google’s lofty ivory tower – but it’s not very meaningful or useful in the real world.
Fortunately, Google appears to now have realised the error of its ways – and is considering a U-turn.
The latest build of Chromium, the browser project from which Chrome is derived, includes a new experimental flag in its Mac version – which, if enabled, prompts users to reauthenticate themselves by entering their Mac OS X password.
The new facility was highlighted by François Beaufort, a “happiness engineer” at Google France.
Hopefully this feature will, in due course, roll out into all shipping versions of the Chrome browser – and help prevent passwords from being snooped upon.
By the way, I’m not a big fan of internet users using browsers to remember their passwords as there have been plenty of issues discovered with that in the past.
But, seeing as Chrome and other browsers are offering such a feature, they should at least put in place simple measures to prevent someone from *casually* accessing them.
It’s an all-too-common scenario for a friend or guest in your house to ask to temporarily use your computer to check their email, etc. And – if you don’t have the foresight to have created a Guest account on your computer – you might just hand over your laptop without thinking.
Additionally, you might have fellow workers in your desktop who you sometimes give permission to use your computer, or who might have access if you walk away without having locked your desktop.
The requirement for a “master password” before viewing the passwords your browser remembers would prevent those kind of attacks.
I’m not suggesting that a browser master password makes your computer safe from hackers. But it makes it much harder for the vast majority of people who might try to snoop upon your passwords from accessing them.
Finally, remember to lock your computer when you walk away from your desk, and if you want to give someone temporary access to your computer log them into a guest account where they can’t do any harm, and can’t access your personal information.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.