Software developer Elliott Kember is upset with Google Chrome.
Why? because of what he describes as its “insane password security strategy”.
You see, unlike rivals like Firefox, when you tell your Chrome browser to remember a password it doesn’t give you the option to protect the information with a strong master password.
In fact, Chrome doesn’t let you protect your passwords with a master password at all.
So, anyone who has access to your desktop (perhaps you have walked off to make a cup of tea) could simply visit the URL
and find your passwords are just the click of a “Show” button away.
Of course, if you do leave your computer unattended you should always lock it to prevent this sort of problem. But human nature being what it is, it’s hard to see how Google can justify not putting an extra level of protection in place when other browsers have adopted similar techniques.
Kember stumbled across the problem after temporarily switching from Apple’s Safari browser to Chrome, and being surprised to find that he was unable to disable Chrome’s desire to import passwords stored in his usual browser of choice.
It does seem very odd that Google Chrome greys-out the option to import passwords, meaning that the user has no choice about the information being shared with another application – particularly one that isn’t offering the most rudimentary level of protection.
Researchers have shown that asking any of the leading browsers to remember your passwords is not necessarily a safe idea, but Google Chrome’s handling of the situation seems particularly lax.
And Kember is in good company, judging by this tweet by internet legend Tim Berners-Lee:
How to get all you big sister's passwords http://t.co/CpytKWH9aT and a disappointing reply from Chrome team.
— Tim Berners-Lee (@timberners_lee) August 6, 2013
My advice is not to tell any browser (and especially not Chrome) your password. Instead use password management software like Bitwarden, 1Password, and KeePass to remember your passwords securely, as well as help you generate complex, random passwords for the various accounts you have on the web.
Furthermore, get in the habit of always locking your computer when you step away from the keyboard.
And if you are going to let a friend or colleague borrow your computer for a few minutes, make sure to log into a “guest” account so they can’t access any of your personal files or settings.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.