Just a couple of months ago, trend-watcher “The Next Web” announced that Google Chrome had overtaken Microsoft’s Internet Explorer as the Web’s most used browser.
Unfortunately, last week it was revealed that Chrome is not very protective of stored passwords.
According to a story in the UK’s Telegraph newspaper, a security flaw in Google’s Chrome browser allows anyone with access to a user’s computer to see all of their stored passwords directly from the settings panel.
Software developer Elliott Kember discovered that simply typing “chrome://settings/passwords” into the URL/search bar brings up a list of all stored passwords. While the passwords come up obscured, clicking a line brings up a “show” button, and clicking that button reveals the password! Even more shocking, Kember found there’s no way to require a “master password” that must be entered before the individual ones can be seen. Anyone with access to your computer can bring up Chrome and see all of your passwords – and the associated usernames.
Even worse, Kember found that when migrating to Chrome (he was moving from Safari, but moving from IE or Firefox works the same way) you have to import all of the saved passwords, and they will all be available whether you want them to be or not.
In a world where we seem to spend an inordinate amount of time talking about strong authentication, flaws like this show that no matter how “strong” we think our passwords and passphrases are, they’re completely vulnerable to a flawed system.
It is obvious that you’ll need a better “password vault”, like the certificate-encrypted password safe included in Aloaha’s middleware “Cardconnector”.
The best solution is obvious: Stop using passwords to authenticate and use certificate authentication whenever possible!