Chrome-saved passwords in plain text not a flaw, according to Google

August 7, 2013 – 6:34 PM

Go into the password section in Google Chrome’s settings panel and you can see that the popular web browser displays saved passwords in plain text. Many consider this a flaw – but not Google.

Software developer Elliott Kember may not be the first one to realize this, but he learned about it only recently and decided to write about it in a blog post that is gaining some attention.

More often than not, Kember is found using Safari on his Apple computer – a web browser he said does not reveal passwords in plain text – but he occasionally gives Chrome a whirl and decided he would try to import his bookmarks from Safari for consistency.

It struck him as odd that he was not able to uncheck a “Saved passwords” option on the import setting menu that popped up, which quickly led him to discover that all saved passwords can be displayed in plain text in the Chrome settings panel.

“There’s no master password, no security, not even a prompt that ‘these passwords are visible,’” Kember wrote in his post.

The response in the media and on internet forums has been negative, but Google maintains this is not a flaw. Passwords are encrypted on Google servers, but Justin Schuh, Chrome browser security lead, responded to Kember in a post of his own by likening boundaries on a user's computer to “theater.”

Schuh said any attacker who gains access to an account can dump all session cookies, grab history, install monitoring software or install malicious extensions to intercept browsing activity. His point is that “once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.”

