Google fixing Chrome password security flaw
A new authentication process will mean that passwords saved within the Chrome browser cannot be accessed anyone with access to the computer.tech reviews Updated: Nov 08, 2013 13:13 IST
A new authentication process will mean that passwords saved within the Chrome web browser cannot be accessed, read or copied by anyone with access to the computer.
The flaw, which was first reported in August, relates to how Chrome manages web passwords. Like other browsers, Chrome offers users the ability to save login details that it will automatically fill in when it lands on the page for Facebook, or Yahoo or Gmail, for instance.
However, anyone with access to a computer that runs Chrome also had access to the passwords and, because they are stored as a plain text list, they are simple to read, write down or simply copy and paste. A serious problem if the computer has multiple users. Imagine a teenage girl's younger brother ‘stumbling' upon her login details and the ‘fun' he could have with her social media accounts, never mind the implications for business users.
This security hole was discovered by developer Elliott Kember, who was so shocked he immediately took to his blog to draw users' and Google's attention to it. "In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market -- the users. The overwhelming majority.
They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay," he wrote.
Three months on, Chrome developer Francois Beaufort has taken to Google+ to announce that although the plain text list of passwords will remain, they will only be accessible once a user has entered a system password. The change is coming to Chrome for the Mac but so far, there is no mention whether the feature will be offered on the Windows build of the web browser.
In the meantime, Windows PC Chrome users can protect themselves by ensuring that PCs in a communal space or those shared by co-workers or other family members have separate user-specific login passwords.
They can also activate two-factor authentication on a number of websites such as Facebook, Twitter, Evernote and Gmail. When navigating to those sites, users are required to enter a randomly generated PIN number as well as a user ID and password for extra security.
And finally, they can delete all saved passwords from Chrome and consider investing in a password management tool, such as last Pass or 1Password. They create totally random, fiendishly difficult to crack and impossible to remember unique logins for all websites but will store them all together in one very secure place behind one master password. When you need to fill in a password, as long as the management tool is open it will automatically populate the field. It not only means that a potentially infinite number of secure logins can be created and stored, you only have to create and remember one password, the one that gives you access to the password management application.