Google Chrome and master passwords [LWN.net]

By Jake Edge
May 19, 2010

Master passwords for browsers provide a measure of security against some common, if weak, attack vectors. Firefox has had master passwords for some time, but Google's Chrome browser does not, nor does it seem to have any kind of priority to be added. That makes some users rather unhappy, to the point of saying that they won't use the browser until it is implemented. Google's position seems to be that master passwords only provide an illusion of security, but that is an oversimplification.

The idea behind a master password is to protect the credentials (username and password) for accessing web sites that are stored by the browser. The master password is required to unlock (really decrypt) the credential storage before the browser can auto-fill login forms. Without a master password, Firefox stores credential information unencrypted on the disk. Chrome does encrypt the credentials using the user's session information—but only on Windows—for Linux it stores them unencrypted.

As Jamie Strandboge describes in a blog posting, it is trivial to extract the credentials stored by Chrome on Linux in a SQLite database file. A bug filed against Chrome in September 2008 requests adding a master password, and, while it has seen many comments, it has also seen little action on the part of the Chrome developers. For Linux users, it is pretty clear that leaving an unencrypted version of all stored passwords on the disk is a security hole; it definitely requires access to the data, either on the machine itself or elsewhere—like a network share or backup of the home directory. Ways to get that access aren't very hard to envision. Since the data is encrypted on Windows, the picture there is a little murkier.

It is certainly true that anyone who gets physical access to your machine can do an amazing amount of harm to it if they want to. But it is also true that many people allow their computer to be used by others to do a quick search or check email. Those uses are typically short in duration and are "semi-supervised" in the sense that the owner is often around and might very well notice someone installing a keylogger or running some kind of password cracker. What may escape notice is someone using the browser interface in fairly standard ways—to look at stored passwords for example.

The answer, according to Chrome developer Peter Kasting is to "lock your desktop (it's two keys!) or close Chrome" if you don't trust those with physical access. Essentially, because of the way Chrome is implemented, there is no secure way to allow someone to use your open browser session—or even to start a new one for them to use. With Firefox, one can start a new browser and not provide the master password (or just log out of the "Software Security Device"), which will allow semi-untrusted users to jump on and do a quick Google—or check Gmail.

Given the sensitivity of stored passwords—though many sensitive web sites, like banks and brokerages, have started disallowing credential storage—a master password protecting them gives users a sense of protection. It may well be that the average user overestimates the amount of protection that a master password provides, but that doesn't mean it provides no protection. There is certainly a big difference between a sophisticated hacker willing to risk jail time by installing a keylogger and a "friend" who thinks it would be funny to update your Facebook status for you. The latter is likely to be thwarted by a master password.

It is a bit hard to understand why the Chrome developers are so unwilling to consider adding the feature. It shouldn't be particularly difficult in a technical sense. The "UI complexity" argument rings a little hollow. The lack of any way to get password encryption on Linux just seems like a bug that needs to be fixed, though there isn't any real indication that it will be. Maybe someone in the community needs to take a crack at it—it is, after all, free software.

(Log in to post comments)

Google Chrome and master passwords

Posted May 20, 2010 3:26 UTC (Thu) by jake (editor, #205) [Link]

> Google Chrome is a proprietary browser.

Built from Chromium source with some other free software components (FFmpeg + codecs) linked in. At least as I understand it. Unless I am missing something, which is always possible, that makes Chrome free software.

jake

It's not true anymore

Posted May 20, 2010 7:16 UTC (Thu) by khim (subscriber, #9252) [Link]

Unless I am missing something, which is always possible, that makes Chrome free software.

Well, there are flash, for example. The Chrome core contains only open-source, but there are different proprietary addons. This makes the whole bundle proprietary...

Google Chrome and master passwords

Posted May 20, 2010 17:20 UTC (Thu) by intgr (subscriber, #39733) [Link]

This is exactly the sort of "false sense of security" that Chrome devs are talking about. If someone gets access to your user account -- remotely or not -- then they can do pretty much *anything* with it, including setting up a keylogger or dumping the memory of your running Chrome process.

Google Chrome and master passwords

Posted May 22, 2010 5:15 UTC (Sat) by thedevil (subscriber, #32913) [Link]

Wouldn't installing a keylogger require root access?

The point about memory dump is true. But I don't see *any* way to avoid that risk, even if I typed all the passwords manually.

Google Chrome and master passwords

Posted May 31, 2010 11:56 UTC (Mon) by robbe (subscriber, #16131) [Link]

> Wouldn't installing a keylogger require root access?
Not if you only care about the keys typed by this user.

LastPass

Posted May 20, 2010 13:35 UTC (Thu) by Cato (subscriber, #7643) [Link]

You might want to try LastPass - it's an in-browser password manager for Firefox, Chrome, IE, and others, which runs on Linux, Mac and Windows. There's also a desktop version called LastPass Pocket for the same platforms, and you can use it via web app only where you don't want to install anything (e.g. a live CD you're using a few minutes). It's generally pretty good, with developers willing to respond to questions. I've been using it for a while on Ubuntu 8.04 and 9.04, and Windows XP and 7, with Firefox, Chromium and Chrome. The Chrome plugin is fairly complete these days.

Specifically, it does have an "override sites that don't let you remember passwords" feature - and if a site isn't let you store cookies that store credentials, LastPass can auto login when it sees the site's login page. For your requirement, just disable all timeouts in its config - for most people I'd recommend a suitable inactivity timeout.

It's free as in beer (except on mobile phones where they charge a yearly fee) but not open source. See https://lastpass.com/

KeePass is also good and open source, with many plugins and great features, but doesn't have the browser integration.

LastPass

Posted May 20, 2010 14:47 UTC (Thu) by jackb (subscriber, #41909) [Link]

I second this. I use LassPass on Firefox, Chrome and Android.

One of the other nice features is that you can set up one-time passwords if you want to access your account from a semi-trusted computer.

remove autocomplete=off

Posted May 20, 2010 20:50 UTC (Thu) by pflugstad (subscriber, #224) [Link]

I used to have a bookmarklet that would do this. A quick search turned up the way to hack your Firefox install to do the same thing:

http://lifehacker.com/5152945/make-firefox-remember-any-p...

Google Chrome and master passwords

Posted May 20, 2010 10:23 UTC (Thu) by ThinkRob (subscriber, #64513) [Link]

This is a little silly IMHO, but not entirely unprecedented. Sadly, there seems to be more and more of a move towards building software to "protect the users from themselves".

It's the user's responsibility to make sure that they trust the folks who use their box, plain and simple. If you [the software developer] really, really, _really_ want to shield fools from themselves, then build in "keychain" functionality but just disable it by default. Why deprive sane users of a feature just because some users can't figure out how to use it in a safe, effective manner?

Chrome's stance is like the Linux kernel developers deciding to strip out swap support because some folks could use a laptop with an unencrypted swap partition.

Google Chrome and master passwords

Posted May 20, 2010 15:32 UTC (Thu) by AndreE (subscriber, #60148) [Link]

what ever happened to secure by default.

Leaving your site passwords in plaintext is just stupid. Stupid enough for them NOT to do it on windows.

Google Chrome and master passwords

Posted May 21, 2010 13:35 UTC (Fri) by jwarnica (subscriber, #27492) [Link]

Well... The question really is "whose job is it to provide security against remote or local physical attacks?"

Chrome doesn't do RAID, it doesn't do tape backups, it doesn't patch the OS with updates. Such services and tasks are clearly something else's problem.

Disk encryption exists, if currently unusual. Locking screensavers are everywhere, if not always used.

Users have the ability, today, to protect against the attacks that a browser master lock also provide.

A browser master lock is:
- not going to be as effective (system based security would both protect against more things, and likely be technically better as its importance would get it more attention from devs and testers)
- be annoying to those using other locks (I hate the gnome keyring thing, for example. I just logged in to my account, and you want me to log in again?)

Google Chrome and master passwords

Posted May 22, 2010 8:37 UTC (Sat) by tzafrir (subscriber, #11501) [Link]

A browser "master lock" is optional. If you don't trust the browser, don't store passwords with it.

If I don't want to install a different password (and copy/paste passwords, which may expose them on the clipboard), what should I do?

Google Chrome and master passwords

Posted May 22, 2010 21:52 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]

option 1
remember your passwords yourself and type them

option 2
have an application, device remember your passwords but type them, don't copy-n-paste them

option 3
get a browser plugin that generates a password based on the website and what you type so that you don't have to remember a different password per website, but each website gets a different password

Google Chrome and master passwords

Posted May 22, 2010 18:07 UTC (Sat) by salimma (subscriber, #34460) [Link]

On Fedora, at least, the Gnome keyring is unlocked automatically when you login. The KDE wallet on openSUSE, on the other hand, *does* require manual unlocking.

Google Chrome and master passwords

Posted May 20, 2010 12:16 UTC (Thu) by DG (subscriber, #16978) [Link]

On OSX, Chrome does store passwords the system storage thing, whatever it's called.

Google Chrome and master passwords

Posted May 20, 2010 13:10 UTC (Thu) by jku (subscriber, #42379) [Link]

That should be especially easy in the future as there is a common API:

http://www.freedesktop.org/wiki/Specifications/secret-sto...

Google Chrome and master passwords

Posted May 20, 2010 18:13 UTC (Thu) by leiz (subscriber, #46265) [Link]

Except there hasn't been much activity in this area. Their mailing list gets 1-2 emails a month.

Google Chrome and master passwords

Posted May 20, 2010 18:23 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

Which mailing list? Once the spec is finalized, there isn't any need for much activity outside of the implementation specific mailing lists. GNOME Keyring does support it now.

USB key attacks

Posted May 20, 2010 13:44 UTC (Thu) by Cato (subscriber, #7643) [Link]

At least on Windows, the threat of an unencrypted password store is much greater due to AutoPlay - when a USB key is inserted, a script on that drive is executed which can do anything (e.g. grab any unencrypted password stores, or install a keylogger to capture keystrokes). This could happen invisibly when a colleague is asking you to put a file on their key.

Not sure if this threat exists in Linux given Nautilus and similar file managers, but if the attacker can get you to open a file on the USB key (perhaps an innocuous looking symbolic link to an executable shell script?) that could have the same effect.

The use of a silently unencrypted password store in Chrome on Linux is horrible - something like LastPass (http://lastpass.com) would be much safer, though still vulnerable to keyloggers of course. (Windows keyloggers are quite sophisticated these days - the Zeus trojan captures a screenshot near the mouse pointer each time a key is typed, to bypass virtual on-screen keyboards as a defence.)

Defence in Depth

Posted May 20, 2010 14:41 UTC (Thu) by davecb (subscriber, #1574) [Link]

It's quite normal in a war to build multiple defense lines,
some of which are only capable of stopping a recon team,
while others can stop a armored brigade.

The criteria is that the first kind of line is staffed by
people with a radio, to tell the folks managing the whole
mess that they've encountered the enemy, and in what strength.

In our case, one might do a logical variant: provide a master
password mechanism, and use "not unlocked" as a warning to other
security mechanisms that the owner thinks they're NOT doing
something insecure.

That will definitely catch "probing" attacks, just like a "tripwire"
defense line does.

--dave

Google Chrome and master passwords

Posted May 20, 2010 17:33 UTC (Thu) by socket (guest, #43) [Link]

I recently discovered a useful and clever way of dealing with passwords in the web browser... I don't recall if I learned this from LWN, so apologies if everyone's already seen this, but the general technique should be reasonably easy to make a Chrome plugin for, and significantly reduces the need to store any password on disk, encrypted or not.

Have a look at http://crypto.stanford.edu/PwdHash/. And correspondingly, https://www.pwdhash.com/.

I tend to avoid the problem of browser-stored passwords by using a program on my PDA for storing passwords in a database encrypted with a single password. It's not integrated into my laptop, much less my browser, so I wind up having to type my passwords into the browser. It's not convenient, but I've never really trusted that the appropriately crafted javascript won't be able to read any arbitrary file my login account has permission to read and send it off to some random website.

I don't trust Firefox's security model. Javascript is used both by plugins which can do anything they like, and by websites which supposedly can't, based on complicated sandboxing techniques. I highly doubt that the sandboxing is perfect.