LWN: Comments on "Google Chrome and master passwords" https://lwn.net/Articles/388309/ This is a special feed containing comments posted to the individual LWN article titled "Google Chrome and master passwords". en-us Fri, 29 Aug 2025 23:20:41 +0000 Fri, 29 Aug 2025 23:20:41 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net Google Chrome and master passwords https://lwn.net/Articles/390004/ https://lwn.net/Articles/390004/ robbe <div class="FormattedComment"> <font class="QuotedText">&gt; Wouldn't installing a keylogger require root access?</font><br> Not if you only care about the keys typed by this user.<br> </div> Mon, 31 May 2010 11:56:13 +0000 Google Chrome and master passwords https://lwn.net/Articles/389880/ https://lwn.net/Articles/389880/ Russ.Dill@gmail.com <div class="FormattedComment"> Yes, that in combination with the ~/Private provides a low impact solution. It should really be easier or more automated, but it is still pretty easy to utilize:<br> <p> cp -a ~/.firefox ~/Private<br> rm -rf ~/.firefox<br> ln -s ~/Private/.firefox ~/.firefox<br> <p> </div> Fri, 28 May 2010 20:36:32 +0000 Google Chrome and master passwords https://lwn.net/Articles/388816/ https://lwn.net/Articles/388816/ dlang <div class="FormattedComment"> option 1<br> remember your passwords yourself and type them<br> <p> option 2<br> have an application, device remember your passwords but type them, don't copy-n-paste them<br> <p> option 3<br> get a browser plugin that generates a password based on the website and what you type so that you don't have to remember a different password per website, but each website gets a different password<br> </div> Sat, 22 May 2010 21:52:48 +0000 Google Chrome and master passwords https://lwn.net/Articles/388805/ https://lwn.net/Articles/388805/ salimma <div class="FormattedComment"> On Fedora, at least, the Gnome keyring is unlocked automatically when you login. 
The KDE wallet on openSUSE, on the other hand, *does* require manual unlocking.<br> </div> Sat, 22 May 2010 18:07:01 +0000 Google Chrome and master passwords https://lwn.net/Articles/388788/ https://lwn.net/Articles/388788/ tzafrir <div class="FormattedComment"> A browser "master lock" is optional. If you don't trust the browser, don't store passwords with it.<br> <p> If I don't want to install a different password (and copy/paste passwords, which may expose them on the clipboard), what should I do?<br> </div> Sat, 22 May 2010 08:37:27 +0000 Google Chrome and master passwords https://lwn.net/Articles/388778/ https://lwn.net/Articles/388778/ thedevil <div class="FormattedComment"> Wouldn't installing a keylogger require root access?<br> <p> The point about memory dump is true. But I don't see *any* way to avoid that risk, even if I typed all the passwords manually.<br> <p> </div> Sat, 22 May 2010 05:15:03 +0000 Google Chrome and master passwords https://lwn.net/Articles/388717/ https://lwn.net/Articles/388717/ ssam <div class="FormattedComment"> if you are letting someone have a quick browse on your computer you can give them a guest session.<br> <p> on ubuntu this is very easy. click the session menu (the one with log out and shutdown), and choose guest session. it creates a guest user, with limited privileges (eg. they can only read a small white list of the filesystem), and logs them into an X session. when they log out it deletes their temporary home folder. it is pretty hard for them to do anything bad from it.<br> <p> i guess other distros must have similar features.<br> </div> Fri, 21 May 2010 14:50:50 +0000 Google Chrome and master passwords https://lwn.net/Articles/388710/ https://lwn.net/Articles/388710/ jwarnica <div class="FormattedComment"> Well... The question really is "whose job is it to provide security against remote or local physical attacks?"<br> <p> Chrome doesn't do RAID, it doesn't do tape backups, it doesn't patch the OS with updates. 
Such services and tasks are clearly something else's problem.<br> <p> Disk encryption exists, if currently unusual. Locking screensavers are everywhere, if not always used.<br> <p> Users have the ability, today, to protect against the attacks that a browser master lock also provides.<br> <p> A browser master lock is: <br> - not going to be as effective (system based security would both protect against more things, and likely be technically better as its importance would get it more attention from devs and testers)<br> - be annoying to those using other locks (I hate the gnome keyring thing, for example. I just logged in to my account, and you want me to log in again?)<br> </div> Fri, 21 May 2010 13:35:49 +0000 remove autocomplete=off https://lwn.net/Articles/388620/ https://lwn.net/Articles/388620/ pflugstad <div class="FormattedComment"> I used to have a bookmarklet that would do this. A quick search turned up the way to hack your Firefox install to do the same thing:<br> <p> <a href="http://lifehacker.com/5152945/make-firefox-remember-any-password-no-bookmarklet-required">http://lifehacker.com/5152945/make-firefox-remember-any-p...</a><br> </div> Thu, 20 May 2010 20:50:46 +0000 Google Chrome and master passwords https://lwn.net/Articles/388580/ https://lwn.net/Articles/388580/ rahulsundaram <div class="FormattedComment"> Which mailing list? Once the spec is finalized, there isn't any need for much activity outside of the implementation specific mailing lists. GNOME Keyring does support it now. <br> </div> Thu, 20 May 2010 18:23:40 +0000 Google Chrome and master passwords https://lwn.net/Articles/388577/ https://lwn.net/Articles/388577/ leiz <div class="FormattedComment"> Except there hasn't been much activity in this area. 
Their mailing list gets 1-2 emails a month.<br> </div> Thu, 20 May 2010 18:13:46 +0000 Google Chrome and master passwords https://lwn.net/Articles/388566/ https://lwn.net/Articles/388566/ riddochc I recently discovered a useful and clever way of dealing with passwords in the web browser... I don't recall if I learned this from LWN, so apologies if everyone's already seen this, but the general technique should be reasonably easy to make a Chrome plugin for, and significantly reduces the need to store <i>any</i> password on disk, encrypted or not. <p>Have a look at <a href="http://crypto.stanford.edu/PwdHash/">http://crypto.stanford.edu/PwdHash/</a>. And correspondingly, <a href="https://www.pwdhash.com/">https://www.pwdhash.com/</a>. <p>I tend to avoid the problem of browser-stored passwords by using a program on my PDA for storing passwords in a database encrypted with a single password. It's not integrated into my laptop, much less my browser, so I wind up having to type my passwords into the browser. It's not convenient, but I've never really trusted that the appropriately crafted javascript won't be able to read any arbitrary file my login account has permission to read and send it off to some random website. <p>I don't trust Firefox's security model. Javascript is used both by plugins which <i>can</i> do anything they like, and by websites which supposedly <i>can't</i>, based on complicated sandboxing techniques. I highly doubt that the sandboxing is perfect. Thu, 20 May 2010 17:33:46 +0000 Google Chrome and master passwords https://lwn.net/Articles/388567/ https://lwn.net/Articles/388567/ intgr <div class="FormattedComment"> This is exactly the sort of "false sense of security" that Chrome devs are talking about. 
If someone gets access to your user account -- remotely or not -- then they can do pretty much *anything* with it, including setting up a keylogger or dumping the memory of your running Chrome process.<br> <p> </div> Thu, 20 May 2010 17:20:49 +0000 Google Chrome and master passwords https://lwn.net/Articles/388548/ https://lwn.net/Articles/388548/ AndreE <div class="FormattedComment"> what ever happened to secure by default.<br> <p> Leaving your site passwords in plaintext is just stupid. Stupid enough for them NOT to do it on windows.<br> </div> Thu, 20 May 2010 15:32:28 +0000 LastPass https://lwn.net/Articles/388542/ https://lwn.net/Articles/388542/ jackb <div class="FormattedComment"> I second this. I use LastPass on Firefox, Chrome and Android.<br> <p> One of the other nice features is that you can set up one-time passwords if you want to access your account from a semi-trusted computer.<br> </div> Thu, 20 May 2010 14:47:44 +0000 Defence in Depth https://lwn.net/Articles/388541/ https://lwn.net/Articles/388541/ davecb <div class="FormattedComment"> It's quite normal in a war to build multiple defense lines,<br> some of which are only capable of stopping a recon team,<br> while others can stop an armored brigade.<br> <p> The criterion is that the first kind of line is staffed by<br> people with a radio, to tell the folks managing the whole<br> mess that they've encountered the enemy, and in what strength.<br> <p> In our case, one might do a logical variant: provide a master <br> password mechanism, and use "not unlocked" as a warning to other<br> security mechanisms that the owner thinks they're NOT doing<br> something insecure.<br> <p> That will definitely catch "probing" attacks, just like a "tripwire"<br> defense line does.<br> <p> --dave<br> </div> Thu, 20 May 2010 14:41:23 +0000 USB key attacks https://lwn.net/Articles/388532/ https://lwn.net/Articles/388532/ Cato <div class="FormattedComment"> At least on Windows, the threat of an unencrypted password store 
is much greater due to AutoPlay - when a USB key is inserted, a script on that drive is executed which can do anything (e.g. grab any unencrypted password stores, or install a keylogger to capture keystrokes). This could happen invisibly when a colleague is asking you to put a file on their key. <br> <p> Not sure if this threat exists in Linux given Nautilus and similar file managers, but if the attacker can get you to open a file on the USB key (perhaps an innocuous looking symbolic link to an executable shell script?) that could have the same effect.<br> <p> The use of a silently unencrypted password store in Chrome on Linux is horrible - something like LastPass (<a href="http://lastpass.com">http://lastpass.com</a>) would be much safer, though still vulnerable to keyloggers of course. (Windows keyloggers are quite sophisticated these days - the Zeus trojan captures a screenshot near the mouse pointer each time a key is typed, to bypass virtual on-screen keyboards as a defence.)<br> </div> Thu, 20 May 2010 13:44:02 +0000 LastPass https://lwn.net/Articles/388529/ https://lwn.net/Articles/388529/ Cato <div class="FormattedComment"> You might want to try LastPass - it's an in-browser password manager for Firefox, Chrome, IE, and others, which runs on Linux, Mac and Windows. There's also a desktop version called LastPass Pocket for the same platforms, and you can use it via web app only where you don't want to install anything (e.g. a live CD you're using for a few minutes). It's generally pretty good, with developers willing to respond to questions. I've been using it for a while on Ubuntu 8.04 and 9.04, and Windows XP and 7, with Firefox, Chromium and Chrome. The Chrome plugin is fairly complete these days.<br> <p> Specifically, it does have an "override sites that don't let you remember passwords" feature - and if a site doesn't let you store cookies that store credentials, LastPass can auto login when it sees the site's login page. 
For your requirement, just disable all timeouts in its config - for most people I'd recommend a suitable inactivity timeout.<br> <p> It's free as in beer (except on mobile phones where they charge a yearly fee) but not open source. See <a href="https://lastpass.com/">https://lastpass.com/</a><br> <p> KeePass is also good and open source, with many plugins and great features, but doesn't have the browser integration.<br> <p> </div> Thu, 20 May 2010 13:35:23 +0000 Google Chrome and master passwords https://lwn.net/Articles/388519/ https://lwn.net/Articles/388519/ jku <div class="FormattedComment"> That should be especially easy in the future as there is a common API:<br> <p> <a href="http://www.freedesktop.org/wiki/Specifications/secret-storage-spec">http://www.freedesktop.org/wiki/Specifications/secret-sto...</a><br> </div> Thu, 20 May 2010 13:10:56 +0000 Google Chrome and master passwords https://lwn.net/Articles/388523/ https://lwn.net/Articles/388523/ agl <div class="FormattedComment"> If you are interested in the current thinking around this, and something which could see the light of day in Chrome, read <a href="http://www.links.org/?p=928">http://www.links.org/?p=928</a><br> </div> Thu, 20 May 2010 13:07:43 +0000 Google Chrome and master passwords https://lwn.net/Articles/388502/ https://lwn.net/Articles/388502/ DG <div class="FormattedComment"> On OSX, Chrome does store passwords in the system storage thing, whatever it's called.<br> <p> <p> </div> Thu, 20 May 2010 12:16:45 +0000 Google Chrome and master passwords https://lwn.net/Articles/388493/ https://lwn.net/Articles/388493/ cortana <div class="FormattedComment"> Sounds like Chromium needs to use the GNOME keyring on Gnome, KDE's equivalent when on KDE, etc.<br> </div> Thu, 20 May 2010 11:25:14 +0000 Google Chrome and master passwords https://lwn.net/Articles/388483/ https://lwn.net/Articles/388483/ ThinkRob <div class="FormattedComment"> This is a little silly IMHO, but not entirely unprecedented. 
Sadly, there seems to be more and more of a move towards building software to "protect the users from themselves".<br> <p> It's the user's responsibility to make sure that they trust the folks who use their box, plain and simple. If you [the software developer] really, really, _really_ want to shield fools from themselves, then build in "keychain" functionality but just disable it by default. Why deprive sane users of a feature just because some users can't figure out how to use it in a safe, effective manner?<br> <p> Chrome's stance is like the Linux kernel developers deciding to strip out swap support because some folks could use a laptop with an unencrypted swap partition.<br> </div> Thu, 20 May 2010 10:23:21 +0000 It's not true anymore https://lwn.net/Articles/388452/ https://lwn.net/Articles/388452/ khim <blockquote>Unless I am missing something, which is always possible, that makes Chrome free software.</blockquote> <p>Well, there is <a href="http://blog.chromium.org/2010/03/bringing-improved-support-for-adobe.html">flash</a>, for example. The Chrome core contains only open-source, but there are different proprietary addons. This makes the whole bundle proprietary...</p> Thu, 20 May 2010 07:16:50 +0000 Google Chrome and master passwords https://lwn.net/Articles/388444/ https://lwn.net/Articles/388444/ ikm <div class="FormattedComment"> <font class="QuotedText">&gt; many sensitive web sites, like banks and brokerages, have started disallowing credential storage</font><br> <p> Yeah, I really hate that one. My home's encrypted, I'm the only user of the box, I'm behind the firewall, etc etc -- would you, mr. 
Firefox, please, let me decide myself whether or not I would want to store my forms?<br> <p> If anyone knows how to disable this misfeature, please let me know, I'd greatly appreciate that.<br> </div> Thu, 20 May 2010 06:40:22 +0000 Google Chrome and master passwords https://lwn.net/Articles/388437/ https://lwn.net/Articles/388437/ thedevil <div class="FormattedComment"> Is nobody using "desktops" anymore? Nobody has physical access to my desktop without breaking into my apartment, but if someone gets remote access (which cannot be completely ruled out, since I run at least sshd), having the credentials encrypted will make a big difference.<br> <p> </div> Thu, 20 May 2010 05:46:41 +0000 Google Chrome and master passwords https://lwn.net/Articles/388433/ https://lwn.net/Articles/388433/ jamesd <div class="FormattedComment"> I think the best advice is to not store any passwords in the browser and use an extension like PasswordMaker Pro.<br> <p> <p> </div> Thu, 20 May 2010 05:16:31 +0000 Google Chrome and master passwords https://lwn.net/Articles/388422/ https://lwn.net/Articles/388422/ jake <div class="FormattedComment"> <font class="QuotedText">&gt; Google Chrome is a proprietary browser. </font><br> <p> Built from Chromium source with some other free software components (FFmpeg + codecs) linked in. At least as I understand it. Unless I am missing something, which is always possible, that makes Chrome free software.<br> <p> jake<br> </div> Thu, 20 May 2010 03:26:23 +0000 Google Chrome and master passwords https://lwn.net/Articles/388415/ https://lwn.net/Articles/388415/ rahulsundaram <div class="FormattedComment"> " Maybe someone in the community needs to take a crack at it—it is, after all, free software."<br> <p> Chromium is free software. Google Chrome is a proprietary browser. <br> </div> Thu, 20 May 2010 02:17:27 +0000