Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Note that Chrome is using keychain and that you can dump the complete keychain data with all passwords decrypted via terminal anyway. You don't need any third party software ala Chrome installed. E.g.:

    security find-internet-password -g -s news.ycombinator.com
Klick allow and that's it. The master password question for showing individual passwords in the Keychain.app does not protect your passwords.

As others said: don't let anybody use your computer if you're logged in (have the keychain(s) unlocked).



Actually this is still better than Chrome does. If you run that, you are prompted for access to it. If you click "Allow" the next time the command is called, you will be prompted again.

If you "Allow" when Chrome prompts for access to a keychain item it then creates a new keychain item and gives itself "always allow" access.


> Note that Chrome is using keychain

I note that it's misusing keychain: if it's given (temporary) access to a password it will copy it to a permanent access entry.

> and that you can dump the complete keychain data with all passwords decrypted via terminal anyway.

Interestingly annoying, thanks.


I can't replicate that behavior. If I choose "Always Allow" Chrome is added to the allowed applications (see Keychain.app in the Access Control tab). If I allow it temporary there're no changes or new/copied password items in the keychain.


>The master password question for showing individual passwords in the Keychain.app does not protect your passwords.

That's insane too then! as it suggests/teaches that keychain passwords are master password protected.


Yes and no. If you're in the Keychain.app a user expects security question for revealing passwords.

On the other hand: if you in a third party app you just click "allow" and the app can use that password. Let's read that again: an arbitrary third party app … has access … to a password … by just clicking a button. You have probably done this many times (if you're using a Mac), but without thinking much about it (convenience).

Obviously there must be a way so that everyone can write a little app, request and access a password with a single mouse click and then show it in plain text.

(Always under the assumption that the keychain is already unlocked.)


> On the other hand: if you in a third party app you just click "allow" and the app can use that password. Let's read that again: an arbitrary third party app … has access … to a password … by just clicking a button.

It's possible to require the master password for each password release, though that is not the default and — in 10.6 — it seems there is no way to enable this globally, it has to be set individually per password as far as I can see.


You're right, and this is really bad. The thing Chrome gives you on top of this is greater discoverability - i.e. a list of ALL passwords - and a few buttons to make it easier for non-technical users.


"Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say."

Someone that does that to me would not get a punch in the nose, but that is certainly what they would deserve.


I suppose it's a pretty in-your-face way of showing you. But it would certainly get the message across. It'd be a bit of a shock, right?


I don't store any passwords in Chrome.

Regardless, what you suggest is an enormous invasion of privacy.

How about a, "Did you know that within 30 seconds, I can see all your passwords?"




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: