
Elliottkmember is right here. Chrome's approach to this is absurd. What if you simply don't want friends, coworkers, significant others browsing your passwords? At least tell users that if they choose to save passwords in Chrome, everyone who uses their computer, even pretty non-technical people, will be able to access those passwords. Tell them that storing their passwords in Chrome is unsafe.

Justin, can you tell us the real reason Chrome does it this way? Because the reasons you list so far don't make sense.




Please don't invent motivations for the statements people make when you don't like what they've stated so far.

If you don't want people browsing your passwords, you can't ever give them access to your user account or your unlocked desktop. That's it, that is the entire solution. Any other method of protecting the passwords is vulnerable as long as the potential attacker has physical access to the unlocked desktop.

Now, perhaps some of this is mitigated by the fact that most of those friends, coworkers, significant others won't know how to install a keylogger or install extensions - but some small percentage will anyway, and those users who were lulled into a false sense of security will have been just as exploited anyway.


>If you don't want people browsing your passwords, you can't ever give them access to your user account or your unlocked desktop. That's it, that is the entire solution.

Nope.

Just don't use Chrome. That's an even better solution.


Hahahahahhhh.

Let me teach you a neat trick (I'll use Firefox as an example, but this can be done in any browser because it's a "feature" of HTML).

>Open Firefox and navigate to a login page where your password is saved

>Right click on password box and click inspect element

>In the console, change type="password" to type=""

>Move your eyes back to the password field

Oh dear, what's this?!

Protip: Don't store your passwords in your browsers if you let other people use your computer. End of story.


Ha... The people complaining really are novices, looking for something to get outraged over. Every operating system allows multiple user accounts. I recommend people start learning how to use them.


I'm not a novice, but I would prefer that it wasn't trivial for a novice to access my passwords if I'm away from the keyboard for 30 seconds. A novice is going to have not a single clue of what to do with a console, but they can get at passwords in plaintext with four clicks with Chrome. No other browser makes it this easy to get at passwords in plaintext.


> No other browser makes it this easy to get at passwords in plaintext.

In Firefox you can go to preferences, security, and saved passwords. And News Flash: If you leave your wallet unattended for 30 seconds, someone could take your money. I guess wallet makers should include a warning too?


> In Firefox you can go to preferences, security, and saved passwords.

Incorrect if you set a master password, which Firefox allows you to do and is the reason why everyone's saying 'wtf, chrome?' and leaving Firefox alone.


IF you set a master password... But how many people do that? By the way, you can set up user profiles in Chrome.


That's not the point. The point is that Chrome lacks this option, which, again, is why nobody's heckling Firefox right now. This isn't a thread about people failing to configure their software, it's a thread about a popular piece of software that's bungling some trivial security features.


How many? ALL the smart people.

As for the dumb ones, they're storing their passwords on a sticky-post. Or using Chrome.


Thanks. By chance, I needed to recover a password (one of my own of course) today and I remembered that trick.


Right, I'm not arguing against any of that. The point is if it's going to be that insecure, Chrome should make more of an effort to make it clear. They could do this by displaying a warning alongside the prompt to save a password.

Also, just because some people will be able to access the passwords with physical access doesn't mean it's not worth doing basic/unsecure locking. I'd rather use a system where people need to have the know-how to use keyloggers in order to break, over one where Joe Schmoe can walk in and take everything.

In the end I have always known the security issues with saving passwords so I don't save any banking passwords or email account passwords in any browser.


"The point is if it's going to be that insecure, Chrome should make more of an effort to make it clear"

And what's a better way to make it clear than actually showing the passwords?


A better way (than showing the passwords) to make it clear that storing the passwords is insecure was in the very next sentence after the snippet you quoted.

Read this: https://en.wikipedia.org/wiki/Principle_of_least_astonishmen...

Then tell me what's better:

- Asking users to store password, and having a menu hidden in the guts of Chrome's settings that most users will never look at.

OR

- Asking users to store password, and prompting them at the same time that doing so is insecure.

Keeping in mind that the vast majority of users of this software are average, non-techies.


What about the situation where I drop my computer off for service? While I may remember to delete all the passwords, I doubt my dad will... Now we have the possibility that a service tech who I will never meet can harvest credentials and sell them on the black market.


The real reason is simple. Get people to fear their real life circles so that, by contrast, they'll be more inclined to share their private information on the Internet.

After all, Google's business model depends directly on how much private information is shared over much of the internet.



