You say you do not wish to lull users into a false sense of security. So why not clearly tell people each time Chrome saves a password that the saved password will be visible in plaintext by visiting chrome://settings/passwords ?
Otherwise you are lulling people into a false sense of security.
E.g., to view passwords in my coworker's Keychain, I have to at least enter their account password to show the plaintext. To view their web passwords (which probably overlap significantly with their Keychain) all I have to do is open Chrome. I often use my coworkers' computers for minutes at a time, and they use mine.
This flaw actually makes it possible to read their passwords — something not possible using other methods within seconds or minutes as they step out of the room.
So why not clearly tell people each time Chrome saves a password that the saved password will be visible in plaintext by visiting chrome://settings/passwords ?
Because the vast majority of the population don't know what a browser is, let alone a URL.
You (the developer) are providing the illusion of consent. The person doesn't know what just happened, but you're inferring that they have consented to it showing up in that URL.
So Chrome should not allow passwords to be read without the system Keychain password.
There is no technical reason it can't do this. Safari does this if you want to view passwords.
Chrome makes passwords casually available; this is unlike Safari and unlike the Keychain. So either Chrome informs the user of that behaviour or it stops doing it.
What it is doing now is very poorly designed behaviour. I am surprised that you are arguing for Chrome's current implementation.
I fail to see how it is beneficial to the user. As you say, most non-technical users don't know about chrome://settings/passwords; these are also the group of users who most likely need to be reminded of their passwords. So what Chrome is doing is essentially allowing slightly technically competent users to easily peek at the passwords of the "vast majority of the population." Bad design that is easily fixed.
- It's not as fast or inconspicuous as navigating to chrome://settings/passwords
- It does not present all passwords in a single list with the ability to show the one I'm interested in
- I would have to go to each site, allow Chrome to auto-fill, and then inspect the DOM and change the input type for each password I'm interested in. Far slower.
- It feels far more malicious to do what you suggest. Feeling is important. If I feel like I'm doing something bad, I'm less likely to do it. If I feel like I'm innocently navigating the Chrome settings page then I'm more likely to take a peek at your passwords.
- Far fewer people will be comfortable with, familiar with, or capable of using the DOM modification method. If a novice practices they are likely to get good at it. But that goes back to malicious intent.