The great thing about Apple’s iOS 7 password syncing feature is that setting up iCloud Keychain on your device with an iCloud Security Code prevents anyone from gaining access to your saved web passwords by going to Settings > Safari > Passwords & AutoFill > Saved Passwords. That is, viewing any saved entry there requires providing an iCloud Security Code, or your account password on the Mac.
This added layer of protection ensures I can’t steal your iPhone while it isn’t auto-locked and use the Settings app to hijack your online identities in a snap. Not so much with Chrome for Mac. Currently, Google’s browser does not require any form of authentication to reveal saved passwords. The Internet giant is aware of the problem and is aiming to deploy enhanced security for saved passwords in an upcoming Chrome build…
I was setting up iCloud Keychain on my devices the other day and just out of curiosity fired up Chrome to re-check how it handles saved passwords. Much to my horror, I was reminded that Google’s browser allows anyone to simply go to Chrome Preferences, click the ‘Show advanced settings’ link at the bottom, then hit ‘Manage saved passwords’ to access saved website login data in the clear.
As you can see, all it takes is hitting the Show button to reveal any password entry. I pixelated usernames for the sake of my own security, by the way.
According to Google’s Happiness Evangelist François Beaufort, the latest Chromium build for Mac contains a new experimental flag which protects those saved passwords with your Mac’s system password.
Once you’ve enabled the chrome://flags/#enable-password-manager-reauthentication flag, a user who tries to reveal a plain-text password in chrome://settings/passwords will be prompted to re-authenticate with their Mac OS user password.
It wasn’t immediately clear whether the enhancement will make it to other platforms, especially mobile. It would also be great to authenticate those passwords with my Google Account instead of the Mac system password. They already do this for Chrome’s browser sync, so all that’s needed is forced re-authentication, in my opinion.
I’m guessing this is a high-profile security enhancement and am expecting the feature to trickle down to Beta Chrome builds before it’s ready for prime time. Google’s solution may offer a fine balance between security and ease of use as Beaufort notes that once authenticated, “you won’t need to reauthenticate anymore for one minute”.
You can download the most recent Chromium build and try this out yourself today.
Don’t worry, Chromium builds don’t overwrite the existing Chrome installation and your settings are preserved. I’d very much prefer an option to disable the one-minute timer and tell Chrome to instead always ask me for the system password, just like iCloud Keychain does on iOS 7 devices and Macs.
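To make the trade-off concrete, here is an added example (not Chrome’s or Chromium’s code) that models the re-authentication gate the post describes: after one successful system-password check, further reveals go through without a prompt for a grace window (sixty seconds in the Chromium flag), and a window of zero gives the always-ask behaviour described above. The `verify_password` hook, the `FakeClock` and the vault contents are constructed for the example; a real implementation would call the platform’s credential API instead of comparing against a stored string.

```python
"""Re-authentication gate for revealing stored passwords (added example).

Models the behaviour described in the post: a reveal triggers an OS-password
prompt unless a successful check happened within the grace window.
"""
import hmac
import time
from typing import Callable, Dict, Optional


def make_verifier(expected: str) -> Callable[[str], bool]:
    """Constructed stand-in for the OS password check (assumption: a real
    gate would call the platform API, never hold the password itself)."""
    def verify(supplied: str) -> bool:
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        return hmac.compare_digest(expected.encode(), supplied.encode())
    return verify


class PasswordRevealGate:
    def __init__(self, verify_password: Callable[[str], bool],
                 window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._verify = verify_password
        self._window = window_seconds       # 60 = Chromium's one-minute timer
        self._clock = clock                 # injectable so the window is testable
        self._last_auth: Optional[float] = None

    def needs_reauth(self) -> bool:
        """True when no valid authentication lies inside the grace window."""
        if self._last_auth is None:
            return True
        # Strict '<' means a window of 0 always demands a fresh prompt.
        return not (self._clock() - self._last_auth < self._window)

    def reveal(self, vault: Dict[str, str], site: str,
               prompt: Callable[[], str]) -> str:
        """Return the stored password for `site`, prompting only when needed."""
        if self.needs_reauth():
            if not self._verify(prompt()):
                # A failed attempt must not refresh the window.
                raise PermissionError("re-authentication failed")
            self._last_auth = self._clock()
        return vault[site]

    def lock(self) -> None:
        """Drop the cached authentication (e.g. on screen lock)."""
        self._last_auth = None


class FakeClock:
    """Constructed monotonic clock for demonstrations and tests."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo(window_seconds: float) -> int:
    """Reveal three entries 30 s apart; return how many prompts were shown."""
    vault = {"example.com": "s3cret-1", "mail.example": "s3cret-2"}  # constructed
    clock = FakeClock()
    gate = PasswordRevealGate(make_verifier("correct horse"), window_seconds, clock.now)
    prompts = 0

    def prompt() -> str:
        nonlocal prompts
        prompts += 1
        return "correct horse"

    for site in ("example.com", "mail.example", "example.com"):
        gate.reveal(vault, site, prompt)
        clock.advance(30)
    return prompts


if __name__ == "__main__":
    print("prompts with 60 s window:", demo(60))   # second reveal is inside the window
    print("prompts with 0 s window: ", demo(0))    # always ask, as the author prefers
```

With the sixty-second window the second reveal (30 s after the first) skips the prompt and the third (60 s after) asks again, so three reveals cost two prompts; with a zero window every reveal prompts.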
At any rate, this will be a huge boost for users’ security as the current implementation simply isn’t acceptable at all. Makes me wonder why it took Google so long to realize that Chrome’s current password-saving feature provides a dangerous vector for malicious attacks and identity theft.
Do you rely on a third-party password manager such as 1Password, or do you trust your browser with your saved passwords?
I’m a heavy iCloud Keychain user, but still rely on 1Password for secure notes, PINs and other private information iCloud Keychain currently does not handle.