Chrome, Firefox blab your passwords in just a few clicks: Shrug, wary or kill?

Web browsers Google Chrome and Mozilla Firefox can reveal the logged-in user's saved website passwords in a few clicks. There now rages a debate over whether this is an alarming security flaw or a common feature. Picture this: you've been asked to fix a friend's PC because it's stopped printing pages properly, or you saunter …


  1. Richard 12 Silver badge

    Firefox already does what he asked

    Optionally, anyway. I don't use the master password though, because if someone has got to my desktop it's too late anyway.

    To be honest, I think this is a good feature.

    Lots of people have more than one device now, and damn near every website wants a username and password just to look at the weather or other stupid things that shouldn't even have a login, let alone credentials.

    A simple way to find out what you used so you can type it into A N Other device is necessary.

    All the major browsers ask before saving login credentials as well, with the warning "don't do this on a shared computer".

    So I'm with Google here.

    1. Simon 11

      Re: Firefox already does what he asked

      "...because if someone has got to my desktop it's too late anyway."

      I keep hearing this and it keeps pissing me off. It's just another way of saying 'It's easier than it should be for people to break into a system when they have physical access, so I'll use that as an excuse to justify not doing anything at all to protect the system, regardless of whether the things that can be done would prevent that person from accessing my most sensitive data, or merely slow them down'.

      If everyone stopped being lazy and started actively working on this level of security, we might actually get something that can make a system relatively secure from attackers with physical access to the machine.

      This is why Google's response is bad.

      1. Silviu C.

        Re: Firefox already does what he asked

        The fact that you can easily pwn any machine provided you have physical access to it is not Google's fault.

      2. Eddy Ito

        Re: Firefox already does what he asked

        Given the number of people who have the "automatically log me in" box ticked and don't have it automatically lock after a bit of inactivity there is no way this will be fixed except it would be pretty trivial to add it. If Comodo and Iron can tweak the code then it shouldn't be hard to spin in a master password.

        Besides, doesn't Google like having access to all your data anyway? Why would they make it harder on themselves? I'm actually a bit surprised they [Google, MS, Apple, etc] don't automatically cloudify all passwords to help folks log in from anywhere. What could go wrong having all the magic eggs to your life in one basket?

      3. plrndl

        Re: Firefox already does what he asked @ Simon 11

        The way your computer knows who's sitting in front of it is by "looking" at the login name. The reason you have the option for multiple logins is so that you can secure your data on a system shared with others.

        How do you propose that your computer knows who is using a shared login? How often should it check, every hour, every ten minutes, or more often? Do you really want to verify that you really are you that frequently?

      4. Nym

        Re: Firefox already does what he asked

        And just get LastPass, free or paid (or something similar) and don't be lazy; don't be lazy with your master password program (you should have one which is "cloud independent") and you're quite safe. It's also best to set Firefox at least to wipe all history and cookies each session (dreary lag of pageload or not)--and to put your machine to sleep even when you go visit the toilet. Paranoid isn't quite enough on an accessible computer...oh dear. Now I've said too much.

    2. Anonymous Coward

      Re: Firefox already does what he asked

      If someone got to my desktop it is NOT too late anyway, because these are passwords to sites where other information is available. You like to surrender info?

      1. VinceH

        Re: Firefox already does what he asked

        "If someone got to my desktop it is NOT too late anyway, because these are passwords to sites where other information is available. You like to surrender info?"

        I do agree for the main part - which is why I voted that this is a bug and needs to be fixed: Password visibility arguably means all they need is a brief access to nab that data, which is why I voted for that option, but consider that if someone has managed to nab your computer and accessed your user account, they don't actually need to see the passwords: they can just visit the sites using your browser with its saved passwords.

        Which means that on a shared computer, where the owners are too stupid or lazy to have separate, password-protected user accounts, and/or don't log out of their account when they're finished, there is no real protection anyway, password-protected passwords or not.

        This is arguably why there needs to be a lot more user education.

        My real vote would be "This is a bug that needs to be fixed (from the third option), but non-techie people won't realise and need to be educated (from the second)."

        I was tempted to add "don't leave your computer unlocked" from the first, but sometimes that is necessary when people like me need to fix other people's computers - but that would often be prevented if users were better educated to start with.

        The problem with arguing that users need to be better educated, though, is that many users don't want to be educated.

      2. Richard 12 Silver badge

        Re: Firefox already does what he asked

        If they've got to my desktop then they can copy the browser's keystore and upload it somewhere to crack at leisure - how do you propose stopping that?

        I lock my desktop when I leave it. Very simple solution, and as secure as the OS.

        That said, how big is the set of people who may attempt or gain physical access to steal data?

        A corporate machine may be worth an attacker trying for physical access due to the nature of the sensitive data, a personal one probably isn't.

        I don't use my corporate machine for personal stuff, and I trust that our IT dept have put in place reasonable protections given the value the company places on the data I have.

        At home, the only miscreant who might want my PC is going to smash it or sell it. He's not going to go after the data quick enough for any saved passwords to be worth anything.

        1. Anonymous Coward

          Re: Firefox already does what he asked

          "I lock my desktop when I leave it. Very simple solution, and as secure as the OS."

          I have admin rights over all the PCs where I work (so do the others if they thought about it. It's not me that set up the security policy and I have complained about the holes in it, but that's another story.)

          As a result, I can connect to any co-worker's PC and extract those files remotely, even when they lock their desktop.

          Locking the desktop will not secure your browser passwords from me or anyone else here.

          1. Richard 12 Silver badge


            "As secure as the OS"

            No more, no less.

            If you are an admin or get root over a computer then you can do whatever you like and nothing whatsoever is going to stop you.

            That's what the word "Administrator" means.

      3. Bitbeisser

        Re: Firefox already does what he asked

        If you don't want to surrender info, then don't f*****g save the password in the first place!!!

        Don't know about Chrome (and don't care to be honest), but Firefox will explicitly ask you if you want to save the password or not. So if people don't realize that this info is saved and accessible somewhere/somehow, sorry, too bad.

    3. Piro Silver badge

      Re: Firefox already does what he asked

      I use Master Password on Firefox, even though there's no real chance someone will be sat at my PC.

      Why not? It only needs inserting once a session, and means that if someone passes by your PC unlocked, they can't see your passwords in a few clicks. Seems a no brainer to me.

      1. Mage

        Re: Firefox already does what he asked

        And even if you used the password for the session already, you need it explicitly EVERY TIME you display passwords of the saved sites and usernames list.

    4. Wize

      Re: Firefox already does what he asked

      If something manages to get control of your computer (a bit of mallware, for example) one of the first things it can send home is configuration file for your browser (I've moved it around myself when moving to a new machine as it contains your passwords, shortcuts etc)

      If you have set a master password, the file won't be much use to whoever has 'borrowed' it giving you a chance to find and remove the mallware before it records the keystrokes of a password being entered (which you won't anyway as they are mostly stored)

      Gives you that little bit more breathing space should your machine be compromised from outside.

      1. Pen-y-gors



        Presumably some sort of software that emulates an American shopping centre?

    5. Nuno

      html manipulation

      if you go to any page for which you have a saved password, and the browser auto-completes the login form, you can manipulate the html input tag, stating that the input is not of type password, and the password will show up easily...

  2. At0micAndy

    safari too

    yeah, safari does this, too, and very useful I have found it for those rarely used websites. Yes I know about it, yes I have a different password for every logon I need, yes I need a way to remember them, yes this is very very useful, and yes, I use a screen saver, with an auto set of a few minutes. No, please do not take this feature away, yes do teach people to lock their screens.

    1. simon gardener

      Re: safari too - But it REQUIRES the users system password

      Safari requires the user password - just like the keychain does. Without the password all you can see are a list of the sites you have passwords stored for and a bunch of dots.

  3. Anonymous Coward

    how is this new?

    1. MrT

      For Firefox at least... it's not even hidden - there's a button on the Options>Security tab to show saved passwords, right under the option to use a Master Password. IIRC it's been there for a few years. I think the issue here is more about the form in which the passwords are saved - e.g. if they can be grabbed remotely or accessed via another computer.

  4. T. F. M. Reader Silver badge

    Things we take for granted...

    I never knew - or considered the possibility - that Firefox would save site passwords WITHOUT setting a master password first. Seriously, it just never occurred to me that such insanity was possible.

    And am I reading this right? Chrome does not even allow a master password??? And Safari allows another application to slurp cleartext passwords en masse without prompting for a master password, either? I don't use either browser for unrelated reasons, but... DAMN!

    The argument that if someone momentarily has physical access to your computer then all is lost is BS. That someone is more likely to be your kid or an even more clueless coworker than an NSA superspy with a password-cracker-on-key gizmo, so even mild additional protection is worthwhile. And limiting security to the perimeter is a lousy practice.

    Out of curiosity, I od'ed the signon.sqlite and key3.db files in my firefox profile on my laptop. I saw the sites for which I have saved passwords (e.g., The Reg), but nothing resembling the passwords themselves, so apparently they are not stored in cleartext. I don't know how hard they would be to crack, but I doubt someone who sneaks into my office for 30 seconds can easily do it on the fly. Well, he/she can dump the profile onto a disk-on-key and do it later, granted, but no, I never leave my desk without locking the screen at least, either.

    So, KILL!

    1. Natalie Gritpants

      Re: Things we take for granted...

      > I od'ed the signon.sqlite and key3.db files in my firefox profile on my laptop. I saw the sites for which I have saved passwords (e.g., The Reg), but nothing resembling the passwords themselves, so apparently they are not stored in cleartext.

      They are scrambled and if you know the key you can decrypt them. The key is in the source code and probably google-able. However, if you use a master password the site passwords are scrambled with that, which makes it much harder to crack.

      You could try looking through firefox's memory for the passwords or even the master key but that requires super-user privilege and shouldn't be possible unless you run as root or admin.

      You could try hunting through the hibernation image but then you should not hibernate a machine without full disk encryption.

      You could dump the machine in a liquid nitrogen bath, pull out the memory cards and go through them but it's probably cheaper and quicker to just threaten the owner of the said machine.

      1. Barche

        Re: Things we take for granted...

        Actually, this is not how it works. There is a randomly generated encryption key for all the password store:

        Setting a master password protects the above key, so you need to enter the password to access the master key to sync with a new device or to see any stored passwords:

        1. joed

          Re: Things we take for granted...

          So basically encryption is very similar to FireFox sync server - seems nice and works just fine. Especially that just like with password file that's stored locally you can setup your own sync server (not super easy but even noob like me can follow step by step instructions and figure out/fix mistakes) and copy all your passwords onto android without using any facility that NSA has direct access to;

          FF is really great the way you can copy profile folder between PCs and have all your settings, tabs etc transplanted. Compare this to IE ... - obviously no master password (it used to be trivial to leech saved passwords, not sure for newer versions).

          I guess for all other browser there's always lastpass - they do seem to have reasonable security

  5. Alex in Tokyo

    Can I choose 'All of the above'?

    Don't let people have physical access to your private machine, or at the very least make sure that they're using a separate or a guest account. Don't save your passwords on a shared machine. *Shrug*

    That said, people should be aware that the capability to display saved passwords exists, and factor that into the assessment of whether to save a given password or not. *Wary*

    That said, how hard would it be for Google to add the option to require a master password in order to display the saved details? It's a no-brainer and they should fix it. *Kill*

    1. Captain Scarlet Silver badge

      Re: Can I choose 'All of the above'?

      I second, a bit of everything.

      I can't understand why it's even needed, if I can't get on I use the password reset features of whichever service it is.

  6. julianh72

    Of course, if they've got access to your desktop and browser, they've got your Gmail, Email, etc, along with all the documents stored on your hard drive, the Word document you store all your bank account details and passwords in, your DropBox account, ...

    Nevertheless, it would seem to be a no-brainer that a master password should be required to access any security-related data.

  7. bigfoot780


    Disable/don't use the feature. It won't take long for someone to find which file in chrome/firefox stores passwords. Either that or 2 factor auth everywhere.

    1. Charles 9

      Re: simple

      Thing is, the stored passwords are encrypted, and the key is generated per profile. A master password encrypts the key as well.

  8. ratfox

    An optional master password would be nice

    Though to be honest, I've never used the feature. Partly because it feels unsafe, partly because I prefer to remember all my passwords, in case I'm using a different system where they are not saved. If you let your computer remember all your passwords, it feels awfully easy to forget them.

  9. dajames

    That's not the issue.

    A stricter view would be that it is a security flaw that browsers can store passwords at all. I never use that feature myself.

    If the browser has access to your passwords (possibly after entering a master password once) then malware running on a web page could conceivably obtain a list of the sites you visit and your passwords for those sites and mail them off to its evil creator. This is surely not a price worth paying for the minor convenience of not having to type a password (or cut/paste it from an external password safe application) once in a while?

    I find that if I have to enter passwords by hand every once in a while I stand a chance of remembering them when I need to ...

    1. pPPPP

      Re: That's not the issue.

      The problem is when you have logon credentials for various forums, like this one. You can either re-use the same password across them all and remember it or store it in the browser (hopefully encrypted). You're not likely to be able to remember separate credentials for each and every site.

      This doesn't mean that you need to save your bank details in the browser. I don't save anything financial, but I do save web site logins.

      1. Neil Barnes Silver badge

        Re: That's not the issue.

        Except that the majority of fora and similar sites maintain the local 'remember me' password in (presumably) cookies... they don't go near the Firefox local store.

        I can't see any reason for storing passwords for remote sites on the browser, and have 'never remember passwords' selected at all times. I certainly wouldn't use a local store for e.g. bank passwords.

      2. Steve Renouf

        Re: That's not the issue.

        "This doesn't mean that you need to save your bank details in the browser."

        Hmm... Interesting.... My banks don't allow the browser to remember the logins, even if I wanted them to.

        1. pPPPP

          Re: That's not the issue.

          It's actually the browser that does that. Banks use https and browsers tend to not allow you to save passwords for those sites.

          1. Charles 9

            Re: That's not the issue.

            They tend to now since more sites switch the login screen to https, meaning a stored password won't be useful in your scenario because more sites will be already in secure mode.

  10. FredBloggsY

    So Chrome's approach is that if someone's got to your desktop you might as well hand them your bank account and other passwords, too, because they're worth it?

    I love some of Google boy's phrases:

    - I appreciate how this appears to a novice

    - and while you're certainly well intentioned, what you're proposing is that that we make users less safe than they are today

    - providing them a false sense of security and encouraging dangerous behaviour

    ... he just failed to realise to whom they apply.

  11. Destroy All Monsters Silver badge

    Gnome Keyring..

    KDE Keyring...

    Eclipse secure password storage....

    Same here. Unification would be nice though.

  12. Anonymous Coward

    Lastpass ?

    I disabled Chromes built in password manager, and use Lastpass.

  13. Version 1.0 Silver badge

    The sky is falling, the sky is falling!

    Here we go again - what is it with you people? If security is important then log in and log out and have a guest account set up for your friends. But you could ask yourself why this is even an issue?

    It's because we have stupid "password policies" that make it impossible to create passwords that we can remember and force us to create passwords that can't be memorized and must be saved or written down. So now you want passwords to protect passwords?

    I write mine down on a sheet of paper and keep them under the keyboard - and no, I don't give a shite.

    I just don't write them in English.

  14. Ben Rose

    Not concerned..

    Multiple user profiles have been in "domestic" flavours on Windows since Windows ME. During first time set-up of a new PC they have positively encouraged people to have multi-user logins, with their own wallpaper etc. It works well and your desktop etc. are stored in an area that is off-limits to other users.

    I share my PC with a wife and 2 children. Can they see my saved Chrome passwords? No.

    1. Not That Andrew

      Re: Not concerned..

      While the feature has been available since Win95 actually, Windows has _never_ encouraged users of the desktop version to create multiple user profiles. If that were the case it would require you to create a separate admin account and user accounts during setup instead of just (since 2K or XP IIRC) requiring you to set up one account and silently giving it admin privileges. Which I suppose beats 95 and 98's way of just dumping you into what passed for an admin profile on those glorified DOS shells and expecting you to set up passwords and booting to the login screen yourself.

      1. Anonymous Coward

        Re: Not concerned..

        That'd be the login screen where, if you clicked Cancel, it let you in anyway? Mmm. Good job, Microsoft.

      2. Ben Rose

        Re: Not concerned..

        Multi-user has been available since Windows 95 but not until ME did they actually have separate NT style profiles. e.g. c:\documents and settings\username\etc

        This type of profile allowed different settings to be stored easily for each user and, in the case of Chrome, would mean two entirely separate password repositories in different folders.

  15. DrXym Silver badge

    I don't see it as an issue

    If you tell your browser to save your passwords, then that's exactly what it will do. So whether you can "see" them or not through the UI, they are sitting there on disk in a form which anyone can lift and peruse to their heart's content.

    So perhaps the browser should encrypt them, e.g. with a key which is generated into the browser profile folder? Well yes it could but then the thief could just steal the key too.

    So hiding passwords from the UI might I suppose protect them from your sister's glances but that's about the sum of the security such a measure would offer.

    The best way to protect passwords is to not save them at all. And if you do save them (e.g. for the 1000-1 throwaway forum / site accounts) protect them with a strong master password. And on top of that practice security in other ways, i.e. set your computer to screen lock after inactivity, set up another account for other family members, use stronger, unique, unsaved passwords for sites you don't want to be compromised even if all the throwaways were.

  16. kabadisha

    I would argue that most people who use this feature (viewing saved passwords) do so because they cannot remember their password because they don't have to as Chrome is storing it for them.

    So putting a master password on it basically defeats the point of it. Older generations (my not so old parents included) see passwords as a tedious irritation, not a critical security credential which they must remember like their PIN number.

    IMO we need to ditch passwords and move to key based auth for everything. Someone just needs to come up with a suitable implementation.

  17. kabadisha

    Also, how many people do you know who are issued with a dog-slow encrypted disk laptop who have the password written on a post-it stuck to the palm rest?

    Passwords are fail for Average Joe

  18. Nick2039

    The only reasonable objection to this is that if they do provide a master password, then when people realise that this isn't a cast-iron guarantee of security Google will crop another dusting.

    Solution: when Chrome offers to save your passwords (for the first time) or when someone sets the master password, just put up a damn dialog box warning that it's only superficial protection.

  19. mark l 2 Silver badge

    Having a master password set is not going to stop someone with physical access to your computer being able to get access to your email, facebook or whatever other website you have saved the password for, and then it's a trivial extra step to do a password change and they have your info anyway.

    It is worrying that you can access it with just a local url in chrome though, as I guess in theory a cross site scripting attack could reveal it to a hacker if they convince you to open that url while having some dodgy website open.

    1. Anonymous Coward


      I have solved half this problem. The email send system on this computer doesn't work! Plusnet! Also, doesn't use internet banking, no credit card numbers, no Facebook or any other vanity social network and an obsolete browser which is uncommon and has distinct foibles. Anyone is welcome to try to access the unwanted passwords required by some sites to view their content. Half the people I know with internet banking have had their accounts hacked in the past, maybe it has improved now. Any online purchases are made only with another dedicated non standard Linux machine, not used for browsing, which reduces the risk.

      I learned from the defense industry that internet access is a no no for a secure environment and systems required to be secure should have dedicated connections and unique software.

  20. Adam T

    Passwords, PINs, 4 digit numbers, 5 digit numbers, combinations there-of, the last four digits of my bank card, expiry dates, security codes, pet's first name, favourite dog food.

    Dystopia here we come.

    1. Adam T

      In fact no! I'm not finished...

      Passwords that start with a capital letter, passwords that contain non-alphanumeric characters, passwords that contain alpha-numeric characters *except* for one particular character, passwords that need a mix of characters and numbers, passwords that can't start with a number, passwords that have to be over 7 characters...16 characters...32 characters long... password fields that won't accept more than # characters...passwords that need at least 2 capitals and 2 numbers, passwords that can't contain a real word, ad infinitum...

      And how many people have lost email accounts with services tied to them? Even better, services tied to re-distributed email accounts (like hotmail). How often have you clicked on recover password, and wondered why you haven't got the recovery email yet...and the paranoia creeps in that some other bugger with your old email address is getting access to whatever it is you were trying to log into.

      It's not just browsers that are dangerous, it's passwords as a whole. 15 years ago, we had no idea we'd need so many, that we'd rely on all of this so much. I can't wait for smartphones with fingerprint sensors, because you know I'll probably forget to wear oven gloves taking the rock cakes out of the cooker the day I get one...

      1. Neil Barnes Silver badge

        passwords - no idea we'd need so many

        That's just it - we *don't* need so many. It's just all those idiot websites that unnecessarily insist on registration to (e.g.) purchase, and in a couple of cases I've come across, even to see the bloody prices!

      2. DropBear

        There's a neat way around that - at least in theory: google "InputStick". Ok, you can't actually buy it yet (soon, hopefully) but that's not the point - it's the idea that I like. It removes the need to store or remember passwords anywhere except on your phone, and at the same time it lets you use and enter appallingly complex and strong passwords with relative ease, on pretty much any computer, without having to install anything on it (fine, not on computers that disable USB HID devices but those are pretty rare, and you still can simply ask the app to show you the password and enter it by hand). Granted, it's still your responsibility to secure the stored passwords on your phone, but that doesn't sound impossible to do. Oh, and I'm not directly related to IS in any way - I'm simply a fan...

  21. dogknees

    Some responders are suggesting that someone could use this to get to your bank account. If you're going to a https site, Chrome will not save the passwords for you. I'm prompted for passwords to my bank, paypal, and other secure sites.

    So, the problem is nothing like as big as some are making out.

  22. Anonymous Coward

    This has been in Chrome for some time...

    ... I swapped from FireFox a while ago since it seemed to be performing better at the time, while I was setting up I noticed there wasn't a master password, and although this isn't a perfect solution against physical access to the machine, I doubt the people I live with have the knowledge to bypass it, unlike a "Show Password" button.

  23. Zimmer

    Settings... Advanced

    Untick the box that says ' Offer to Save Passwords I Enter on the Web'.


    1. Not That Andrew

      Re: Settings... Advanced

      I agree, but it really shouldn't be hidden under advanced settings.

      1. John Hughes

        Re: Settings... Advanced

        Nothing should be under "advanced settings".

        "Advanced settings" is the work of the devil

  24. This post has been deleted by its author

    1. JimmyPage

      Re: This is working as intended

      I think the issue is one of *scale*. There's a world of difference between having unrestricted access to a machine (e.g. if you have stolen it, or the owner is absent for any length of time) and having a couple of minutes while someones gone on a comfort break.

      That said, you should *always* lock your screen when away from your desk. I've known some firms mandate this and discipline people if they leave their screen unlocked.

      1. Charles 9

        Re: This is working as intended

        The thing is that (1) a well-practised malcontent can probably pwn the machine within a minute of getting their hands on it with help from a handy USB key or something like that, so length of time may not be a factor when it comes to physical access. Plus (2) there are plenty of scenarios where one could get the machine INTENTIONALLY unlocked, such as to "borrow" the browser for JUST a minute...

    2. John Hughes

      Re: This is working as intended

      "If I have access to your computer it's game over."


      " I can go to certmgr.msc and steal client certificates, insert trusted certificates for fake sites."

      No, you don't have root access.

      "I could boot up a backtrack live CD and add an administrator account to windows,"

      Not running windows. If you reboot my machine you can't access the disk 'cos you don't know the decryption key.

      "deactivate your AV and add a rootkit, then poison your DNS by going to your hosts file."

      No, you don't have root access.

      "I could just copy netcat onto your machine and run it with nc -l -e cmd.exe -p 9999 and I have a backdoor into your machine.... "

      Yes, you could do this. You'd have access to all my local files. Wouldn't be able to get my files from the NFS server 'cos you don't have a kerberos ticket.

      "I could change your proxy settings to go through a client proxy I've setup, and then accept all the certificate alerts as "trusted".... now I can see all your SSL connections with passwords included in clear text."

      Yup, you could do that.

      In other words you could do nothing bad to me if I lock my screen.

      Memo to self - keep locking screen when away from desk. Also makes sure boss can't see the porn I'm reading when I'm supposed to be working.

  25. kyza

    How hard is ctrl-alt-delete > lock computer?

    Too hard for most *users* it seems.

    1. AlexanderUK

      On most windows computers it's even easier than that:

      (Windows Key) + L

    2. kabadisha

      Pro Tip:

      Hit Windoze key + k to lock your screen when you walk away. Not sure if it works on Win8, I switched to Mac.

      1. John Hughes

        Re: Pro Tip:

        control+alt+L for Gnome users.

        Isn't it windows+L on windows?

        1. kyza

          Re: Pro Tip:

          You don't want to confuse users with things like the window key. IME most of them get scared by numlock being switched on.

  26. mistersaxon

    There's some silliness here

    All these password safe stores are designed to disburse the password when you go to the site - automatically and without intervention. IF you set a master password Firefox will ask you for it on the first site you visit which has a stored password and then not again until you close / reopen the browser. So, without going into Prefs and browsing the list you only need to go to the site you are interested in (Apple, Amazon, what have you) and let the system log you in automatically.

    And in IE10 it's even easier than that because if you click the little Eye icon in the password field it is shown in clear text - no registry hacks or 3rd party tools needed. For any browser that stores passwords and is left unlocked and running, just go to the site and let it log you in. Do your harm there and then.

    Only Firefox makes even a stab at protecting these assets once stored and that is carefully balanced against the usability of the feature. There is no option to require you to input the master password on every use so if you wander off leaving your laptop unlocked you do need to close the browser first!

    Realistically the danger is that the laptop will be stolen and the passwords retrieved from it. In which case the fact that the passwords are put into the website for you is the same for all browsers - whether the password is known or not the site is still compromised. Moral of the story: don't save passwords in your browser unless you are prepared to accept the consequences. Do users understand this? Well, most of them CAN understand it if it is pointed out to them, but most don't think about the risk of losing the laptop or of leaving it unattended. The tool is fit for purpose, the users - less so.

  27. John 73

    Users aren't the real problem

    What woke me up to the real problem was installing LastPass. It could slurp all the passwords I'd stored in Firefox (usernames and passwords, indeed) and import them. Indeed, it actually makes this point explicitly during the installation - if LastPass can do this as a normal extension, so could any other extension.

    Your passwords are not secure stored in any of the main browsers, whether from other users or from malicious code. The only answer is to remember all your passwords yourself (unlikely for most of us), use LastPass/OnePass/whatever service to store them, or use a local secure keyring if your browser will play nicely with it.

    1. Roland6 Silver badge

      Re: Users aren't the real problem

      The question does arise as to how a user gains clear text access to their various passwords, when stored in a password manager and how this differs from Chrome.

      I've an IBM Thinkpad and have used the ThinkVantage Password Manager. Whilst this stores the passwords in an encrypted file, once I have logged on (biometric and/or password) I can freely access the database and get it to display individual passwords in clear text. Unlike Chrome it even gives me an Export/Import facility, so I can dump the entire database to an (encrypted) file and load it into TPM on another machine.

      Hence the real question is whether the chrome://settings/passwords page can be read by a third-party webpage script.

  28. JDX Gold badge

    Never knew that

    Now when I run into the common scenario that I can't remember my password but Chrome can on one of my PCs, I can actually get the darn thing back.

    1. Caesarius

      Re: Never knew that

      Because I know the passwords are there, I have fallen into the error of thinking that everyone else knows too. If you, experienced as you are, did not know, then that helps me to see that it is more serious. But, of course, you probably treat an unlocked screen as a liability, so you are safe by other means. Therefore I recommend educating the masses to be much, much more wary.

      Cf. the GP in the 1980s who thought that sending patient details down a phone line with a modem was secure because it was digital. He never thought that because the intended recipient could read it then so could any eavesdropper!

  29. Anonymous Coward

    Been in Firefox for years

    ... at least since version 2.

    I have been using this handy feature to sabotage co-workers for a long time and I always thought Mozilla were insane to allow this.

    *steeples hands* My plans for world domination are proceeding apace.

  30. John B Stone

    Make it a write only store?

    Why not make the passwords not viewable (and encrypted)? It appears most users don't know they are even there in any case.

    The only times I have used it are when I couldn't immediately remember/find a password and needed it on another device/browser, and that only a handful of times over the years.

    This has made me consider using a stupidly long and complex password to protect them and then throwing away the password (in Firefox).

  31. Unicornpiss

    In other news...

    If someone walks into your unlocked house, they can steal everything that isn't nailed down, including all your personal documents.

    Firefox lets you set a master password to access your stored passwords, as everyone here knows. Should there be some sort of warning to make you consider setting one when you ask your browser to save passwords? Probably. But really you're complaining about user stupidity - the lock has been provided by Mozilla, and you're blaming them because people are too dumb to use it.

  32. Anonymous Coward

    Avoid Chrome at all costs anyway

    I installed it on Linux only to find it requires the chrome-sandbox process to be setuid root and it won't run without it. Well sorry, but no browser on my system is running with root privs so it was deleted ASAP and I won't be going back anytime soon.

  33. Colin Miller

    It would be better if the browser had options to

    1) Forget the entered master password now.

    2) Auto-forget it when the screen saver engages.

    3) Auto-forget after nnn minutes of inactivity in the browser.

    Thus if you leave your machine alone miscreants will find it harder to log into your accounts.
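As an added illustration (not code from this thread or from any browser), here is a master-password cache with the three "forget" behaviours proposed above: forget now, forget on screen lock, and forget after a period of inactivity. The key is derived from the master password with PBKDF2 and checked against a stored verifier, so a wrong password can be rejected without keeping the key on disk; the iteration count and the injectable clock are constructed for the example.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # constructed value; a real store tunes this to the hardware


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def create_store(master_password: str):
    """Set up a new store: a random salt plus a verifier MAC computed with the key.
    Only salt and verifier are persisted; the key itself is never written to disk."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    verifier = hmac.new(key, b"verify", hashlib.sha256).digest()
    return salt, verifier


class MasterKeyCache:
    """Holds the derived key in memory only while the user is active.

    forget()         -> option 1: drop the key immediately
    on_screen_lock() -> option 2: drop it when the screen saver / lock engages
    idle_timeout_s   -> option 3: drop it after N seconds with no auto-fill request
    """

    def __init__(self, salt: bytes, verifier: bytes, idle_timeout_s: float,
                 clock=time.monotonic):
        self._salt = salt
        self._verifier = verifier
        self._timeout = idle_timeout_s
        self._clock = clock  # injectable so the timeout can be tested deterministically
        self._key = None
        self._last_used = 0.0

    def unlock(self, master_password: str) -> bool:
        """Re-derive the key and accept it only if the verifier matches."""
        candidate = derive_key(master_password, self._salt)
        check = hmac.new(candidate, b"verify", hashlib.sha256).digest()
        if not hmac.compare_digest(check, self._verifier):
            return False
        self._key = bytearray(candidate)  # bytearray so it can be overwritten on forget()
        self._last_used = self._clock()
        return True

    def key(self):
        """Return the key for an auto-fill, or None if locked or idle for too long."""
        if self._key is None:
            return None
        if self._clock() - self._last_used > self._timeout:
            self.forget()
            return None
        self._last_used = self._clock()
        return bytes(self._key)

    def forget(self) -> None:
        """Overwrite the in-memory key and drop it (option 1)."""
        if self._key is not None:
            for i in range(len(self._key)):
                self._key[i] = 0
            self._key = None

    def on_screen_lock(self) -> None:
        """Hook for the screen saver / lock event (option 2)."""
        self.forget()
```

Until the next unlock(), every auto-fill request gets None, so the browser has nothing to hand to a site on an unattended machine.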

  34. Jamie Kitson

    Missed Option

    There is another option: don't show the passwords at all, ever. Why do you need to view a password? If you don't know it, then reset it.

    1. Charles 9

      Re: Missed Option

      Do you know the hoops some people have to jump through just to get a password reset without the original password? Plus what if the account's tied to an e-mail address that no longer exists (and you didn't realize that until too late)? The thing is that password reset can potentially be abused, so they make the process necessarily hard.

  35. Fletchulence


    This is "news"? I've been using it for years.

  36. Lexxy

    Storm in a teacup

    If I knew stating the blindingly obvious (as in "what does this big 'Show Password' button do in my web browser?") would get my blog coverage on all the major IT news sites I'd have done this years ago.

    Food for thought - if this is a bug, and there should be a master password - that implies the encryption of the keystore, which in turn means that the software itself would need to ask for the key (as FF currently does now with a master password set) the first time a user needs to auto-fill a password. As ever, security or convenience, friends - rarely both. I believe though it's the user's choice which they desire here, not that of an internet knee-jerk reaction.

    Why? - let's put this into perspective. The exposure of a typical vulnerability is generally the entirety of the WWW. This is much worse than the exposure of this issue, which is typically going to be your family, friends or co-workers who have actual physical access to your PC. Generally these people can be trusted not to go off and steal your identity/bank/both. Most of the time, anyway. Besides, if they did, you can poke them with sticks, or whatever it is you do when you're mad. The fact is, the likelihood in my mind of this vulnerability being used for criminal purposes is low. It would more likely be used for a prank.

    Many of the readers here know that their passwords are the keys to their IT/enterprise kingdom. The anxiety surrounding these passwords being lost or compromised is the cause of much angst and sleepless nights. Do I want to encrypt my keystore and provide my master password when I log on to my work network? You're damn right. [Shaft, 1971]. Do I want to provide my master password at home when I want to log into Icanhazcheezburger? No, not really. Not that I have a login for Icanhazcheezburger, but hypothetically if I did, I'll be damned if a bunch of internet do-gooders are going to take my right to not have to type a password for pictures of cats+Arial bold away from me!!

  37. Arthur 1


    Is this really new? Malware that harvests the password databases of your web browser goes back as far as some of the first worms. There's a reason you're offered the 'master password' feature, usually with an explanation of why it's there. Granted, most end users have no clue, but really if you're at the point of harvesting saved passwords you have so many other options to totally compromise a user it probably doesn't matter anymore.

  38. User McUser

    This is why...

    the first setting I turn off on a new browser install is "remember passwords" and why I won't log in to anything on a friend's browser outside of that browser's porn mode.

    A password is a secret, and if two people know something, then it isn't a secret any longer. Especially when the second person is your web browser.

    Obligatory related XKCD link:

  39. Shell

    Never understood why browsers didn't password protect this feature. OS X has a similar feature in keychain, but requires your password to display the requested field - which seems fair enough to me.

  40. John Savard


    In order to fish a saved password out of a browser, a hacker should need to:

    1) Mock up a duplicate of the site the password was used to log in to, and

    2) Spoof the DNS or IP address of the site in question

    to get the browser to disgorge that password.

    Not click 'show password'. Yes, maybe getting rid of 'show password' does lead to a false sense of security, since those passwords are potentially accessible, but they should be hard to get at.

    However, there is another side of it, illustrated by the IE case. It's not as if browsers can get by only storing one-way hashes of the passwords; they need to actually have the password itself to use it for a site. So, even if it's encrypted, the key is just lying around as a constant.

    So to change the false sense of security into a real one, you would have to use your master password every time you started browsing, not just when displaying passwords. That might be too much to ask.

    1. Arthur 1

      Re: Ridiculous

      It's nothing to do with 'show password'. The problem is that the password is stored somewhere in order for the browser to know it. And if the password is encrypted, then the encryption key is stored somewhere in order for the browser to know it, and if THAT key is encrypted, then... Get the idea? Your browser is usually never involved in the compromise at all, the password gets read right off the password cache stored on your hard drive by the relevant malware.

      You can't really secure something that lives in userspace from other things that live in userspace, so if the browser has the ability to recall the password, any third party program whose author has reverse engineered the browser also has that ability. You could potentially create an area that only the processes with a certain privilege can read, but it's only a small complication since injecting into another process's memory space is normally trivial.

      The use of a master password feature, btw, is available in many browsers, and that will secure your passwords against this kind of attack. There are also many addons that provide this functionality.

  41. AndrueC Silver badge

    I use Chrome and I'm more concerned that it had three passwords saved. I've never told it to save them. I never want my browser to save passwords. I've always thought it was risky and the more often I type them in the less likely I am to forget them.

  42. InfoSecuriytMaster

    Saved Passwords

    Saving passwords? Should get a warning from the browser. Master Password (which encrypts the local store) is a real simple solution, so why not default? Better yet, use a password manager.

  43. Dan 55 Silver badge

    A bit confused here

    Why is Firefox being tarred with the same brush as Chrome in this story?

  44. raving angry loony

    Physical access?

    If someone has physical access to your computer (either in person or through some sort of remote control software), then you have FAR greater problems than them doing "see passwords" in Firefox or Chrome. That said, I don't keep my passwords in Firefox or Chrome, because it's just one browser and I have to use 3-4 during the course of a session. So I use Keepass. Guess what? You can see the passwords there as well.

    There are far greater issues with security (such as websites typically not allowing truly secure passwords, instead demanding hard-to-remember short passwords that are easily cracked anyway). To focus on this is to lose the plot completely.

  45. Pet Peeve

    Stupid non-story

    Should Chrome have a password on their secure store, like firefox does (if you bother to enable it)? Probably. Is this even vaguely a news story? Not in the frigging least.

  46. robarm

    Why are you storing passwords in your browser?!?!?

    For God's sake, use a password keeper. Hell, write them down and lock them up. Either way is safer and more secure than storing them in an application with zero-factor authentication like a browser. Having said that, should they be displayed in plaintext? Probably not, but encrypting them will require another password that the user is likely to forget.

  47. Morten

    Go to, use it in your browser and smartphones and that is it. Safe, secure, fast and flexible.

    1. Dan 55 Silver badge


      I see what you did there.

  48. Bod

    Never used the 'feature'

    First time the option was added to a browser to save passwords, might have even been IE, I disabled it. No way I'm trusting a browser with passwords for every site I visit.

    It forces you to actually remember the passwords also. More so if you disable the cookies on those sites too, though it's become more impractical the more sites depend on cookies and the wealth of sites that use centralised authorisation through Google, FB, etc. Though at least if you're going for one password to store all your other passwords like in Firefox, then better to have a cookied auth via your Google account to authorise that site, as your Google password isn't stored, only that your session is authenticated, and that expires from time to time and you have to log into Google again, or you can log it out yourself / revoke access to one or all sites.

  49. AlanG

    Silly feature, and silly comment by Justin Schuh

    He says that once someone has physical access to your computer it is game over, so it is a waste of time to put further obstacles in the way.

    This is true if the person is a skilled hacker, but not if they are an ordinary joe. What percentage of the population can crack encrypted passwords?

    The point is that, as things stand now, anyone with average computer skills can open this up in moments, jot down a few useful-looking passwords, and mess up your life. If they were never displayed in plain text, then you are only vulnerable to highly skilled intruders - people who may not even need you to leave the machine unguarded in the first place.

    The "false sense of security" excuse is just nonsense. Up until now we have had a false sense of security because we assumed that people like Justin were doing their job responsibly.

  50. Nasty Nick

    So what? Users are just too lazy - make them pass a test!

    Most users just can't be bothered to use the simple security they already have - ahem there are a few above even amongst the hallowed realms of the El Reg community.

    Basically, security = work. It doesn't come free, even if you don't have to pay cash up front, you'll need to pay in time spent "doing" the security.

    A good rule of thumb is that the more effective the security measures the harder it is to use the things you're securing. The "easiest" security is often overlooked / ignored by the user because your average 'puter punter just isn't bothered / educated enough even to use the basic security features their OS and software already offers.

    Going from the most basic:

    PW protecting OS access / hardware access

    Once the OS is running, have a different user account for each user and enforce use of these with a decent PW policy (and remember any password is better than none).

    Logout / lock the OS whenever you leave the machine - it takes 2 secs max. There is no excuse for not doing this - especially for the more techie amongst us. Leaving your desk? Lock it. At least use an automated screenlock.

    Use a browser that has usable security options including a Master password for saved pw lists.

    I also think it is an issue that Chrome doesn't offer a Master pw feature, but every user has a responsibility to educate themselves enough to safely use the common web tools, even though this is not very straightforward for most people.

    Whose job is it to educate computer users about using sensible security measures for all their PC activities?

    Given how much of our lives are dependent on and conducted via the Internet, and the fact that Government is now forcing us to use it to interact with its various departments, we're probably at the stage where some kind of compulsory education is in order.

    Maybe the long forgotten computer driving licence should be brought back to life, and only those who have "passed" should be let loose with a "proper" PC which you set up and configure yourself.

    All those unable to pass the test should be only allowed to use a special, "authorised" pre-configured device designed especially for Internet "Learners".

    Maybe that device will have a real, proper physical key they have to insert in order to use the machine, and maybe they have to turn the key if they want to do anything at all risky. And it should come with a lockable paper notebook to write all the passwords in.

    Er, that's it.

  51. R.P.Charlie

    Passwords are kept

    in my head, not in the browser.
