W3C home > Mailing lists > Public > www-archive@w3.org > August 2013

Re: Showing stored passwords Re: Tweet about Passwords

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 28 Aug 2013 19:50:28 +0000 (UTC)
To: Tim Berners-Lee <timbl@w3.org>
cc: www-archive <www-archive@w3.org>
Message-ID: <alpine.DEB.2.00.1308281926400.28417@ps20323.dreamhostps.com>
On Thu, 22 Aug 2013, Tim Berners-Lee wrote:
> On 2013-08 -15, at 23:54, Ian Hickson wrote:
> > On Thu, 15 Aug 2013, Tim Berners-Lee wrote:
> >> 
> >> Only Chrome, AFAIK.  FF, Safari both ask for a password.
> > 
> > Firefox doesn't ask for a password for >90% of users.
> Fair point.
> > Chrome, IE, and Safari all use the OS system password service.
> > 
> > I don't understand what you think is the difference between the 
> > browsers here.
> Only Chrome allows a passer-by to see the passwords in the clear without 
> any challenge.

No, that's not accurate.

* it's not just passers-by, it's only people to which you give physical 
access to your machine -- the same people who would have the trivial 
ability to install keyloggers, snoop through your personal files, and 
anything else you can do to your own machine.

* it's not just Chrome. All browsers let you access autofill passwords, 
some just make it more involved than others (but none require you to enter 
a password). You just go to the site for which you want the password, the 
browser prefills the password, and then you just take it out of the 
password field (e.g. using built-in debugging tools).

* even if we're only talking about the passwords configuration page -- and 
I don't know why we would -- Firefox has the same UI for >90% of users.

In any case, Chrome _does_ have a "master password": it's the same master 
password as your computer account. If you lock your screen, or log out, 
the passwords are protected. (Note that this is not the case currently for 
over 90% of Firefox users, where the passwords are unencrypted at rest, 
which means that they need only get access to the disk, e.g. from another 
user account, to read the passwords. You can't do that with Chrome, which 
uses the system keychain service.)

> > Or, even without such software, you can just go to the relevant site, 
> > have the browser automatically log you in,
> Well, in a lot of places with say teenager culture or work groups, if 
> you leave your computer open you know people will read your facebook and 
> may even send messages as you largely for fun.
> It is a different damage level of security failure for someone to get 
> hold of the password and be able to log in and stalk them at any time in 
> the future.

I don't understand why you are concerned about these untrustworthy people 
accessing your passwords but not worried about them installing keyloggers 
or reading your e-mail.

> There are two levels of social impediment here.
> One, even a trivial bookmarklet or software out there on the net a huge proportion 
> of computer users won't know or care about and wouldn't think of using.
> It may be simple but it is not "trivial" in the sense of "effectively zero"  to load a bookmarklet.  

A huge proportion of computer users won't know or care about the advanced 
settings passwords page either. Case in point, you presumably didn't know 
about it until you saw the blog post.

Why is the advanced settings of Chrome less of an impediment than a quick 
Web search for "key logger"?

> The second level is social.  If a person have borrowed a colleagues computer
> and looked at passwords using the feature for that purpose they may
> feel that they were not doing anything very seriously wrong,
> as the user didn't really have any expectation of privacy in that case,
> as the password was not hidden.

The password is hidden, you have to go deep into settings and click a 
button to show it.

Are you seriously arguing that people think it's ok to go into settings, 
then advanced settings, then view passwords, then ask to see the 
passwords, and that that's not less ethical than going to someone's e-mail 
provider and reading their e-mail?

> > Fundamentally, if you have physical access to the machine, asking for 
> > an additional password doesn't do anything to stop you.
> That's not quite accurate.
> It clearly does do *something* to stop you.
> We are talking a question of degree.
> It asks for an additional password.
> That is an impediment.

It's really not. You are deluding yourself if you think this is providing 
any extra security.

And that's the whole point: that's why Chrome _doesn't_ ask for a 
password. Because asking for one deludes people into thinking it's 
providing any sort of security, which it isn't.

Asking for a password here is *actively harmful* because it gives the 
illusion of security.

> I haven't tried to use Firefox without a master password. I haven't 
> tested whether they are stored encrypted on the disk. I know that using 
> the basic UI in my case Firefox prompts me for a master password at the 
> start of a session for using them, and once every time before revealing 
> them. Which is what I want.

Then you are asking for the illusion of security.

That's your choice, for sure, but it would be helpful if you could not 
make public statements shaming specific browsers for being more 
transparent in not giving you that illusion.

> > If you don't trust your colleagues or family members to not snoop on 
> > you, you _really_ shouldn't be giving them access to your computer.
> That sort of statement is emotional and not practical.

On the contrary, it's a reality.

> What do you mean by "trust"

Have confidence.

> what to you mean by "access"

Physical control.

> which do you mean by "colleagues"?

Anyone, really.

If you don't have confidence that someone is not going to snoop on you, 
then it is the height of recklessness to give them unsupervised physical 
control over your computer.

> > It doesn't take a "hardened black hat". The software you need to do 
> > this kind of thing is widely available online, and one's sister would 
> > have no trouble finding it.
> The fact that it is available to anyone online is true. An arbitrary 
> user taken off the street would probably not dream of downloading and 
> using it.

An arbitrary user taken off the street would probably not dream of 
snooping into people's passwords either.

> Of course , if you say Google has done the studies and got the data and 
> most users stopped in the street and asked about his would say "Sure, 
> I'd just grab a keystroke recorder or grab a bookmarklet to look at the 
> DOM a-- i know how to find it seconds", Sure but I'd like to see the 
> study.

Do you have a study showing that people think a key logger is unethical 
and they wouldn't do it, but that going into a browser's advanced settings 
and snooping on someone's passwords is fine and dandy?

> But maybe it turns out that the majority of users haven't the faintest 
> idea what a bookmarklet is and tilt their head on one side when you 
> start talking about settings menus.

If they "tilt their head on one side when you start talking about settings 
menus", which I will happily concede, then they couldn't get your 
passwords in Chrome, whether or not there was a password prompt. So this 
implies your concern isn't valid in the first place.

> > Pretending that you have protected the system by asking for an 
> > unnecessary password doesn't improve security, it's just security 
> > theatre. Indeed, it is probably counter-productive: it makes the user 
> > think it's safer to hand the machine to someone else than it actually 
> > is.
> And the users who have never yet gone to the Chrome password settings, 
> they have used Safari for most of their lives to date?  You have made 
> their machine without letting them know.

This is false. Chrome doesn't have access to your system keychain unless 
you explicitly give it access to the system keychain. (If it did, then 
that would imply there was a security bug with the keychain service.)

I would request that you please post a retraction of your tweet, or even 
an apology, or at least post a clarification that explains that:

 - If you're giving users unsupervised physical control of your computer,
   them having access to your passwords is the least of your troubles,

 - By your own admission, people are not likely to know how to do this in 
   the first place, and so this is a non-issue,

 - Every browser gives any user access to their passwords if you just
   go to the relevant site anyway (password autofill).

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 28 August 2013 19:50:53 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:44:22 UTC