Re: Tweet about Passwords

I don't think I really need to elaborate on my tweet.
It pointed to a blog post by Elliott Kember
which describes how Chrome specifically allows a
user to see their stored passwords at any time
without any extra verification that it is not someone
else, such as a family member, with temporary access to the computer.

Only Chrome, AFAIK. FF, Safari both ask for a password.
The attack is by colleagues, members of family, etc, not by hardened black hats.

I was very surprised both by the bug and the tone of the response
from the Chrome team.

Tim


How to get all your big sister's passwords http://blog.elliottkember.com/chromes-insane-password-security-strategy … and a disappointing reply from Chrome team.


http://blog.elliottkember.com/chromes-insane-password-security-strategy :



_______________________________


Elliott Kember

Chrome’s insane password security strategy

Aug 6, 2013
Chrome does something interesting when you first run it.


The other day, I was using Chrome in development for an Ember.js app. I use Safari for day-to-day browsing, but it has a habit of aggressively caching files when I least expect it, so from time to time I switch to Chrome.

I decided to hit Chrome’s “Import bookmarks now” link and see whether I could import my bookmarklets from Safari, so things would be nice and consistent between the two browsers. I didn’t expect this:



This struck me as particularly odd. Why is “Saved passwords” greyed out, and mandatory? Why have a check-box? This is the illusion of choice. I think it’s deeply misleading, and this is why:

This is a page in Chrome’s settings panel:



See that “show” button? It does what you think it does.



There’s no master password, no security, not even a prompt that “these passwords are visible”. Visit chrome://settings/passwords in Chrome if you don’t believe me.

There are two sides to this. The developer’s side, and the user’s side. Both roles have vastly different opinions as to how the computer works. Any time I try to draw attention to this, I get the usual responses from technical people:

	• Just use 1Pass

	• The computer is already insecure as soon as you have physical access

	• That’s just how password management works

While all of these points are valid, this doesn’t address the real problem: Google isn’t clear about its password security.

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market - the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay.



This dialog is even more misleading. By using words like “confidential information” and “stored in your keychain”, OSX describes the state of your saved password’s current security. It’s the very security Chrome is about to bypass, by displaying your passwords, in plain-text, outside your keychain, without requiring a password. When you visit a website, Chrome prompts for every password it can find for that domain.

Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.

I bet you it won’t be “That’s how password management works”.

Updates:

Justin Schuh, who is head of Chrome security and called me “a novice”, says I’m wrong, and that this is not going to change.

Sir Tim Berners-Lee is with me. Is there a higher authority?

This is Google’s page on “saving passwords”. Nothing about this feature. Why?

Covered in the press by:

	• The Guardian … twice.

	• The Independent

	• The Telegraph

	• Reposted on Mashable and Gizmodo

	• Accidental Tech Podcast nailed it

	• Wired didn’t read the article properly

	• Thomas Fuchs drew an excellent diagram

________________________________________________________________
https://news.ycombinator.com/item?id=6166886 :

justinschuh 9 days ago

I appreciate how this appears to a novice, but we've literally spent years evaluating it and have quite a bit of data to inform our position. And while you're certainly well intentioned, what you're proposing is that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior. That's just not how we approach security on Chrome.



On 2013-08-15, at 13:48, Ian Hickson wrote:

> 
> Hey Tim,
> 
> Someone asked me about your recent tweet:
> 
>   https://twitter.com/timberners_lee/status/364839351651274752
> 
> Specifically, they were wondering if your concern is specific to Chrome or 
> if it applies to all browsers. I wasn't exactly sure what your concern 
> was, so I figured I would reach out to you to find out. Can you elaborate 
> on your tweet?
> 
> Cheers,
> -- 
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
> 

Received on Friday, 16 August 2013 03:29:20 UTC