We can do better – Please fix plaintext credential storage in Chrome (opens in new tab)

(medium.com)

13 pointsshayanjm10y ago6 comments

6 comments

This article is simply incorrect. The passwords are only stored in plaintext when there are no OS-level or desktop environment options available to protect them.[0] In the absence of such a system where exactly do you expect Chrome to store the encryption key for the list of passwords?

[1] https://code.google.com/p/chromium/wiki/LinuxPasswordStorage

edit: Apparently there are people that run either incredibly old versions of chrome or don't run a keystore daemon and actually upload all of their dotfiles to github so I guess that part is technically accurate.

shayanjmOP10y ago

Off the back of a napkin - the key should never be stored anywhere first of all. In the absence of keyring/keychain/etc., it'd be trivial to introduce a masterpassword implementation in the browser client which is XOR'd with secret credentials and stored as such.

Obviously not a 'secure' system by any stretch of the imagination but it's an order of magnitude better than storing in plaintext.

sbierwagen10y ago

Okay, so it's possible someone might accidentally publish their passwords with an unwise git commit, but has anyone actually done this? Can anyone point to a real life example?

shayanjmOP10y ago

Yes! There are tons of accidentally-uploaded profiles on github, for instance. Search for the readme string and you'll see a number of very dangerous commits.

ufoolme10y ago

Once the attacker has the username, password and access to the computer, the game is already over. I can't see how adding anything on top is nothing but smoke and mirrors.

shayanjmOP10y ago

As addressed in the post - there are no mitigating factors in the scenario of accidental exposure. The lowest hanging fruit would be a dumb hashing function which uses some master password.

If you've been hit with an OS compromise you're pretty much SOL, but it shouldn't be so easy to grab highly sensitive data from accidentally exposed profiles.

j / k navigate · click thread line to collapse

6 comments

mukyu10y ago

[1] https://code.google.com/p/chromium/wiki/LinuxPasswordStorage

shayanjmOP10y ago

Obviously not a 'secure' system by any stretch of the imagination but it's an order of magnitude better than storing in plaintext.

sbierwagen10y ago

Okay, so it's possible someone might accidentally publish their passwords with an unwise git commit, but has anyone actually done this? Can anyone point to a real life example?

shayanjmOP10y ago

Yes! There are tons of accidentally-uploaded profiles on github, for instance. Search for the readme string and you'll see a number of very dangerous commits.

ufoolme10y ago

Once the attacker has the username, password and access to the computer, the game is already over. I can't see how adding anything on top is nothing but smoke and mirrors.

shayanjmOP10y ago

As addressed in the post - there are no mitigating factors in the scenario of accidental exposure. The lowest hanging fruit would be a dumb hashing function which uses some master password.

If you've been hit with an OS compromise you're pretty much SOL, but it shouldn't be so easy to grab highly sensitive data from accidentally exposed profiles.

j / k navigate · click thread line to collapse