Have you ever saved a password in your browser — Chrome, Firefox, Internet Explorer, or another one? Then your passwords are likely viewable by anyone with access to your computer while you’re logged in.
Chrome and Firefox’s developers think this is fine, as you should be preventing people from accessing your computer in the first place, but this will likely come as a surprise to many people.
How Anyone With Access To Your Computer Can View Your Passwords
Assuming you leave your computer logged in and someone else uses it, they can open Chrome’s Settings page, go to the Passwords section, and easily view every single password you have saved.
You can plug chrome://settings/passwords into Chrome’s address bar for easy access to this page. Click a password field and click the Show button — you can see any password saved in Chrome with no additional prompts.
With Firefox’s default settings, you can open its Options window, select the Security pane, and click the Saved Passwords button. Select Show Passwords and you can see a list of all the passwords saved in Firefox on your computer.
Firefox allows you to set a “master password” that must be entered before you can view or use saved passwords, but this is disabled by default and Firefox doesn’t prompt users to set one up.
Internet Explorer provides no built-in way to view its saved passwords. However, this apparent security is misleading. With a utility like the free IE PassView, you can view all saved IE passwords for the current user account. You can also view passwords without installing any software — just visit a website where the password is automatically filled and use something like the Reveal Passwords bookmarklet to reveal the password that was automatically entered.
What’s Going On Here? Is This a Security Vulnerability?
There has been a debate raging among geeks as to whether this is really a security vulnerability. Should Chrome’s developers (and the developers of other browsers, like Internet Explorer and even Firefox with its default settings) change this behavior? Have users been betrayed by developers, given that browsers don’t warn users about this behavior?
On the one hand, there are some good arguments for the current behavior.
- Chrome and Internet Explorer both secure your saved passwords with your Windows user account password. If you’re not logged in, your passwords are inaccessible. If an attacker changes your Windows account password, your passwords become inaccessible. Assuming you use a strong Windows password and lock your computer when you aren’t using it, you’re theoretically secure.
- If an attacker has physical access to your computer or a malicious program is running in the background, it could log your key strokes and gain any “master password” used to secure your passwords in Firefox or a dedicated password manager like LastPass. A master password in Chrome would provide a false sense of security.
- A master password is an additional security method that would inconvenience average users, who would opt to disable it anyway. Users wouldn’t want to have to enter a master password before using their saved passwords.
- If your browser was already logged into an account on a website, the attacker could gain access to your account on that website if they have access to your browser.
On the other hand, users don’t follow perfect security practices in the real world:
- Many people share Windows user accounts, set their computers to automatically log in, or let guests use their computers without looking over their shoulder the whole time. This makes accessing saved passwords trivial. Anyone even remotely curious could glance at the passwords.
- A master password would allow users to further secure their password database, allowing them to save passwords without worrying about guests using their computer and being tempted to glance at them.
- Many Windows user account passwords are extremely weak, so the passwords would have little protection. Many people also don’t lock their computers every time they step away.
- Chrome provides multiple user profiles, encouraging users to share Chrome profiles on a single user account, but provides no method of isolating these profiles and preventing other Chrome user profiles from accessing other account passwords
- If an attacker gained access to an already-logged-in website but didn’t have your password, they wouldn’t be capable of changing your password or deleting your account.
- Average users probably expect that their passwords are harder to view. There’s no warning informing them that anyone with access to their computers can view their saved passwords, or that they should set a strong Windows password and lock their computers when they step away from them.
So which side is right? Well, Chrome does secure your password if you follow ideal security procedures. That said, Chrome (and IE and Firefox in its default configuration) also doesn’t provide enough information to users about what it’s doing. In the real world, a master password could be useful to many people.
How to Protect Your Saved Passwords
If you’re worried about your saved passwords, here are some tips you can use to secure them from prying eyes:
- Use a dedicated password manager, like LastPass. These password managers work with every browser and provide a master password that locks access to your passwords when you’re logged out. Chrome’s developers might not want to give you the master password feature, but you can add it yourself by using LastPass in the place of Chrome’s default password manager. It’s an all-around more powerful option, as are other password managers like KeePass.
- If you use Firefox, enable the master password feature. This is off by default because Firefox’s developers don’t like the user experience, but a master password allows you to “lock” your password database with a single main password. You can then share your user account with other people and they won’t be able to glance at your passwords. Sure, they could install a key logger while you aren’t looking, but many people who might be tempted to peek at your passwords wouldn’t want to go all the way with a key logger. This is why we lock our doors — the locks aren’t perfect, but they keep honest people honest.
- If you use Chrome or Internet Explorer and want to keep using the built-in password manager, ensure you exercise good security practices. Set a strong Windows user account password and lock your computer whenever you step away from it. Someone with access to your computer while it’s logged in could quickly glance at your passwords — especially with Chrome.
Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.
- Published 08/11/13