You would think that at a time when our personal information seems more vulnerable and readily accessible than ever before, those in charge of securing our software would be reassuring and tactful. At the very least, you'd think they would try to make users aware that their passwords and personal accounts are of the utmost priority and that developers tasked with protecting that information are doing everything in their power to keep it from being exposed.
But upon being notified of a glaring security hole in Google (NASDAQ:GOOG) Chrome wherein saved passwords are accessible by anyone and can be read in plain text, Google security engineer Justin Schuh was anything but reassuring or tactful.
It all began when software designer Elliott Kember stumbled upon a settings panel in Google Chrome that stores our saved passwords. (Those using Chrome, head to "chrome://settings/passwords" to see for yourself.) But rather than bury that panel behind a master password or even encrypt each individually saved password, Chrome developers allowed them to be easily viewable by clicking "Show" next to each line of dots.
That means that anyone who has access to your machine can easily open up Chrome, fire up that panel, and have access to every single online account with a saved password.
Now, as Kember says, there are a number of valid reasons why this isn't or shouldn't be a concern. After all, you leave yourself open to attack simply by allowing access to your computer, password management is similarly handled by other browsers, and you'd be foolish to keep important passwords saved in a Web browser.
But as soon as Schuh caught wind of the issue and posted a series of messages on a Hacker News discussion board, the defense against providing a master password began to sound shaky at best and condescending at worst.
Schuh argued that Google Chrome developers are relying on protection at the OS level, meaning that the user is responsible for whoever they grant access to their computer once they log into a Windows (NASDAQ:MSFT) or Mac OS X (NASDAQ:AAPL) account. If they don't want their information to be vulnerable, they should log out of their account every time they're finished.
But as other responses point out, is that really feasible? How quickly would that requirement become a problem for family members who share computers?
As the discussion continued and Schuh was pressed on the issue, that's when things started getting a little testy.
"I appreciate how this appears to a novice," Schuh wrote to Kember, "but we've literally spent years evaluating it and have quite a bit of data to inform our position. And while you're certainly well intentioned, what you're proposing is that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior. That's just not how we approach security on Chrome."
Yeah, that's how developers should regard a legitimate complaint: Call the user a "novice" and give him the virtual equivalent of a head pat.
So Schuh and his team didn't want to "provide users with a false sense of security" and "encourage risky behavior." But hold on a second. They've already done that by allowing users to think that their saved passwords are completely protected. If users were prompted with a message saying, "All your saved passwords will be visible with the click of a button on the chrome://settings/passwords panel" as soon as they tried to save one, only then would that argument be valid. The average user doesn't expect to find every single one of their saved passwords in plain text just by opening a settings panel.
There's your false sense of security right there.
After refusing to waver from his position or acknowledge any opposing view, Schuh put the kibosh on discussing the matter further with a brusque tweet:
Well, so much for an open debate.
It appears that the Google Chrome security team has no intention of protecting saved passwords behind a master password or even removing the ability to see them in plain text. That leaves little recourse for Chrome users but to memorize every single password we use, vary them between sites, and never ever trust a piece of software to handle any kind of personal information or its developers to display an ounce of courtesy when questioned about shoddy levels of protection.
We wouldn't want you lulled into a false sense of security, would we?
No positions in stocks mentioned.