Starred by 11 users
Status: WontFix
Owner: ----
Closed: Mar 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security

Chrome asks for "Windows Password" when displaying saved password, but those passwords are available with no protection via other methods anyway.
Reported by anonymou...@gmail.com, Mar 19 2014
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.149 Safari/537.36

Steps to reproduce the problem:
1. Go to Chrome Settings > Advanced > Manage saved passwords.
2. Click "Show" to display any of the passwords.

What is the expected behavior?
Password should be displayed.

What went wrong?
Chrome prompts for the Windows password.

Did this work before? Yes. It was working fine before version 30.

Chrome version: 33.0.1750.149  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 12.0 r0

For many years we have requested you to add a Master Password to protect Chrome data, similarly to what Firefox offers.

For many years you have refused to do so, arguing that a Master Password provides a false sense of security, and that in order to protect our data we should lock our Windows session.

Now you come up with an even worse sense of security that is not only extremely annoying (as the Windows password is prompted again every few seconds) but that also offers NO PROTECTION AT ALL, as the saved passwords are available anyway through other user-accessible methods!!!

I have the "Web Developer" Chrome Extension installed (https://chrome.google.com/webstore/detail/web-developer/bfbameneiokkgbdmiekhjnmfkcnldhhm), and whenever I go to a page where my password is auto-filled, I can simply click "Forms" > "Display passwords" in the "Web Developer" panel and BOOM my password is shown right away, no Windows password asked this time.

As far as I know, anybody could install the "Web Developer" extension from the Chrome Web Store, no Windows password required to install an extension, and therefore all my passwords are easily recoverable with no protection at all.

So why create an even worse false sense of security by asking for the Windows password when displaying saved passwords in the Chrome Settings, while those passwords are very easily accessible by manually visiting all the listed domains? Again, the Web Developer extension (for example) can be installed by anyone...

Either implement a real Master Password to lock all private data (logins/history/bookmarks/etc.) and MAKE IT OPTIONAL, or keep to your old philosophy of letting the Windows session take care of that.

In any case, the current prompt for the "Windows password" is misleading, time-consuming, annoying, it cannot be disabled, and most of all it provides a false sense of security, the very thing you argued against for a long time.
 
Project Member Comment 1 by clusterf...@chromium.org, Mar 19 2014
Labels: Cr-UI-Browser-Passwords
According to this forum (http://www.sevenforums.com/browsers-mail/323249-chrome-asking-windows-password.html) and to this issue (https://code.google.com/p/chromium/issues/detail?id=347825) there is a possible workaround by going to:
chrome://flags/#password-manager-reauthentication

and then click "Enable" next to "Disable Password Manager Reauthentication".

Unfortunately it doesn't work for me. Chrome keeps prompting me for my Windows password all the time. Very, extremely, super annoying.

Please drop this "feature", PLEASE! Or at least make it optional... 
I know I'm repeating myself but this is just a huge fail to the long debate regarding the "sense of security" this kind of technique provides...

Either implement a real, optional Master Password, or keep to your old strategy of letting the Windows session handle security, but please don't create more and more time-consuming problems that are not only useless but are also very annoying to deal with, report, complain about and work around...

Now we need a fix, and we need it fast! Until then we're putting back Chrome 30 and will lock any further updates (UpdateFreezer is a good tool for that).
Comment 4 by jsc...@chromium.org, Mar 19 2014
Cc: wfh@chromium.org
Labels: -Restrict-View-SecurityTeam
Status: WontFix
The current OS re-authentication behavior was chosen to address user concerns over casual snooping, while promoting the security best practice of proper OS account use (e.g. setting an OS password). Future changes to this feature will involve better surfacing when passwords are being stored on a system that appears shared or insecurely configured. This is important because the OS user account is the only security boundary available to protect the user state (including any stored passwords) against local access.

So, to reiterate, unless you properly lock your OS account you have no protection against a local attacker, regardless of whether you are using the Chrome password manager, the Firefox master password feature, or anything else. An attacker with direct access to your OS account can steal all the data at rest on your machine--including all authentication cookies and tokens for any website. And the attacker isn't bound to just stealing the data available during the exposure window. He or she can leave behind a backdoor or a keylogger, or any other mechanism for persistent surreptitious access to your system.

However, if you set an OS password, Chrome can safely protect persistent credentials from a local attacker or even in the event of a lost or stolen computer. This is because Chrome encrypts both your passwords and your session cookies on disk using OS-provided credential storage (which normally uses a key derived from the OS account password).

So please, for your own safety, set an OS account password, a reasonable screen lock timeout, and don't share your OS account with people you don't trust.


@wfh - Please verify that disabling OS re-authentication works both with the command line switch and the flag. Although, this may be a simple issue of the user failing to restart Chrome after changing the flag.
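The comment above describes the model that the rest of this thread argues about: stored secrets are encrypted with OS-provided credential storage (on Windows, DPAPI), so the protection is bound to the Windows account and not to any prompt shown inside the browser. The script below is an added example, not Chromium code and not something posted in this thread; it uses the public .NET `ProtectedData` API to show the two halves of that model on a constructed secret: inside the logged-in session any code running as the user decrypts the blob silently, while a decryption attempt without the right key material (here simulated with wrong entropy; another account, or a disk copied without the account password, fails the same way) is refused. The secret string and entropy value are constructed for the demonstration.

```powershell
# Added example, not code from the Chromium project or this thread.
# Demonstrates the model described in comment 4: a secret protected with
# Windows DPAPI under the CurrentUser scope is opaque at rest, but any code
# running inside that user's logged-in session can unprotect it without any
# further prompt. The secret and the entropy value below are constructed.
# Runs on Windows PowerShell 5.1 or PowerShell 7 on Windows.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [byte[]]$Entropy = $null
    )
    $plain = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # CurrentUser scope: the DPAPI master key is itself encrypted with a key
    # derived from the account's logon password, so the blob is only usable
    # by this Windows account.
    return [System.Security.Cryptography.ProtectedData]::Protect(
        $plain, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][byte[]]$Blob,
        [byte[]]$Entropy = $null
    )
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample secret and an application-specific entropy value
# (DPAPI mixes optional entropy into the key; the caller must supply the same
# bytes again to decrypt).
$secret  = 'correct-horse-battery-staple'
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy')

$blob = Protect-Secret -PlainText $secret -Entropy $entropy
Write-Host "Ciphertext at rest (base64):" ([Convert]::ToBase64String($blob))

# Same account, same session: decrypts silently, no password prompt involved.
$roundTrip = Unprotect-Secret -Blob $blob -Entropy $entropy
Write-Host "Decrypted in this session:" $roundTrip
if ($roundTrip -ne $secret) { throw 'round trip failed' }

# Wrong entropy behaves like a wrong key: DPAPI refuses to decrypt. The same
# CryptographicException is what a different Windows account, or someone who
# copied the blob off the disk without the account password, would get.
try {
    Unprotect-Secret -Blob $blob -Entropy ([System.Text.Encoding]::UTF8.GetBytes('wrong')) | Out-Null
    throw 'unexpected: decrypted with wrong entropy'
}
catch [System.Security.Cryptography.CryptographicException] {
    Write-Host "Decryption refused without the right key material:" $_.Exception.Message
}
```

The point to take from the two branches is the one comment 4 makes: an OS account password is what makes the blob useless to anyone outside the account (lost laptop, other local users), whereas inside an unlocked session the data is already decryptable, so any additional prompt there deters casual snooping but adds no cryptographic protection. Locking the session and not sharing the account are the controls that actually matter.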

@jschuh@chromium.org:

I'm already and perfectly aware of all that you say. Sorry to ask, but did you actually read and try to understand my description?

The huge mistake that you make regarding the Firefox Master Password is that it actually acts similarly to Chrome, but instead of using the OS credentials, it uses the Master Password to encrypt data.

Chrome encrypts data using the OS credentials, while Firefox encrypts data using the "Master Password".

The difference in Firefox is that even if the user is logged in (at the OS level) and a Master Password is set in Firefox, he won't be able to access any of the saved data in Firefox, no matter how (auto-filling won't work, etc.). Firefox will prompt for the Master Password in order to unlock/decrypt the saved passwords. Of course I agree with you about key-loggers etc., but this is not the topic right now.

What you're doing in Chrome is that the passwords are ALREADY unlocked/decrypted when you prompt for the OS password, which is ridiculously pointless! Passwords ARE ALREADY AVAILABLE (i.e. decrypted, available in clear, whatever you call it) and you still prompt the user to unlock/decrypt them a second time? How is that even possible? It's magical! It doesn't make any sense, only for you it does!

I am a Java developer and I must say that in 15 years in the industry this is the first time that I see an application ask for a password when it doesn't actually need it. Doing so is a pure lie in the face of the user! This is a monstrous lie to the end-users: by prompting for the Windows password you're clearly saying that the passwords are safely encrypted, BUT THEY ARE NOT! While their OS session is open, their passwords are in their unlocked/decrypted state, so you should be honest and let end-users know about this security fact!

Get your act together because this is really pure craziness!

Lambda end-users will understand from this Windows-password-prompt that passwords are safely encrypted in Chrome, and that they can leave their OS session open, and share their computer, etc. without worrying about anything. YOU ARE RESPONSIBLE FOR THIS! If you are forced to argue on this and forced to stay on your position and not allowed to remove this terrible "feature" by your employer THEN YOU SHOULD QUIT YOUR JOB AND LET YOUR BOSS KNOW WHY.

What the hell!

WontFix? OK then we WontUse and WontRecommend!
Comment 6 by wfh@chromium.org, Mar 19 2014
Issue 353890 has been merged into this issue.
Comment 7 by wfh@chromium.org, Mar 19 2014
As I mentioned in the other similar bug raised a few minutes after this one, the password manager reauthentication disable flag does indeed function correctly after a browser restart - as clearly explained in the wording 'Your changes will take effect the next time you relaunch Google Chrome.' at the bottom of the chrome://flags page next to the convenient 'Relaunch Now' button.
@#7: Thank you, I was able to disable this "functionality" after 2 reboots, it did not work on the first attempt.

Nevertheless, this issue is not about disabling this "feature" via a flag, it's about removing it from Chrome completely in order to not mislead regular users about the security of their saved passwords. In other words, this Windows-password-prompt provides a false sense of security to unaware end-users, as there is no warning that passwords are still available to anything/anyone, nor is there any notification or advice to lock the OS session, nothing!

This issue is about removing this insanity from Google Chrome.

In addition, I don't want to rely on flags, as they are unstable and can be removed at any time with no pre-notice from your part, like you did with the NTP flags recently. In addition to that, flags are unavailable to common users without searching the web.

Either remove this thing completely from Chrome, or add an option in the Chrome settings to enable/disable it (i.e. make it OPTIONAL to ANYONE, not just the advanced users who will look for flags) and make sure to disable it by default. Optimally the new checkbox in the Chrome settings to enable/disable the OS-password-prompt should provide a warning that it doesn't protect saved passwords from anything but ignorant people.

Thank you.
Hi,

Apart from the technical and security pointlessness of Google Browser asking the user to type her OS password to show browser stored password there is another important angle.

A mere application that asks a user to type her OS password for some functionality trains users to see it as normal that mere applications ask for and should get the god password.

This is extremely bad, especially in a browser, because it strengthens the attack vectors that webpages have in displaying some popup on their page requesting the OS password with some excuse.

I will add here that when I was presented with this question, I did not enter my OS password, and instead lived with not being able to get to my own passwords.  Why?:
1. I was honestly unsure if the question was legit, so bizarre is it to have this.
2. Even assuming it was legit, I simply refuse to give in to such a security design disaster.

I have to agree with all the arguments mentioned already to kill off this "improvement", with lightning speed please. This is indeed so bad that the word insane is fully justified.


Comment 10 by dwilc...@gmail.com, Nov 10 2014
Hello,

In my Chrome when I try to see one of the stored passwords it asks me for my Windows password, after I enter it, Chrome simply pops the message-dialog again asking me for the Windows password. It seems to enter kind of a loop and never accepts the correct Windows password.

This happens now in two different computers, with 2 different local accounts.
I used the method to disable this feature by using the flag and after restarting Chrome it was fixed, but I would like to keep this feature and make it work properly.

My Chrome version is: 38.0.2125.111 (Official Build 290379) m

Thanks.
dwilches: Can you please file a new bug for that behavior, if it's something you can reproduce consistently?
Comment 12 by dwilc...@gmail.com, Nov 10 2014
Hello.
Yes, it is a consistent behaviour. I already opened the new bug.
Thanks
Comment 13 by Deleted ...@, Nov 13 2014
I disagree a bit with some of the items stated above. I've asked for a master password before as well, and this seems to be exactly what users have been asking for.

Even the original poster says "For many years we have requested for you to add a master password"

However, I would request two different things that accomplish the same goal as the user above, instead of saying "Get rid of the master password" that has been requested since at least 2008.

A) Add the option to "Ask for Credentials before AutoFilling passwords" with an optional timeout of "each time", 5, 15 or 60 minutes that is reset each time an AutoFill is used. So if a user hasn't used the password manager in 15 minutes, they'll have to reauthenticate.
B) Add the option to use a separate Credential in Windows from the User Password using the Windows Credential Manager. If an entry exists for vault.retrieve("chrome-password-manager", "windows-username"), have the user authenticate against that, else have the user authenticate against their Windows account.

I'm not sure when the Credential Manager was added to Windows, so this may or may not apply to certain versions, but progressive enhancement is all the rage these days.
Comment 14 by wfh@chromium.org, Feb 4 2015
Cc: jsc...@chromium.org jww@chromium.org
Issue 455175 has been merged into this issue.
Comment 15 by Deleted ...@, Nov 17 2015
Hello all,
I was having this same problem on my new windows 10 desktop... it was asking me for my windows password to access my Microsoft password I had saved in Chrome.  I read lots of forums and many people think that it is asking for the computer password and they say they don't have one... well I do and it wasn't working either. Then I finally had a brain fart and realized the "windows" password you must enter to access your saved passwords is the password to your Microsoft account. So I had to get into my old computer's Chrome and look in my old saved passwords there to find it and thankfully I was able to access it and get into my new chrome saved passwords, so it turned out it was asking me for the same password I was asking it for... geez! I guess the only other easy fix would be to change your Microsoft account password, what a pain in the bum!
Comment 16 by mgt...@gmail.com, Nov 30 2015
Actually on my Windows 10 it also prompts me, but the Microsoft account password is not accepted. It just reprompts me...
I love how everyone is saying Chrome gives users a false sense of security because it doesn't tell people to lock their sessions. You realize that Chrome, like all the other browsers, has no control over its users or their OSes, only over the browser itself. If anything, I do agree with prompting for a master password before auto-filling. But all this other BS needs to stop. Also, Chrome/Chromium dev team, you need to fix your damn browser. Atm Edge and Firefox are the 2 best browsers because for the past year now Chrome has been steadily breaking shit that used to render perfectly before. If you're trying to fix security exploits from Flash I suggest you undo all those changes and just REMOVE Flash; it's a PITA software that should have died 20 years ago.
Project Member Comment 18 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 19 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
This may help some people...
Check DNS settings.
I had this where the password prompt in Google was not accepting the Windows password, but the DNS was pointing to an external server.
Changed to an internal DNS server and it is now working OK.
Please note this was in a domain environment, so not sure about home users.
Maybe try setting the DNS to the router?
Google's idea of "security" is to ask us to give out our Windows password in order to manage the passwords that we allow Chrome to save? FU!