Starred by 29 users

Issue metadata

Status: Fixed
Closed: Jun 2017
OS: Mac
Pri: 2
Type: Bug

Blocking: issue 474954, issue 503959




Remove OS X Keychain integration for saved passwords

Project Member Reported by rsesek@chromium.org, Mar 12 2015

Issue description

Starting in OS X 10.9, Apple introduced the iCloud Keychain. This manifests itself as the “Local Items” keychain in Keychain Access. Items in this keychain are only accessible to applications with the keychain-access-groups entitlement [1][2]. This, like other iCloud entitlements, is “available only to apps submitted to the App Store or to the Mac App Store” [3].

The effect of this is that on 10.9 and 10.10, passwords stored in Safari are not accessible to Chrome (but passwords originated in Chrome are still shared to Safari):

1. User logs into a website with Safari and saves the password
2. User opens Chrome and goes to same website
3. Chrome cannot autofill the password from (1), since it does not have the entitlement to access the iCloud keychain

Starting in 10.10, passwords stored in Chrome and accessed in Safari are duplicated, preventing updates from being shared:

1. User logs into a website in Chrome and saves the password
2. User opens Safari and goes to the same website
3. Safari fills the password and copies it from the “login” keychain to “Local Items”
4. Any updates to the password in Safari are not shared to Chrome, since Safari has duplicated the item

Given that Safari no longer makes password sharing possible, and Firefox does not integrate with the keychain, there seems to be very little value to continuing to store individual password items in the Keychain. The integration regularly causes confusion and problems when using multiple profiles and Chrome Sync, since passwords are not isolated per-profile.

In addition, the new kSecAttrSynchronizable is only usable via an entirely new set of Keychain APIs, which would require rewriting all the Keychain integration code anyways. Given that Chrome on OS X is not currently submittable to the App Store (nor are there any intentions of making this possible), on the latest OS (10.10) password sharing is completely broken, and that Keychain integration can cause issues for users, I think we should consider removing it. Instead, I think we should use Chrome’s encryptor for saving passwords and only place the encryptor key in the Keychain.

If we decide to do this, we should figure out what the migration path needs to be.

[1] https://developer.apple.com/library/ios/documentation/Security/Reference/keychainservices/#//apple_ref/c/func/SecItemAdd
[2] http://opensource.apple.com/source/Security/Security-57031.1.35/Security/sec/ipc/server.c SecTaskCopyAccessGroups()
[3] https://developer.apple.com/library/mac/documentation/General/Conceptual/iCloudDesignGuide/Chapters/Introduction.html
 
Cc: erikc...@chromium.org
Sigh. I phear you may be right. 

Does Mavericks/Yosemite remove the previous ability to sync passwords via Keychain sync (not chrome sync) between machines using iCloud? Has iCloud Keychain entirely removed the old functionality?

One thing is that we can hold our heads high and say Chrome lets you easily take your passwords out if you want to switch browsers, but that's a pretty weak reason to continue doing this.

Comment 2 by rsesek@chromium.org, Mar 12 2015

I think Apple removed keychain syncing with the initial iCloud release (post MobileMe) [1], and then iCloud Keychain was reintroduced as its replacement.

[1] http://appleinsider.com/articles/11/08/06/apple_officially_killing_mobileme_sync_for_keychains_widgets_accounts_preferences
As the long-standing very vocal advocate of Keychain integration, I agree. With interoperability with Safari (and any new browser written for the App Store) impossible, there are almost no advantages to users to keeping it to weigh against the disadvantages stemming from multi-profile interaction.

Takeout functionality for passwords is nice, but not sufficient as a reason, especially given the 10.10 behavior where switching back and forth between browsers will cause drift making it only sort of work. (And if that's the only reason, a better solution would be an explicit cross-platform takeout solution.)

For migration, I can see two options:
1) On launch, if there's been no conversion yet, do a one-time walk of all items, reading the passwords from Keychain and writing them back into the DB via encryptor.
  - Pro: Gets it out of the way
  - Con: For users with locked keychains, triggers a sync-like cascade of permission dialogs
2) Store migration state per-item, and convert each item as it's being used anyway
  - Pro: Seamless for users with unusual configs
  - Con: Drags it out, and at some point we'll need to do 1 anyway as a final cleanup 

Comment 4 by vabr@chromium.org, Mar 12 2015

Cc: vabr@chromium.org engedy@chromium.org
+engedy, who worked on export/import for passwords in the past: maybe a good time to bump the priority?

As for the options in #3: If 2) is invisible to the user, we should keep doing it for some time. That might spare at least some users of the shock of 1) once we need to do that.
Right, that's the idea. But the number of users for whom (1) would trigger dialogs in the first place is small, and unless those users use most of their passwords in the time we did (2) it wouldn't help appreciably (e.g., a user who would get 50 dialogs getting 30 instead isn't a qualitative improvement).

So it's not clear to me that (2) has enough user benefit to warrant the added complexity it would require.

Comment 6 by dxie@chromium.org, Mar 19 2015

Status: Available (was: NULL)

Comment 7 by Deleted ...@, Apr 8 2015

Is there a solution to completely discard using KeyChain and use Chrome to manage and save my passwords??

Comment 8 by vabr@chromium.org, Apr 8 2015

Blocking: chromium:474954
> Is there a solution to completely discard using KeyChain and use Chrome to manage and save my passwords??

The solution is to wait until the work tracked by this bug is completed and shipped, at which point it will happen automatically. There's no runtime way to change Chrome's password storage.
Owner: vasi...@chromium.org
Status: Assigned (was: NULL)

Comment 11 by norb...@rittel.de, Jun 18 2015

Currently Chrome does write ALL password items stored in passwords.google.com to the local keychain as soon as you have logged into Chrome.

This exposes all user credentials to local access including the now public 0-day from  crbug.com/456009 

As an admin who needs to set up Chrome Remote Desktop on customer servers this is already a major headache for me as I have to clean out the local keychain after I'm done setting up and I have to make sure that Time Machine (or other backup software) does not kick in in the meantime creating a copy of the keychain file including all my credentials.

Therefore I also welcome if Chrome no longer wrote any credentials into the Mac's keychain services and would very much prefer if it pulled them from the cloud individually only when actually needed for a current login process.
The option to get a local copy should be offered under google.com/takeout instead.

Read access as outlined under #3 is welcome but should also happen only with user interaction. I see too many users log into Chrome under other local accounts either leaving their credentials behind in the local storage or pulling credentials from a different user's account this way.
> This exposes all user credentials to local access including the now public 0-day from  crbug.com/456009 

An app that's running locally (unless it's sandboxed, which as noted in the other bug is not particularly common on OS X) can read all your passwords if they are stored in the profile directory too (assuming it can successfully attack the keychain to get the encryption key), so the security impact of this change is minimal at best.

> Therefore I also welcome if Chrome no longer wrote any credentials into the Mac's keychain services

There's no need to advocate for a change that we are already making.

> and would very much prefer if it pulled them from the cloud individually only when actually needed

If you want to fundamentally change the way password sync works on all platforms, please file a new bug. It's totally unrelated to this bug, and thus off topic.

> Read access as outlined under #3 is welcome but should also happen only with user interaction.

Comment 3 is describing one-time migration to prevent users from losing all their passwords.

Comment 14 by norb...@rittel.de, Jun 19 2015

@stuartmorgan:

I've filed new security bugs as requested, including a working attack to the encryption key for the profile directory.
Summary: Remove OS X Keychain integration for saved passwords (was: Consider removing OS X Keychain integration for saved passwords)
Retitling the bug for clarity, as we have decided to remove Keychain integration, a design doc has been created, and work is underway.
Project Member

Comment 16 by bugdroid1@chromium.org, Jun 22 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/19209e174a4249faac3f6ee9051399f5b8639515

commit 19209e174a4249faac3f6ee9051399f5b8639515
Author: vasilii <vasilii@chromium.org>
Date: Mon Jun 22 15:01:24 2015

Implement PasswordStoreProxyMac and SimplePasswordStoreMac.

They aren't instantiated yet in the code base. SimplePasswordStoreMac is a PasswordStore implementation on Mac in the future. PasswordStoreProxyMac is a proxy used for migration from PasswordStoreMac to SimplePasswordStoreMac.

BUG= 466638 

Review URL: https://codereview.chromium.org/1192963002

Cr-Commit-Position: refs/heads/master@{#335502}

[add] http://crrev.com/19209e174a4249faac3f6ee9051399f5b8639515/chrome/browser/password_manager/password_store_proxy_mac.cc
[add] http://crrev.com/19209e174a4249faac3f6ee9051399f5b8639515/chrome/browser/password_manager/password_store_proxy_mac.h
[add] http://crrev.com/19209e174a4249faac3f6ee9051399f5b8639515/chrome/browser/password_manager/simple_password_store_mac.cc
[add] http://crrev.com/19209e174a4249faac3f6ee9051399f5b8639515/chrome/browser/password_manager/simple_password_store_mac.h
[add] http://crrev.com/19209e174a4249faac3f6ee9051399f5b8639515/chrome/browser/password_manager/simple_password_store_mac_unittest.cc
[modify] http://crrev.com/19209e174a4249faac3f6ee9051399f5b8639515/chrome/chrome_browser.gypi
[modify] http://crrev.com/19209e174a4249faac3f6ee9051399f5b8639515/chrome/chrome_tests_unit.gypi
[modify] http://crrev.com/19209e174a4249faac3f6ee9051399f5b8639515/components/password_manager/core/browser/password_store.h
[modify] http://crrev.com/19209e174a4249faac3f6ee9051399f5b8639515/components/password_manager/core/browser/password_store_default.cc
[modify] http://crrev.com/19209e174a4249faac3f6ee9051399f5b8639515/components/password_manager/core/browser/password_store_default.h

Cc: gcasto@chromium.org mkwst@chromium.org bauerb@chromium.org
 Issue 397687  has been merged into this issue.
Project Member

Comment 18 by bugdroid1@chromium.org, Jun 25 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d76cd87932e59af30da4ad138722ed4c8b54fe3c

commit d76cd87932e59af30da4ad138722ed4c8b54fe3c
Author: vasilii <vasilii@chromium.org>
Date: Thu Jun 25 12:00:28 2015

Integrate PasswordStoreProxyMac instead of PasswordStoreMac.

For now PasswordStoreProxyMac is just a wrapper around PasswordStoreMac.
The goal is to remove the Keychain integration on Mac. Design doc: https://docs.google.com/a/google.com/document/d/1A8ZG16bLuUH1u21K0GoABKz_wpz1kchXMnMlpmq_ecA/edit?usp=sharing

BUG= 466638 

Review URL: https://codereview.chromium.org/1200603003

Cr-Commit-Position: refs/heads/master@{#336130}

[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/chrome/browser/password_manager/password_store_factory.cc
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/chrome/browser/password_manager/password_store_mac.cc
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/chrome/browser/password_manager/password_store_mac.h
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/chrome/browser/password_manager/password_store_mac_unittest.cc
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/chrome/browser/password_manager/password_store_proxy_mac.cc
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/chrome/browser/password_manager/password_store_proxy_mac.h
[add] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/chrome/browser/password_manager/password_store_proxy_mac_unittest.cc
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/chrome/chrome_tests_unit.gypi
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/components/password_manager/core/browser/mock_password_store.h
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/components/password_manager/core/browser/password_store.cc
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/components/password_manager/core/browser/password_store.h
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/components/password_manager/core/browser/password_store_default.cc
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/components/password_manager/core/browser/password_store_default.h
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/components/password_manager/core/browser/test_password_store.cc
[modify] http://crrev.com/d76cd87932e59af30da4ad138722ed4c8b54fe3c/components/password_manager/core/browser/test_password_store.h

Blocking: chromium:503959
Is there a test plan? Should these CLs have a TEST= line?
At the moment the new logic isn't running. Though it's covered by unit tests.
I'll write a separate doc for testing as a part of the launch process.
Project Member

Comment 23 by bugdroid1@chromium.org, Jul 8 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5fb5dc4138715d9d19d0ac67f44cbfbc59815eba

commit 5fb5dc4138715d9d19d0ac67f44cbfbc59815eba
Author: vasilii <vasilii@chromium.org>
Date: Wed Jul 08 13:56:26 2015

Change the passwords warning on Mac as the Keychain becomes deprecated.

BUG= 466638 

Review URL: https://codereview.chromium.org/1218293020

Cr-Commit-Position: refs/heads/master@{#337811}

[modify] http://crrev.com/5fb5dc4138715d9d19d0ac67f44cbfbc59815eba/chrome/app/chromium_strings.grd
[modify] http://crrev.com/5fb5dc4138715d9d19d0ac67f44cbfbc59815eba/chrome/app/google_chrome_strings.grd

Project Member

Comment 24 by bugdroid1@chromium.org, Jul 8 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b312da5608ac316b7e49459c906b5a5d72332776

commit b312da5608ac316b7e49459c906b5a5d72332776
Author: vasilii <vasilii@chromium.org>
Date: Wed Jul 08 16:54:40 2015

Start the migration of passwords from the Keychain.

Design doc: https://docs.google.com/a/google.com/document/d/1A8ZG16bLuUH1u21K0GoABKz_wpz1kchXMnMlpmq_ecA/edit?usp=sharing

BUG= 466638 

Review URL: https://codereview.chromium.org/1213043003

Cr-Commit-Position: refs/heads/master@{#337842}

[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/chrome/browser/password_manager/password_store_factory.cc
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/chrome/browser/password_manager/password_store_mac.cc
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/chrome/browser/password_manager/password_store_mac_unittest.cc
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/chrome/browser/password_manager/password_store_proxy_mac.cc
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/chrome/browser/password_manager/password_store_proxy_mac.h
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/chrome/browser/password_manager/password_store_proxy_mac_unittest.cc
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/chrome/browser/password_manager/simple_password_store_mac.cc
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/chrome/browser/password_manager/simple_password_store_mac.h
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/chrome/browser/password_manager/simple_password_store_mac_unittest.cc
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/components/password_manager.gypi
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/components/password_manager/core/browser/BUILD.gn
[add] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/components/password_manager/core/browser/keychain_migration_status_mac.h
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/components/password_manager/core/browser/password_manager.cc
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/components/password_manager/core/browser/password_store_default.h
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/components/password_manager/core/common/password_manager_pref_names.cc
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/components/password_manager/core/common/password_manager_pref_names.h
[modify] http://crrev.com/b312da5608ac316b7e49459c906b5a5d72332776/tools/metrics/histograms/histograms.xml

Project Member

Comment 25 by bugdroid1@chromium.org, Jul 8 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f

commit 5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f
Author: Antony Sargent <asargent@chromium.org>
Date: Wed Jul 08 18:28:44 2015

Revert "Start the migration of passwords from the Keychain."

This reverts commit b312da5608ac316b7e49459c906b5a5d72332776.

This was causing failures on the Mac Asan 64 bot. See  crbug.com/508227 
for details.

BUG= 508227 , 466638 

Review URL: https://codereview.chromium.org/1211253015.

Cr-Commit-Position: refs/heads/master@{#337864}

[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/chrome/browser/password_manager/password_store_factory.cc
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/chrome/browser/password_manager/password_store_mac.cc
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/chrome/browser/password_manager/password_store_mac_unittest.cc
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/chrome/browser/password_manager/password_store_proxy_mac.cc
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/chrome/browser/password_manager/password_store_proxy_mac.h
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/chrome/browser/password_manager/password_store_proxy_mac_unittest.cc
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/chrome/browser/password_manager/simple_password_store_mac.cc
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/chrome/browser/password_manager/simple_password_store_mac.h
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/chrome/browser/password_manager/simple_password_store_mac_unittest.cc
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/components/password_manager.gypi
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/components/password_manager/core/browser/BUILD.gn
[delete] http://crrev.com/09c15a5ed0a511f3144a4487a315866ec12e1f9e/components/password_manager/core/browser/keychain_migration_status_mac.h
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/components/password_manager/core/browser/password_manager.cc
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/components/password_manager/core/browser/password_store_default.h
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/components/password_manager/core/common/password_manager_pref_names.cc
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/components/password_manager/core/common/password_manager_pref_names.h
[modify] http://crrev.com/5b4ea4b1fa1a7b66f73f971ad05ea3693818ca8f/tools/metrics/histograms/histograms.xml

Project Member

Comment 26 by bugdroid1@chromium.org, Jul 9 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4c711b5767ccea7095621defa2fb77580a132cca

commit 4c711b5767ccea7095621defa2fb77580a132cca
Author: vasilii <vasilii@chromium.org>
Date: Thu Jul 09 10:35:37 2015

Start the migration of passwords from the Keychain.

Design doc: https://docs.google.com/a/google.com/document/d/1A8ZG16bLuUH1u21K0GoABKz_wpz1kchXMnMlpmq_ecA/edit?usp=sharing

This is a reland of https://codereview.chromium.org/1213043003/

BUG= 466638 
TBR=isherman@chromium.org

Review URL: https://codereview.chromium.org/1226303003

Cr-Commit-Position: refs/heads/master@{#338010}

[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/chrome/browser/password_manager/password_store_factory.cc
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/chrome/browser/password_manager/password_store_mac.cc
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/chrome/browser/password_manager/password_store_mac_unittest.cc
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/chrome/browser/password_manager/password_store_proxy_mac.cc
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/chrome/browser/password_manager/password_store_proxy_mac.h
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/chrome/browser/password_manager/password_store_proxy_mac_unittest.cc
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/chrome/browser/password_manager/simple_password_store_mac.cc
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/chrome/browser/password_manager/simple_password_store_mac.h
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/chrome/browser/password_manager/simple_password_store_mac_unittest.cc
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/components/password_manager.gypi
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/components/password_manager/core/browser/BUILD.gn
[add] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/components/password_manager/core/browser/keychain_migration_status_mac.h
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/components/password_manager/core/browser/password_manager.cc
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/components/password_manager/core/browser/password_store_default.h
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/components/password_manager/core/common/password_manager_pref_names.cc
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/components/password_manager/core/common/password_manager_pref_names.h
[modify] http://crrev.com/4c711b5767ccea7095621defa2fb77580a132cca/tools/metrics/histograms/histograms.xml

Did any of these changes (or similar changes) make it in to Chrome yet? I'm running 45.0.2454.15 and it no longer seems to be saving passwords to the Keychain.

FWIW, I find storing passwords in keychain very handy:
- can look up passwords easily
- can move passwords (keychains) between machines
- more flexible UI for searching/sorting
- allows for future possibility of Safari/Firefox playing nice
- can see Safari password and Chrome passwords in one place, making it easy to update them to keep them in sync

Can you make it possible to opt out of this new behaviour / allow saving to Keychain?
All the changes hit the 45 release. The plan is to get rid of the complicated Keychain code, thereby improving the robustness of the Chrome Password manager.
It seems that most of your concerns are around the customary user experience. If the current Chrome UI/UX doesn't seem convenient for you, please submit your suggestions and ideas so we could improve.

- you can look the passwords up in chrome://settings/passwords or on passwords.google.com
- you can use Chrome Sync for moving them between machines
- chrome://settings/passwords also has a search box
- Safari/Firefox will not play nice. Safari stopped sharing its passwords with Chrome. It was the main reason to drop the Keychain integration.
- Chrome should update the password automatically if you log in with a new one.
> - allows for future possibility of Safari/Firefox playing nice

On the Firefox side: the feature request to add Keychain integration is 14 years old; at least one attempt to add it was actively blocked by product leadership. The theoretical possibility that they might change course is not worth the complexity of the code and the UX issues that have come up over time. (Especially given that they are much less likely to do so given that they'll face the same inability to interoperate with Safari in 10.9+)
> passwords.google.com

Shows me this message: You have secured your Chrome data with a sync passphrase. You can access your data within Chrome on your syncing devices, but not from this website.

> chrome://settings/passwords

doesn't have feature parity (dates, sorting) with Keychain. Can we keep keychain support around until this is fixed? If not, what's the best bug to comment on to address fixing the password UI.

---

With this change, keeping passwords in sync between chrome + safari becomes even harder, because I can't copy & paste between them in one app.

Where are passwords stored on disc? How can I ensure I have them backed up / can move them between machines without Chrome Sync?

Is there an API I can use to manage Chrome passwords?

Is there a plan to call this out conspicuously when Chrome 45 hits the stable channel? This will definitely confuse a lot of people.
> doesn't have feature parity (dates, sorting) with Keychain. Can we keep keychain support around until this is fixed? If not, what's the best bug to comment on to address fixing the password UI.

Please create a new bug for these. You can apply Cr-UI-Browser-Passwords label.

> Where are passwords stored on disc? How can I ensure I have them backed up / can move them between machines without Chrome Sync?

They are stored in <Profile directory>/Login Data. Note that they are encrypted and the key is stored in the Keychain (Chrome Safe Storage). Therefore you may try to back up both the file and the key. The official way to move the passwords is Chrome Sync. It seems that you already use it with a custom passphrase. Note that we are currently working on import/export feature for compatibility with other password managers.

> Is there a plan to call this out conspicuously when Chrome 45 hits the stable channel? This will definitely confuse a lot of people.

We'll update the help article. However, we think that most of the users won't notice anything in M45.

Comment 33 by sla29...@gmail.com, Nov 28 2015

I've been wondering for weeks what it was that broke about Chrome and keychain passwords.
Aha.  Clearly I am not most of the users.
Hahaha, I couldn't echo comment #33 any louder, "most of the users", what a joke...

Comment 35 by fle...@gmail.com, Dec 3 2015

Does this mean the new behavior I'm seeing in Chrome 47 where integration with keychain access on OSX 10.9.5 is completely broken (yet it keeps updating items in my local keychain) is expected? If Chrome is no longer going to integrate with local OSX keychains, shouldn't it stop trying to read & write values into the local keychains? Now even when I save usernames & passwords in Chrome and I can see the entries in keychain access, I am still being prompted repeatedly to re-input those usernames & passwords.
If Chrome keeps using the Keychain then you were not successfully migrated and nothing has changed for you. The plan is to drop the integration completely for everybody even if we can't get access to some of the passwords in the Keychain.
Before the code was removed the OSX keychain was working just fine for anyone who was not using iCloud with the keychain.  Of course I'm the sort who was manually exporting and importing keychain entries between devices with no trouble.  I'm also the sort who believed that the ability of the passwords in the keychain to be seen by all Chrome profiles was a feature, not a bug.  All of that is broken now, my passwords are scattered between keychain and all my profiles.

I also relied on the ability of OSX keychain to sort the keys by date so that I could go and look at what keys I had been changing.  This was especially important in cases where the website login is done via some third party server with a different domain name than the new site where I had just created a new account and password.

If the OSX keychain is gone forever from Chrome then at the least, please enhance the Chrome password manager so that it can sort the passwords by date.
Also please update https://www.chromium.org/developers/design-documents/os-x-password-manager-keychain-integration to clarify how (non)relevant it now is.
I filed  http://crbug.com/567050  for the date sorting.
The removal of the Keychain support is extremely frustrating. 

I'd be very happy if someone could post here an alternative.

It should be doable via an extension, like the excellent "Keychain Services Integration" for Firefox. 

I too had the impression that I somehow broke Keychain support and am feeling the same pain as #37. Introducing such a major change without informing users makes me question my browser-choice.

Comment 42 by sla29...@gmail.com, Feb 22 2016

We understand that chrome can no longer write new passwords into Mac OS X keychain, but does chrome still retain the code which can delete passwords from Mac OS X keychain?  If I am not mistaken I have just seen the current version of chrome do a delete.  That is completely unexpected.  If chrome cannot add new passwords to keychain then it also should have no code which can delete passwords from keychain.
Most of the users were migrated and they don't add/delete passwords to the Keychain. The minority is still using the Keychain like before. Though the code will be removed soon.

Comment 44 by sla29...@gmail.com, Feb 23 2016

In my case I think most of my profiles were "migrated", but some profiles were not.  Is there a way  to tell whether a profile is "migrated"?  If not, removing sooner is a really good idea.
Fortunately, I know where the keychain lives and where my backups are.
You can go to chrome://version/ and find a path to the profile. In the directory there is a 'Preferences'. Find 'keychain_migration' preference. The value can be one of 
// Migration wasn't tried yet.
NOT_STARTED = 0,

// Migration finished successfully.
MIGRATED = 1,

// Migration failed once. It should be tried again.
FAILED_ONCE = 2,

// Migration failed twice. It should not be tried again.
FAILED_TWICE = 3,

From 2 or 3 you can set it to 0 and restart the browser to try again.
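
Added example (not part of the original thread and not Chromium code): a Python script for the check described in the comment above, reporting the 'keychain_migration' value for every profile under a user data directory. It assumes profiles are sibling directories that each hold a JSON 'Preferences' file; the thread does not say where the key is nested, so the script searches the whole document, and the sample files and the "example_section" key are constructed.

```python
import json
import tempfile
from enum import IntEnum
from pathlib import Path


class KeychainMigrationStatus(IntEnum):
    """Values as listed in the comment above."""
    NOT_STARTED = 0   # Migration wasn't tried yet.
    MIGRATED = 1      # Migration finished successfully.
    FAILED_ONCE = 2   # Migration failed once. It should be tried again.
    FAILED_TWICE = 3  # Migration failed twice. It should not be tried again.


NOTES = {
    KeychainMigrationStatus.NOT_STARTED: "not tried yet",
    KeychainMigrationStatus.MIGRATED: "migrated",
    KeychainMigrationStatus.FAILED_ONCE: "failed once, will be retried",
    KeychainMigrationStatus.FAILED_TWICE:
        "failed twice, no retry unless reset to 0 and the browser is restarted",
}


def find_pref(node, key="keychain_migration"):
    """Depth-first search of parsed JSON for `key`; returns its value or None.

    No assumption is made about where the key is nested (the thread only
    names the preference).
    """
    if isinstance(node, dict):
        if key in node:
            return node[key]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_pref(child, key)
        if found is not None:
            return found
    return None


def classify(prefs):
    """Return (status or None, note) for one parsed Preferences document."""
    raw = find_pref(prefs)
    if raw is None:
        return None, "preference not present"
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(raw, bool) or not isinstance(raw, int):
        return None, f"unexpected value {raw!r}"
    try:
        status = KeychainMigrationStatus(raw)
    except ValueError:
        return None, f"unexpected value {raw!r}"
    return status, NOTES[status]


def audit_user_data_dir(user_data_dir):
    """Map profile directory name -> (status, note) for each profile found."""
    results = {}
    for prefs_path in sorted(Path(user_data_dir).glob("*/Preferences")):
        name = prefs_path.parent.name
        try:
            prefs = json.loads(prefs_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # A damaged or truncated file is reported, not silently skipped.
            results[name] = (None, f"unreadable: {type(exc).__name__}")
            continue
        results[name] = classify(prefs)
    return results


def write_constructed_samples(root):
    """Create constructed profile directories for the demo (not real data)."""
    samples = {
        "Default": '{"example_section": {"keychain_migration": 1}}',
        "Profile 1": '{"example_section": {"keychain_migration": 3}}',
        "Profile 2": '{"example_section": {}}',
        "Profile 3": '{"truncated": ',
    }
    for name, body in samples.items():
        profile = Path(root) / name
        profile.mkdir(parents=True)
        (profile / "Preferences").write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_samples(tmp)
        for profile, (status, note) in audit_user_data_dir(tmp).items():
            label = status.name if status is not None else "UNKNOWN"
            print(f"{profile}: {label} ({note})")
```

To check a real installation, pass the parent of the profile path shown on chrome://version/ to audit_user_data_dir(); the script only reads the files.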
Project Member

Comment 46 by bugdroid1@chromium.org, Feb 26 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2

commit bf29a1600f626b2c334ea6f4e346fda89f1cd5a2
Author: vabr <vabr@chromium.org>
Date: Fri Feb 26 08:29:39 2016

Remove PasswordStore::AuthorizationPromptPolicy

The only value of this enum used in production code since we dropped the MacOS
Keychain support was "DISALLOW_PROMPT". This CL removes the whole enum.

The connection to  bug 582087  is that this CL simplifies the signature of GetLogins, which is related to fixing that bug.

This CL also fixes two missing braces pointed out by git cl lint.

R=vasilii@chromium.org
BUG= 582087 , 466638 

Review URL: https://codereview.chromium.org/1730313004

Cr-Commit-Position: refs/heads/master@{#377853}

[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/chrome/browser/password_manager/password_store_mac.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/chrome/browser/password_manager/password_store_mac.h
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/chrome/browser/password_manager/password_store_mac_unittest.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/chrome/browser/password_manager/password_store_proxy_mac.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/chrome/browser/password_manager/password_store_proxy_mac.h
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/chrome/browser/password_manager/password_store_proxy_mac_unittest.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/chrome/browser/password_manager/password_store_win.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/chrome/browser/password_manager/password_store_win.h
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/chrome/browser/password_manager/password_store_win_unittest.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/chrome/browser/password_manager/password_store_x.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/chrome/browser/password_manager/password_store_x.h
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/chrome/browser/sync/test/integration/passwords_helper.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/credential_manager_password_form_manager.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/mock_password_store.h
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_form_manager.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_form_manager.h
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_form_manager_unittest.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_manager.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_manager_client.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_manager_client.h
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_manager_unittest.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_store.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_store.h
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_store_default.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_store_default.h
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_store_default_unittest.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/password_store_unittest.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/test_password_store.cc
[modify] https://crrev.com/bf29a1600f626b2c334ea6f4e346fda89f1cd5a2/components/password_manager/core/browser/test_password_store.h

Comment 47 by vabr@chromium.org, May 23 2016

Vasilii, I just noticed that on Mac the password manager checkbox in settings has this label:
"On Mac, passwords may be saved to your Keychain and accessed or synced by other Chrome users sharing this OS X account."

Should we remove this sentence?
With the word "may" it's correct. We will drop it when everybody is migrated.

Comment 49 by and...@gmail.com, Aug 17 2016

For the people out there who don't use keychain sync but still want to sync passwords between Safari and Chrome: Is it possible to extract the code into an optional extension?
Project Member

Comment 50 by bugdroid1@chromium.org, Sep 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a1600bfcbef4ee302d6ef4be1437fe97d580a6cf

commit a1600bfcbef4ee302d6ef4be1437fe97d580a6cf
Author: vasilii <vasilii@chromium.org>
Date: Tue Sep 13 17:40:07 2016

Stop using the Keychain for passwords finally and clean up the Chrome entries there.

Design doc: https://docs.google.com/a/google.com/document/d/1dZEBkuRqW_I8KqAYbo5-RpJxSOx7JGoslmgBVzqr98A/edit?usp=sharing

BUG= 466638 

Review-Url: https://codereview.chromium.org/2323893002
Cr-Commit-Position: refs/heads/master@{#418286}

[modify] https://crrev.com/a1600bfcbef4ee302d6ef4be1437fe97d580a6cf/chrome/browser/password_manager/password_store_mac.cc
[modify] https://crrev.com/a1600bfcbef4ee302d6ef4be1437fe97d580a6cf/chrome/browser/password_manager/password_store_mac.h
[modify] https://crrev.com/a1600bfcbef4ee302d6ef4be1437fe97d580a6cf/chrome/browser/password_manager/password_store_mac_unittest.cc
[modify] https://crrev.com/a1600bfcbef4ee302d6ef4be1437fe97d580a6cf/chrome/browser/password_manager/password_store_proxy_mac.cc
[modify] https://crrev.com/a1600bfcbef4ee302d6ef4be1437fe97d580a6cf/chrome/browser/password_manager/password_store_proxy_mac.h
[modify] https://crrev.com/a1600bfcbef4ee302d6ef4be1437fe97d580a6cf/chrome/browser/password_manager/password_store_proxy_mac_unittest.cc
[modify] https://crrev.com/a1600bfcbef4ee302d6ef4be1437fe97d580a6cf/components/password_manager/core/browser/keychain_migration_status_mac.h
[modify] https://crrev.com/a1600bfcbef4ee302d6ef4be1437fe97d580a6cf/components/password_manager/core/browser/password_manager.cc
[modify] https://crrev.com/a1600bfcbef4ee302d6ef4be1437fe97d580a6cf/tools/metrics/histograms/histograms.xml

The last CL migrates the last users (2.5%) to the internal password store.
For all the others, the passwords stored in Chrome are cleaned up from the Keychain.
Chrome 54.0.2840.98 (64-bit) on mac os X Sierra 10.12.1 on a MacBook Pro 15".

I just deleted my Mac OS X login keychain to resolve some sort of Sierra specific problems with 'secd' burning 100% cpu. (man do I hate iCloud)

After rebooting and starting Chrome back up, I had to login to gmail, and to the chrome profile.  Both times I was asked for both password and security key touch (for gmail I even had to provide my user/email account).

As soon as I resolved the "Sync Error: Update Sync Passphrase..." yellow exclamation mark (by providing my sync passphrase) Chrome started dumping my 'google cloud sync' passwords into the mac os x keychain (ie. accounts _AND_ passwords become visible in 'Keychain Access').

Why is this happening?  This bug seems to imply that keychain integration should be long gone from Chrome...
A few reboots, keychain wipes and an upgrade to Version 55.0.2883.87 (64-bit) later and it seems to no longer be happening...
Can this bug be closed out (marked as fixed)?
The Keychain isn't used for passwords but I still have some refactoring work associated with this bug.
Project Member

Comment 56 by bugdroid1@chromium.org, May 30 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/efe5baba2d156238707d6d8303b2055ddb246fe2

commit efe5baba2d156238707d6d8303b2055ddb246fe2
Author: vasilii <vasilii@chromium.org>
Date: Tue May 30 16:08:14 2017

Delete PasswordStoreMac and SimplePasswordStoreMac.

Keychain usage for passwords is finally deprecated. The only functional change for the users is that we stop cleaning up the passwords in Keychain. PasswordStoreMac wasn't instantiated before this CL.

BUG= 466638 

Review-Url: https://codereview.chromium.org/2909283002
Cr-Commit-Position: refs/heads/master@{#475547}

[modify] https://crrev.com/efe5baba2d156238707d6d8303b2055ddb246fe2/chrome/browser/BUILD.gn
[modify] https://crrev.com/efe5baba2d156238707d6d8303b2055ddb246fe2/chrome/browser/password_manager/password_store_factory.cc
[delete] https://crrev.com/6a65f61585fb64600e3d9c80d29572c2a439478b/chrome/browser/password_manager/password_store_mac.cc
[delete] https://crrev.com/6a65f61585fb64600e3d9c80d29572c2a439478b/chrome/browser/password_manager/password_store_mac.h
[delete] https://crrev.com/6a65f61585fb64600e3d9c80d29572c2a439478b/chrome/browser/password_manager/password_store_mac_internal.h
[delete] https://crrev.com/6a65f61585fb64600e3d9c80d29572c2a439478b/chrome/browser/password_manager/password_store_mac_unittest.cc
[modify] https://crrev.com/efe5baba2d156238707d6d8303b2055ddb246fe2/chrome/browser/password_manager/password_store_proxy_mac.cc
[modify] https://crrev.com/efe5baba2d156238707d6d8303b2055ddb246fe2/chrome/browser/password_manager/password_store_proxy_mac.h
[modify] https://crrev.com/efe5baba2d156238707d6d8303b2055ddb246fe2/chrome/browser/password_manager/password_store_proxy_mac_unittest.cc
[delete] https://crrev.com/6a65f61585fb64600e3d9c80d29572c2a439478b/chrome/browser/password_manager/simple_password_store_mac.cc
[delete] https://crrev.com/6a65f61585fb64600e3d9c80d29572c2a439478b/chrome/browser/password_manager/simple_password_store_mac.h
[delete] https://crrev.com/6a65f61585fb64600e3d9c80d29572c2a439478b/chrome/browser/password_manager/simple_password_store_mac_unittest.cc
[modify] https://crrev.com/efe5baba2d156238707d6d8303b2055ddb246fe2/chrome/test/BUILD.gn
[modify] https://crrev.com/efe5baba2d156238707d6d8303b2055ddb246fe2/components/password_manager/core/browser/login_database.cc
[modify] https://crrev.com/efe5baba2d156238707d6d8303b2055ddb246fe2/components/password_manager/core/browser/login_database.h
[modify] https://crrev.com/efe5baba2d156238707d6d8303b2055ddb246fe2/components/password_manager/core/browser/login_database_unittest.cc
[modify] https://crrev.com/efe5baba2d156238707d6d8303b2055ddb246fe2/components/password_manager/core/browser/password_store_default.h

Status: Fixed (was: Assigned)
