New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 53 link

Starred by 427 users

Comments by non-members will not trigger notification emails to users who starred this issue.

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2008
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature



Sign in to add a comment

No Master Password Option

Reported by maxthe...@gmail.com, Sep 2 2008

Issue description

Product Version      : 0.2.149.27 (1583)

Needs an option to set a Master Password
 
Showing comments 61 - 160 of 160 Older

Comment 61 Deleted

Comment 62 by clr...@gmail.com, Jun 5 2010

Chrome it's my default browser, but, sadly, I still have to use Firefox to store my 
passwords. When will this change?
This feature it's the last one missing to the retirement of my Firefox.

Comment 63 by djda...@gmail.com, Jun 9 2010

Having just bought a low power netbo0k, I thought I'd try Chrome since it is said to be less resource intensive than than Firefox. Then I ran into this issue. Without a master password, I'm sticking with Firefox. Please reconsider.

Comment 64 Deleted

I agree with cmsoko and grinapo, this issue should be fixed, having a master password is very useful (especially as when you try and view your stored passwords in FireFox you have to reenter it), and yes it is a slight inconvenience to users (less so if you don't close chrome and just hibernate or suspend your PC) but not letting Chrome store any passwords (so know one can see them) is even more of a inconvenience!

Please Google sort this out it really can't be that difficult (um... maybe I should have a look at the chromium code and implement it myself!)
ok tl;dr past the halfway point, but i saw no one touch on this point, which differs entirely from the "everybody being able to see your passwords if they want" angle; when i set chrome to save a password, it's saved, right?  teh next time i visit that site, the password is pre-filled for me.  OR FOR ANYONE ELSE WHO VISITS THAT SITE ON MY BROWSER.

with ff, true - if you cancel the enter master password prompt, it comes back.  boo hoo for the poor soul at my house, having to use my internet and clicking "cancel" three or four times.  

which do i care more about, the fact that my friend has to use his click finger a little more than necessary, or the fact that he can get into my facebook, bank, email account, etc just by visiting the site?  

this issue is keeping me with firefox as well.  

Comment 67 Deleted

Comment 68 by Deleted ...@, Jul 21 2010

I totally agree with nghtvsion. This ISSUE is also keeping me with firefox. Example: my laptop has it's HD encrypted, is password protected, and would log you out after 5 minutes of inactivity. Still, I find useful to be able to let someone use it and walk away, without him beeing able to access all my login-protected websites.

Comment 69 by aus...@gmail.com, Jul 22 2010

This is not really a problem for MacOS users, Chrome uses the built-in Keychain access which has pretty fine grained access control.
Cool news ausman. I will buy a Mac in order to use Chrome browser to store my passwords.  Thanks for the good news. I already see the advertisement : "Try Google's advanced browser. It's free. And if you need your passwords secured is easy : just buy a Mac ." LOL

Comment 71 by Deleted ...@, Sep 23 2010

I concur. It's not that hard to implement, don't be douchebags like Apple, and listen to your users. That was why i loved you guys in the first place.

Comment 72 by gerar...@gmail.com, Sep 23 2010

Good to know it is fine with MacOS. Wondering what is doing IE on this issue? They use Crypto API and they don't show saved passwords on IE preferencies. And i really think that doing that it's JUST FINE. 

It will take a lot more time to download and execute a cracking tool, rather than clicking on preferences->Show Passwords.

If the developers think they are making it clear that the "save password" is not secure by adding the "show pass" button (instead of putting a warning), then you should know that YOU ARE WRONG. You should REMOVE THE BUTTON and add a warning. Because people save passwords anyway no matter how insecure it is!

If you are a chrome user, you fall in the following categories:
a) You don't know how insecure it is to save a password => so, you use it.
b) You know how insecure it is, but dont care. => so you use it anyway.
c) You know, and dont use it.

In cases a and b, removing the button (and warn them how insecure it is) will somewhat help them from password stealing from "non-technical users". And that is what we want, and what IE does. We don't care there are a billion cracking tools to steal passwords cause we hope our antivirus will prevent them from running.
@72

There's a difference between obfuscating/hiding the password vs. actually encrypting it via a master password.  This issue is really pushing for the latter, which is a lot more secure.  The former would be vulnerable to a cracking tool like you said, but if my laptop gets stolen and my passwords were encrypted with a master password, the thief *needs* that master password in order to access any of the passwords protected by it.  Otherwise, he has years of brute-forcing ahead of him.

Comment 74 by Deleted ...@, Oct 11 2010

DON'T BE EVIL

Just give us what we are asking for.  Most of us are even asking nicely, suppressing our urge to just blurt out what we're really thinking, which would sound something like "What the H-E-double-HockeySticks could they be THINKING?!?!"

Resistance to such a benign request make me wonder if we should audit CHROME code.  Do _their_ servers have access to our saved passwords?

AND . . . is this some of the first anecdotal evidence that the Google-is-positioning-itself-to-one-day-take-over-the-world conspiracy theory might actually have merit?  (How can you not SEE it?! They even have cars that DRIVE THEMSELVES!!!)

Please, Google.  You have the power to stop the wild speculation.  A shroud of doubt and fear is settling upon us.  Make it stop.

Just add the feature already.

It's not that big of a deal.

Comment 75 by looga...@gmail.com, Oct 11 2010

The clear text passwords are also a no go for me. But support for other password managers like gnome-keyring and kwallet is already in the dev version, it's still not perfect, but I am watching it closely. When the code is shipped in stable, I could  be satisfied.

Guys, do you know this upcoming features?

Comment 76 by djda...@gmail.com, Oct 13 2010

I am amazed that this is still getting push-back from Google and it is why I am using Firefox and will migrate to Firefox on my Android as soon as it's stable. Having support for "other password managers" is a kludge. With Firefox my encrypted passwords are automatically synced to every PC I use (and soon to Android). It's easy and I still have local control on each PC.

This is not an issue of evil people remotely stealing my passwords - if that were the case, I would have no problem with Chrome.

This is an issue of me being able to share a computer with my son and not allowing him to access my passwords.

Since there is no tool for us to see how many of us need this master-password must-have implementation, I have created a blog with one pool regarding explicitly this issue. Please vote pro or contra implementing master password in Chrome.
http://securemybrowser.blogspot.com/

Comment 78 by Deleted ...@, Jan 14 2011

I might even go as far to say that the dev is correct: a master password IS actually an 'illusion of security', but that doesn't mean that it isn't adding to security! Local users tries to view password, doesn't have master password. Now they think it's all secure, even though there may be a way for them to hack their way in. It now becomes local access + hard work to get the password rather than just local access. It's an illusion that I'd like to have available.
the problem is, that the passwords can easily be accessed in the browser settings.

sometimes someone else uses my computer. i trust this person not to install a password sniffer on my pc but it is far to easy to get the plaintext passwords. it is too comfortable to get the passwords for all my services, because they are shown in the browser options.
maybe we need no master password. maybe it is enough, when i can protect my stored passwords to be shown in the browser settings easily. please think at least about this.

thanks,
dave
If implemented correctly, a master password is far more than an illusion of security.  The master password can be used to encrypt the passwords that it protects.  With a well-chosen master password, a laptop with stored passwords could get stolen and they'd still be safe.

Comment 81 by akro...@gmail.com, Jan 16 2011

I agree it's not an illusion of security. For example, Mozilla uses its crypto subsystem it generally uses for SSL and other keys and certificates. It encrypts data with a random key, cyptographically secured with a password. The only way to crack it is by brute force or cryptanalysis - not any easier than breaking any other "real" encrypted material. As elsewhere, it all ultimately depends on your password strength: if you chose 'yo' for a password it might be quite easily cracked; if you use 'Agh4!DreE556.wd4' it is very unlikely anyone would crack it within our lifetimes (with _current_ computers it would take a lifetime of the universe, give or take a trillion years...:)

Comment 82 by gerar...@gmail.com, Jan 16 2011

Turns out that you actually can disable the "Show saved passwords" (in case you want to lend your computer to your sister). 

Here is how: http://superuser.com/questions/11977/hidden-features-of-google-chrome/233940#233940

Comment 83 by djda...@gmail.com, Jan 18 2011

Showing is one thing, using is another. Firefox will not allow you to use the saved passwords without entering your master password. That is what Chrome should do.

Comment 84 by Deleted ...@, Mar 9 2011

chrome's password manager is not at all good, anyone using my system can  see all my saved password....

do something about it
Someone please contact news sites and report this security flaw. I think so many users don't even know that a silent-keylogger is working inside their browsers. In fact, Chrome is the best keylogger out there in the market:

1. Its a trusted brand
2. It filters passwords specifically
3. It leaves no trace
4. No brainer approach - even my dog can steal my passwords
5. Most internet cafe users have no idea about this security flaw

Comment 86 by akro...@gmail.com, Mar 20 2011

@85: What are you talking about?

@82 & @84: It's actually better for the password manager to show passwords than to create the already mentioned 'illusion of security'...
Yep.. suckers save their passwords with Google Browsers. Normal people with functional brains are aware that such a quick and awesome browsers are not meant for safe storing of the passwords. 
Developer dudes, why not eliminate this function completely.. If you cannot protect our passwords, why in the name of Science would the browser store them in one place? Please let us know how to completely disable this utterly useless store passwords function from Google Chrome and Chromium browsers. 
 
We really need this feature, but I think this can be an option.

Everytime I start the browser it should ask me for the master password (or in the first time I access a site that has a password saved). This way Chrome will be able to uncrypt the passwords for the current session (or for an amount of time, or both).

Those who don't need this feature (because their users are protected) should disable this function and don't get bored typeing their password everytime they start the browser.

This way, users that need this feature will be safe and happy because we workaround this problem without giving only a 'illusion of security', since it will not be an illusion anymore.
Those users who doesn't need will be happy too, because they will be able to disable this somewhat unnecessary 'double protection'.

We need to be aware that there's not a "common use" of the computer. It is absolutely right that the 'correct way' is to ask everyone to protect their users, but we cannot impose this.

I will borrow my notebook for one week to a coworker to use some software installed in my personal computer. Everything he need to use is configured in my user. If I create another user for him, I'll need to reconfigure everything (what's a pain). So this feature would be handy for me if it exists.

Comment 89 Deleted

How can users wait from Chrome developing team to understand the problems they are facing when they are so bad organized that they have several threads for the same Issue. 
This Master Password Issues is also discuses here (perhaps other threads also.. don't have time to loose with such lack of support team and search for more) http://code.google.com/p/chromium/issues/detail?id=1397 with the same "ignoring users" solution from the part of the developing team.
Google is wondering why Android phones and tablets didn't reached the level of professionalism of Apple's products?  
Dear Google please stop playing the act of being open source and open minded and start being an open source and open minded company ( at least on those places you say you are).

Comment 91 by grin...@gmail.com, Apr 12 2011

Would you all please stop being offensively emotional? Apart from the fact that 

--password-store detect

option detects installed password storage support and seem to use them accordingly? (At least uses my gnome pw backend, and I tend to remember the same for KDE.)
@91:
What about the 99% of internet users who don't use Linux?

Comment 93 by grin...@gmail.com, Apr 12 2011

@92: Apart from commenting the mathematically handicapped I guess I've heard windoze solutions earlier than Linux ones (and spared the snide comments). Pardon me if I don't remember them as I do not use such things, but I guess you can find them if you read carefully. 
But this bug is closed anyway. IIRC other issues run the solutions to the original problem. Feel free to continue. Pardon my intrusion. Have a nice day. :-)
Am a little more confused about what you're saying now than I was before, but you have a nice day too! :-D

Comment 95 by grin...@gmail.com, Apr 13 2011

Let's be constructive. Linux solution seem to work, I have documented that I guess. Isn't there a working windows solution? I tend to remember something about using windoze's own password system... not my field, though.

Comment 96 by alfa...@gmail.com, May 4 2011

If #53 is closed and #1397 is closed, where can we vote on this feature request? 

Comment 97 by tim@chromium.org, Jun 8 2011

Cc: sermin@chromium.org vandanashah@chromium.org
 Issue 85436  has been merged into this issue.
Ditto comment 96. 
If this bug is closed, then how was the issue resolved?
4 clicks continues to display all passwords in plain text.

Whether or not this is an issue for superusers, it is clearly an issue for typical users who makeup the largest user subset. No disrespect. However, if you feel you have already described a resolution, then I will repeat unequivocally that no comment on the page above indicates a solution in a language I can understand. This remains an open question.
If you sync your data with Google, at the very least, you should be required to sign into your account before accessing passwords. 

Additionally, if you entered your an Encryption Passphrase, if one was set. 
Cc: abarth@chromium.org
 Issue 1397  has been merged into this issue.
Labels: -Area-Unknown Area-UI Feature-Passwords
Mergedinto:
Status: WontFix
 Issue 121927  has been merged into this issue.
Isherman...  Maybe you can help:
How do we open this bug again? 

It is an OBVIOUS security failure to not protect the saved passwords from being seen.
A Master Password is DEFINITELY DESIRED by the users, and the fact that there is none is one of the reasons I use Opera now. (The removal of side-tabs is the other reason.)

Thank you for your help.
As somebody who has been CCed on this bug for years and yet still didn't understand it until I talked to Ilya just now, let me try to sum up where we are right now.  There are two different threats that people want to address with a master password:

1. Can somebody logged in as you steal your passwords?
2. Are passwords stored on your hard drive encrypted?

I was worried about #2:  if somebody steals your computer or picks your old hard drive out of the trash, you don't want them to be able to read a password file and get access to all your accounts.

Chrome addresses #2 by storing your password in your operating system's keychain, which is typically encrypted with your login information, which is why you don't get a password prompt when you start your browser.  You can verify that Chrome isn't storing your passwords itself by running sqlite3 on the Login Data file in your config directory.

Other people are worrying about #1.  Hiding your passwords from someone who is sitting at your computer logged in as you *is* illusory security:  it raises the bar only a teeny bit, but for users who don't have a sophisticated understanding of what's going on behind the scenes in a web browser, it can give the false impression that their passwords are safe in this situation.

Someone who calls a solution to #1 illusionary security does not have an understanding of how Firefox deals with this issue.

Firefox effectively addresses that threat because it manages saved passwords itself.  It does not make the flawed assumption that anyone logged in as the user is the user.  Even if an attacker gains access to my machine while it is logged into my user account, Firefox's password store will not be compromised because it is secured independently.  Chrome lacks this safeguard.
That's exactly what they mean by illusory security:  it's not a solution to #1, but it looks like one, so you think you're safe when you're not.  It's raised the bar a teeny bit because a non-technical person doesn't know how to steal your passwords, and that has given you the mistaken impression that it's secure.

If someone is logged into your account, they can copy your Firefox folder and install key-logging software to capture your master password the next time you type it, and they can do it in a matter of seconds without you noticing.  If you don't trust someone with complete access to all your online services, it's very dangerous to let them use your account.

Regarding Comment 104 by AaronDB...@gmail.com:

I think this is a version of the 1st world (techy dev) vs. 3rd world (average user) issue. The disconnect being that very technical people, who tend to own (or at least control many details of) the technology they use are making decisions as if their experience is similar to a typical user with limited control of the technology in their sphere. 

I feel I've laid it out best here:
https://groups.google.com/a/googleproductforums.com/forum/#!msg/chrome/FzXClh-kNcw/Bi8qHM8wptoJ
and
https://groups.google.com/a/googleproductforums.com/d/msg/chrome/-/_uo3nSTE_X4J

Furthermore, I think it is important to recognize that raising the bar a *teeny* bit *is* raising the bar. And, what seems a *teeny* impediment to techies can actually be substantial to unsophisticated or accidental criminals in world at large.
Thanks for reading my 2¢.
I love the way that hundreds (if not thousands) of users have requested this feature (including adding additional feature requests that get merged back to this one), yet the developers steadfastly refuse to do WHAT THE USERS WANT!

I've got friends that use IE because "it's already there," and can't see why Firefox is better. I see thousands of users who use Chrome/Chromium because "it's cool," "it's fast," but won't use Firefox because I've learned *it's more secure* (the latest Pwnium proved that easily.) I won't use Chrome/Chromium or its derivatives *until this feature is added* because I prefer to use the "portable" version that doesn't install itself into my user directory (which is the only thing that would keep my Chrome passwords safe!)

Maybe SRWare will implement this in Iron and submit the patches back here...if there is no work to do (SRWare would maintain that code), would that change your mind?
This isn't illusory security at all, but rather a bias on the part of techies that recognizes computer crime only when committed by techie means. Similar to saying that cash in pockets are no safer than cash on an unattended desk, because you won't even know a *proficient* pickpocket has taken your money either way. Which completely misses the mark, because no pickpocketing skills were required to notice some spare $$ on your desk at just the time when...I seem to have run out of money for the candy machine. And, no harm right, because I'll replace it tomorrow morning before anyone misses it. Or, maybe it's easier to forget the whole thing. You won't actually miss it... ;)

The result is the same, cash casually borrowed and not returned or a quick peek at password protected content that leads to credential borrowing, snooping or downright theft. This 'accidental' or 'opportunistic' crime seems like a far more likely threat to most users than that of the master criminal. Perhaps we could even put a little math and gross estimation to this problem.

Assuming we're guarding against opportunistic crime, which is what I'm reading as the concern for most posters. Let's do a tiny bit of math and estimation. Consider the number of literate people in your sphere of influence (~75% of adults globally), you probably compute around people in which this is an underestimation. Now consider the percentage of people you know that can open a web browser or office suite but have no additional computer skills. Devs at Google are probably surrounded by people more technically inclined than this, but surely still have friends and family with minimal computer skills. Perhaps 10% or even 20% of people they interact with typically would have the capability to deploy a data logger to discreetly steal their passwords. If I were to make the same estimate of people I interact with the number however, would be quite a bit lower, perhaps 1% at best. Which I suspect is accurate for the general population. Additionally, the prospective data logger thief must be premeditated, or at least intentional. They don't simply open a page and accidentally log someones data.

So, what we are really comparing is protecting users from opportunistic/accidental criminals who are literate (75% of population) vs highly technically savvy intentional thieves (1% or far, far less of population for most computer users). Tech folks, please do the math. By my estimation and back of the napkin calculation hidden passwords protect against at least 75 times more potential crime than security measures directed at hardened key-logging criminals.
Please read Peter's comment here: http://code.google.com/p/chromium/issues/detail?id=1397#c108

Excerpting the relevant part: 
> If you're concerned about merely "casual snoopers", then you should lock your desktop (it's two keys!)

(The two keys are, on Windows, Win-L.  Other OSes have other simple & quick ways to lock the screen -- e.g. hotcorners on Mac OS X.)
Keylogging is not a "hardened criminal" thing:  someone who wants to snoop and knows how to do a web search can have it going within less than a minute.  There are many good reasons corporate security policies forbid sharing accounts and encourage locking your screen, and this is one of them.

To continue with the colorful physical metaphors:  setting a master password and sharing your account is not like putting your wallet in your pocket;  it's like leaving it on the table, closed with a zip-tie, while you leave the room.  It doesn't take any special skill to steal your money---just a moment of time and a tool anyone can pick up pretty much anywhere.

Comment 112 Deleted

Comment 113 by Deleted ...@, Apr 11 2012

What is it with you techies running the show here? In your infinite wisdom and intelligence, you don't seem to get the fact that your users want a feature, therefore you should provide it. Yes, some of us understand that the security is just illusionary, that it is very simple to install all kinds of malware and do all kinds of things if given access to someone's computer. I just wonder how you guys could be so smart and yet so dumbfoundedly blind that most no one is talking about the types of malicious users that you keep referring to! What is being referred to is how to take away the opportunity for someone to be tempted to use your password, who would otherwise not be so inclined if it were not just there staring them in the face!!!

And yes, we understand that you use Windows security that means that anyone who is logged in to my account is authenticated to see the password file. Some would argue that this is a design shortcoming that should be overcome - perhaps by providing a second level of authentication as Firefox does it according to some comments. Or, you could implement your own better solution, which is evidently in the works according to one of the developer comments.

What none of this excuses is the fact that for the past 4 years you have been proclaiming things from your lofty perch, whereas you could have done what most user-focused companies would have done and provided your users with something that they had requested - as non-optimal and illusionary as their resulting security would have been. You could have even gone the extra mile when they set a master password to let them know that they should not lull themselves into falsely believing that the extra password is anything but superficial security. Or better yet, you could have provided them with a better solution and be done with it!!!
I aggree with Comment 113....suppose I want to let someone use my desktop and/or my browser, but don't want them snooping in my passwords, or logging into my accounts? I can do that with Firefox, but not with Chrome (and I will *never* use IE).

As a lot of people have said...this is a feature they want added to the browser, and not entirely difficult to do for your talented devs. Instead of being arrogant and stonewalling your users who care enough to comment on this, just write the #@&*!~ code or let someone submit it as a patch and be done with it!
 Issue 128907  has been merged into this issue.
Status: WontFix Closed: Sep 2008  Issue 128907  has been merged into this issue.

Why no explanations as to the 'difficulties'? Is it impossible?

Why is it a seemingly complete waste of time for anyone who posts on this password issue?

Comment 117 Deleted

I really find all this a laugh towards users. The feature we are requesting is dead easy to implement and really handy if you don't want friends (or worse...) peeking around in our passwords.

Fixthis already.
Status: WontFix Closed: Sep 2008  Issue 128907  has been merged into this issue.

Odd that something that isn't necessary, isn't "doable" and isn't secure is being requested over and over by users.

Never mind, I'll just keep using a different browser instead. Maybe the Iron devs will listen to what users are clamoring for...
I agree that this should be added. It's one of the reasons I switched back to FFox. Two thoughts though:
1) It forced me to find another solution. I found lastpass that manages passwords securely across multiple browsers and, stores them securely on the WEB. Of course, I would recommend you never save any passwords to important accounts like bank websites
2) Chrome just unseated IE as the top web browser so they must be doing something right...not everything of course.
This is nothing more than the Chrome developers pretending that ChromeOS and ChromeBrowser are identical... they don't want to implement a master password on the browser because they imagine that the browser IS your OS, and they "already that" on ChromeOS.

If you use ChromeOS, you would have to log into the OS (I hope...) before using the Web (and there simply ISN'T anything else you can do).

If they implement a master password in ChromeBrowser, there is no reason to use ChromeOS, and they can jeer at how "hard" it is to keep your non-chrome OS secure, while it is "simple" to create another login on ChromeOS for another user.

They conveniently "forget" that when you run a REAL OS and have dozens if not hundreds of applications installed other than your browser, it really is NOT simple to create a user ID for another user and let them log in and use anything... it is MUCH simpler to allow them to use your own user account briefly.  (On the other hand, if you use the crippled ChromeOS, you get just a browser... no other apps to manage).

The Devs also "forget" that despite the fact that you could watch over their shoulder to make sure they don't delete all your private documents, it STILL only takes a couple of clicks and they can SEE ALL YOUR PASSWORDS... and what they see for an instant can't be erased from their mind.

Basically, the Devs are saying 'Don't use ChromeBrowser; Use ChromeOS. If you want a full featured browser but don't want our OS, we don't care about you.'

Comment 122 Deleted

Oh? How come I missed that this was already closed in 2008. 

Funny, all these nerdy comments over 4 years after final closure *chuckle* What a waste of time - please take me to the bright and happy future *whooooow is this fast? it must be chrome, I do not care about anything, I am so - whooooow! I fly!
If a "master password" isn't important, then why are people creating new issues that keep getting folded into this one? Devs, you must be NUTS to keep ignoring USERS!
 Issue 130906  has been merged into this issue.
I'm using LastPass to store my passwords. It has a master password and you have your passwords sync across different browsers. It seems chrome doesn't care about our password security. It's a pity.
Let's say your spouse or children want to use the family machine, but you still have some expectations of privacy vis-a-vis personal accounts.  Does "Win+L" solve this problem?  No it very well does not.  Does "Win+L" prevent casual snooping when you leave the room while a friend checks e-mail or his banking statement or whatever?  No it very well does not.

The simple reality is that this is an easy-to-implement solution that solves a lot of real world problems, and the Chrome developers talk over the heads of their users and claim that it's "false security".  It ISN'T.  At all. 
http://www.howtogeek.com/70146/how-secure-are-your-saved-chrome-browser-passwords/

The password file is encrypted based on your Windows account password (your master password for all intents and purposes).  Even if Chrome asked for a master password that wouldn't prevent another program from being used instead to read the password file and capture your password.
 Issue 136126  has been merged into this issue.
@ nepper@chromium.org

"Part of the issue is that if you leave your computer to other people, there are so many ways in which a determined attacker could get hold of your personal data".

Why not starting with making the "determined attacker"'s task more difficult? Say, with the insertion of a master password? Better a master password than all of our passwords here in plain air, don't you think?

I really don't get what's the big issue here. "False sense of security"? Well, you can turn the problem the way you want, but I strongly prefer A master password RATHER THAN NO master password at all.

Regards.
" Issue 136126   has been merged into this issue."

Gee, doesn't it appear that users WANT this feature if they keep requesting it over and over?

I won't use Chrome as my default OR secondary browser until this is fixed.
 Issue 144599  has been merged into this issue.
Why are we now *FOUR YEARS* later, the issue is STILL not addressed  and now on reve. Version 22.0.X.....

WHY WHY the reluctance to implement one?

If nothing else, how about a solution, enough for a "Rookie Techie"--cause them to move to next--say 128-bit encryption?  Not talking BLOWFISH. 

The entire POINT of having a Master Password, is NOT a jail break solution to keep someone *OUT*--we *ALL KNOW*---if someone wants in, they'll get in. 

Ie CIA/NSA/FBI--(amongst other no name targets). Your Normal/average/everyday user simply wants to keep people from obtaining access with NO EFFORT. Friend at lunch, walk to desk, open Chrome, settings, password, BOOM--have the keys to their checking account. 

For example, people know that when they purchase a home security system, it does *NOT* keep the bad people out, the hope is 2-scenarios---1st, simply because you have the appearance of security, they pick the next house (why bother if an alarm system??)

2nd-IF they do choose to attack your home, they have X-minutes before police are called and arrive.

That is what your average user wants/needs (have you *EVER*--seen an "uproar" over the Master Password in Firefox?? Even *ONE* Hack/News article?

The point is, *MOST PEOPLE*--are tolerant of fault. I mean, how does Twitter keep it's user base, with a "Fail Whale" about one time a month???? With a Master Password, they go to bed saying "Well, least I tried" --if "Hacked"(they don't blame anyone)

*HOWEVER*--once Chrome starts getting attacked, people *WILL* ask, "how was a bad guy able to get my password", When explained, it was held in an unencrypted DB, that a freely available tool was used. Even a non-techie can get your passwords using Nirsoft’s Chromepass to get a full list of all usernames/passwords –saved to a flat file in 10-seconds or less!!! 

Even people like my 95-year old Aunt will ask "well, why don't they have a security system, like the neighbors, to keep the bad guys out". 

A VERY LOGICAL question and VERY LOGICAL solution. 

I find it * EXTREMELY* hard to believe there is a "Mission Critical" decision (involving inability to dev. property security/thus have *NO SECURITY AT ALL*). 

PLEASE that statement is *IGNORANT* at best, and were I to put on my tin foil hat, I might even be convinced to believe *THERE IS* a "MISSION CRITICAL* (whatever it might be)--reason *NOT* to encrypt/deploy password protection. 

It makes NO LOGICAL sense, not to imbed one *OR* not to encrypt saved pw's. 

Dear lord, if you think 2-step PW's are "not important, unless fool proof"--Next time you go to lunch, leave your desktop open/without a pw, see what havoc your "techie friends" do on your DEV computer!

That's the most *LOGICAL* way to explain the need. If Chrome does not need it, then *YOU* do not need to lock your Linux desktop when away, you do not need to lock your car, you do not need to lock your door to your home. I mean, it's not "fail safe"--so why bother?
As somebody who uses multiple different devices in different places, the lack of a master password is just ridiculous. How would google even expect to have something like firefox sync, if all a person has to do to get the passwords is simply open chrome/chromium ?

No thank you. Until this is fixed chromium will just be fancy browser used for incognito sessions.
 Issue 124558  has been merged into this issue.
I tried searching for this issue and made my own that is now merged in. THIS IS A PROBLEM AND NEEDS TO BE FIXED.
Project Member

Comment 137 by bugdroid1@chromium.org, Mar 11 2013

Labels: -Area-UI -Feature-Passwords Cr-UI-Browser-Passwords Cr-UI
Passwords are already encrypted in the "Login Data" file with your OS login information, per issue 99482. This is a problem for two reasons:

1. If you reinstall your OS, you can't migrate your passwords.
2. If you install Chrome on a portable drive, to be used on multiple computers, your passwords will appear blank on all but the original machine.

Would explicit encryption with a master password solve these problems?
 Issue 269914  has been merged into this issue.
 Issue 269914  has been merged into this issue.

Comment 141 by wfh@chromium.org, Aug 8 2013

 Issue 270133  has been merged into this issue.
Seeing as this is something people have been repeatedly asking for for nearly FIVE YEARS, this is something that the Chromium devs should DO?
It should be trivial to encrypt the passwords with the Master Password rather than the OS login information.

Comment 143 by wfh@chromium.org, Aug 12 2013

 Issue 270679  has been merged into this issue.
Since I reported this bug in '08 until Mashable reported on it last week (http://mashable.com/2013/08/07/chrome-password-security/), all Chrome users want is some form of authentication immediately before the "show" passwords functions shows your passwords in plain text. That is all we ask.
IMO, the passwords can be encrypted in the "Login Data" file using the OS login information, but additionally, in Chrome while accessing the "manage passwords" form, uppon the first click on "show", a master password should be requested, it does not have to be something very fancy, but would do the work for instance while at work someone misses to lock the laptop and someone else can sneak in and steal all your stored pwds...
The thing that bites me is that keeping my most important passwords (like my bank password) out of Chrome and the Google system on OS X is a serious PITA due to  issue 43969 . I have to click on 10 "deny" buttons every time I restart Chrome.
Wait, does this mean that I just uploaded all my passwords without encryption onto the Google web-servers?! I got a warning e-Mail from our universities IT department recently that this happens with people pushing their WLAN passwords on Android devices into the cloud.
no, it doesn't mean that at all.  please read the documentation:
http://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html#signin
 Issue 330752  has been merged into this issue.
Hey @vapier, any thoughts on my comment #138?
Looks like the issue has been fixed in the current Dev build in Windows.
When pressing the "Show" button, Chrome asks for the user's OS password.

Chrome version: 33.0.1750.5 Dev


Chrome Flags has a flag to disable this:
Disable Password Manager Reauthentication
Mac, Windows

Since Mac is a supported platform to disable the extra authentication, I guess it also works on Mac and not yet on Linux/Chrome OS.

Chrome password encryption.png
15.8 KB View Download
 Issue 355254  has been merged into this issue.
Version 33.0.1750.154 now has the same pane - and it just shows the selected password not the whole lot. Great work guys. :-)
Hi Guys,

Can someone take a look at this  Issue #355254  ? on https://code.google.com/p/chromium/issues/detail?id=355254

It's totally different with issues  #53 , please take a look at my screenshot for details, and try my steps by for "Inspect Element", you will find the big difference.
Screen Shot 2014-03-22 at 23.12.17.png
297 KB View Download
 Issue 355254  has been merged into this issue.
 Issue 359972  has been merged into this issue.

Comment 157 Deleted

My request has been ignored hence I have unsubscribed from this issue like 3 years ago. Since then the issue has been merged with other issues and each time a merge occurs I receive emails. I don't want to receive any more info about this browser since I stop using it. Stop the spam. Thanks.

And how do I unsubscribe, been so long didn't have too ( ~4-5 moths ) I forgot how to do it. Thanks
 Issue 359972  has been merged into this issue.

Comment 160 by hira...@gmail.com, Feb 24 2018

This is more serious than someone just viewing your password.

In Windows, since no master password is used, any malware that tricks the user to run with admin rights can ask Windows to decrypt and access to all Chrome passwords (see https://www.hackread.com/flight-simulator-lab-chrome-password-stealer-piracy-check-tool/).

This is so easy anyone can write some small code to do this, and there are utilities which already exist (see http://securityxploded.com/chrome-password-dump.php).

You guys seriously need to rethink the policy here. The sense of security is not false if you add a master password - it may very well save a ton of people from getting their passwords hacked.
Showing comments 61 - 160 of 160 Older

Sign in to add a comment