New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 663321 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Email to this user bounced
Closed: Nov 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug



Sign in to add a comment

Chrome showing saved password irregardless of policy

Project Member Reported by djeche@google.com, Nov 8 2016

Issue description

Version: 54.0.2840.87 m 
OS: Windows

What steps will reproduce the problem?
(1) Implement policy via admin panel
(2) Save password via login form
(3) Go to passwords.google.com and the show password option will be available

What is the expected output?

The expected output is that password should not be visible to user if the policy has been configured to not allow this. 

What do you see instead?

We see that we are able to show the password when we visit the password store.

Please use labels and text to provide additional information.


The image for this particular issue are located at the following google drive folder: https://drive.google.com/drive/folders/0B9BQIK7d0CYNNEMtMndlNTdmOWc?usp=sharing

so far we have only tested on windows but issue seems to spread to all versions.

It appears as though the policy is not applying whether it be GPO or admin console.
 
According to https://www.chromium.org/administrators/policy-list-3#PasswordManagerAllowShowPasswords the policy seems to be deprecated and I think that's a good thing.

A user can always go to a website, get the password autofilled and use DevTools to inspect the value of the password. We get tons of bug reports about this and cannot fix it. https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools-

I suggest to close as won't fix.

Comment 2 by vabr@chromium.org, Nov 9 2016

Labels: Hotlist-Polish
Status: WontFix (was: Untriaged)
Thanks for the report, and for the answer. Fully agree with battre@ here.

Sign in to add a comment