New issue
Advanced search Search tips
Starred by 357 users

Comments by non-members will not trigger notification emails to users who starred this issue.

Issue metadata

Status: Duplicate
Owner: ----
Closed: Mar 2011
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Feature

Restricted
  • Only users with Commit permission may comment.



Sign in to add a comment

Profile/login support

Reported by eurydice...@gmail.com, Sep 3 2008

Issue description

Product Suggestion: Allow the user to log into Chrome. Thus I could have 
Chrome on two  different machines and when I log into my Chrome, I get the 
same settings/bookmarks/history, incl. when I use Chrome on someone else's 
computer. 


 
Showing comments 34 - 133 of 133 Older
Yes, they are fundamentally different.

A master password is about protecting the locally stored passwords in a real life 
situation.

Browser sync is about storing your browser data (not just passwords) online.

If this is google's implementation of a master password, I can expect a lot of dissatisfied customers, myself being one of them.
(for my first statment see the design doc for master passwords, 
http://docs.google.com/Doc?id=dhn2skdg_1fwvbb3cb this shows the reasons that it should 
be implemented. Which are completely different to why this feature should be 
implemented)
Summary: Profile/login support
This bug is about implementing the ability to "log in" to the browser.  One potential 
ramification of that is that the login could be used to sync data between remote 
instances.  Another is that the login could be used to protect local data.

This bug implies support for a "guest"/non-login account in addition to the other 
account(s).

This bug may also cover the following additions:
* Auto-login support a la Google Talk, for users who don't wish to type passwords on 
every launch
* Securing the password store with the login password, a la a "master password"

Note that when you combine the above two bullets, you get an equivalent to a "master 
password" w.r.t. the ability to view stored passwords, which is the primary use case 
posited by those who want a master password.  You can also turn off auto-login and 
use the "guest" account for untrusted users of your machine if you need to prevent 
people from using your passwords at all (e.g. for sites where you're logged in via a 
cookie).
Further note: Syncing certain kinds of data is already going in separately from this 
bug.  For example, bookmark sync is a Chrome 4 feature.  This bug covers a particular 
UI implementation of profile support on the client side.
thank you pk, i absolutly agree with your view finally, thanks for listening to users 
and finally clear your intentions. I hope this can land soon, hopefully in mstone4. 
thanks again!
Hi all,

I understand that there are a lot of people who would like to this feature, and get a
good sense for what the needs are from reading this detailed thread.

This being said, I want to set expectations: multiple profile support is something
we're looking into, but we won't implement it unless we come up with a UI we're
really happy with. I'm hopeful this will happen, but I don't know for sure.

It definitely won't happen for mstone4, as our first priority is shipping bookmark
sync. I'll update this bug when we have more progress on this.

-Nick
 Issue 26681  has been merged into this issue.
 Issue 9199  has been merged into this issue.
Using the firefox master password I am able to migrate saved passwords between profiles 
(windows and linux), by copying the signons3.txt (now changed to signons.sqlite) and 
key3.db to the new profile. I could then access my saved passwords on the new machine 
or OS (using the same master password). This has proved to be very convenient. The only 
improvement I could want would be keeping the encrypted passwords on-line in my google 
account (only decrypted in the browser). In this way, newly added passwords / sites 
would be available to all my browser profiles on different machines / OS.

Comment 43 by Deleted ...@, Nov 6 2009

To Gregor Larson: on Firefox you have Weave to do just that, synchronise passwords
(and more) with all your browsers. Though, this topic is about Chrome.

To all, especially Chrome devs: the login feature should allow decrypting the saved
passwords (just like the 'Master password' on Firefox) but there *MUST* be a way to
timeout the sessions IMHO, that is to wipe the session after xx minutes, or
hibernate/suspend/switch user etc. This has to be configurable and activable/deactivable.
@sforestier that is the way it is with the current Bookmarks Sync, which this feature 
is based on.
The sessions ends after a while and you need to re-login. Right, it does not happen 
after a few hours, but after a few days, but still.
I guess you will have the option to configure that, for increased security.
I know some users do not want to be bothered by being asked for the credentials over 
and over again (like me, once is definitely enough), but some do.
My personal complaint was limited to the ability to go to the options menu and access 
all of the passwords. At the bare minimum, I think it prudent to require the user to 
enter a master password to be able to view the passwords. An alternative would be: Just 
don't show the passwords in the options menu. Only show stars, or any mask.
if this one will be fixed it would be epical for browsers history!

- you logon and you have:
your theme;
your extensions;
your bookmarks;
your NTP;
your stored account/passwords.

so you can access to YOUR browser everywhere! no more problems beeing in another 
house, accessing the network from another pc. if you will support this... you'll 
change what a browser is!! think about it... ;)
I think stored accounts/passwords really need special handling. If you think about
it, passwords are the most sensitive information most users handle on a day-to-day
basis. Because of the exposure and risk a list of accounts and passwords represent,
they deserve an extra layer of protection against disclosure and loss. The reason
stand-alone password-safes are popular is because they allow users (who are not IT
professionals) control their data. The master password from firefox provided a
similar level of control. Even if the computer, or a backup of the computer, was
stolen, the master password, like the password to their password-safe, will protect
their sensitive information.

As far as protecting the password-safe with their regular login password, this is
problematic. There are some instances were regular login passwords are disclosed or
reset which would result in the disclosure or loss of the password-safe. If the
trusted IT person needs my login password to fix something, he will probably get it
(I will just reset it before / after he is done). If asked for their password-safe or
Master Password, that would raise the suspicion of most users.

Again, this is not about computer science and technical feasibility of protecting
data with the login password. It is about creating a mechanism that *is* safe and
with which the average user can understand and *feel* safe and in-control.
In regards to this particular line in Gregor Larson's post:
"It is about creating a mechanism that *is* safe and with which the average user can 
understand and *feel* safe and in-control."

Whilst I'm not disputing that security measures need to be put in place, a false 
sense of security is just as dangerous as no security in a lot of situations.

Users need to understand both the benifits, and the dangers, of saving their 
passwords locally. It's not about making them FEEL safe. It's about trying to keep 
them as safe as possible, whilst still informing them of the danger so they can make 
an informed decision.
The truth of the matter is that security is not binary (on or off) there are many 
levels. I suggest we take a step back from digital security and looking at physical 
home security.

It is well known that locking your door is not enough to keep anyone from entering 
through that doorway. The door may always be broke down with brute force and a more 
skilled individual may be able to pick the lock. Even with this knowledge, and with 
stronger security measures in place, I still lock my door because I know there are 
those who are relatively trusted and allowed past the stronger defenses, but would 
consider an unlocked door an invitation to enter an area they normally would not. 
Thus, while still a form of security, the lock is only meant as a stern suggestion to 
turn away. (Just think of the lock on a household's bathroom door.)

While a master password does not truly secure the data it protects, I want a password 
vault without a master password as much as I want a front door without a lock. I do 
understand the feeling that providing a master password may be misleading, but it is 
not useless. I would ask that a master password be provided for the password vault 
regardless of whether there was some prior login. Add a disclaimer if you feel you 
must, but please provide the option.
Securing the passwords with a master password is stupid and useless.
It has nothing to do with locking the front door. Your firewall/antivirus/OS Securety 
is the front door of your house.
Is someone just broke down a 10 inch steel door they wont stop at a locked filing 
cabinet :-)

50th comment forced me to comment first time in this thread, by making most stupid 
comment on this thread. Do you mean to say every other password is also useless? 10 
inch steel door has nothing to do with a password protected profile. It is just like 
any other password protected software, and it has meaning.
If i have access to your computer all the password protected files in the world wont 
save you. The first time you use a password in your browser (and thus type the master 
password) i have access to all your password.
Any virus / spyware / mallware can do this
A master password in a browser is giving stupid users a stupid and false sense of 
securety. Nothing else.

Password porotecting and encrypting files can be very useful for preventing data 
theft if someone physically steals your computer or usb key.
A password protected file still provides some securety on a compromised system, as 
long as you dont use it (type the password).
But password protecting browser passwords is utterly useless. You would end up typing 
that password several times every day and if your system was ever got compromised the 
password would provide no protection at all.

Comment 53 by estma...@gmail.com, Nov 10 2009

Obviously if your system is compromised then no passwords are going to save you, but I don't think the 
master password is meant for that. It's supposed to keep my passwords safe from the casual user who 
has access to my computer but has no bad intentions. I have no problem sharing my computer with my 
friends, but I don't want them to be able to see my passwords with two mouse clicks. 
#53 makes a good point: For me, too, it's about someone browsing through the Chrome 
menus and "accidently" seeing my passwords in plain text; not so much about perfect 
security in case the computer is lost or stolen. (Anyway, the file IS encrypted 
already if I understand the discussion correctly. And resetting the Windows user 
account password from outside of windows makes encrypted files inaccessible, as far 
as I know.)

Scenario: My laptop is being used as a jukebox on a party. No one knows my windows-
password, because I logon myself. However, several people shall be able to adapt the 
playlist, so locking the system is no option. People with bad/funny intentions 
should not be able to see passwords with only a few clicks. I don't care too much if 
someone wants to read my mail or to logon to facebook as me, because the damage one 
can do there is limited - especially in a situation where you don't have infinite 
time. But knowing my plaintext passwords allows someone to read my mail continously 
without me knowing it, or even change my password and making me lose access to my 
mail. And gettig the password is easy at the moment, 4 or 5 clicks in the menu, 
pretending you are looking for cookie options (which is only 1 click away) in case 
you are caught in action.

What about this: Leave everything as it is, but make the user need to enter his 
Windows password in order to view all passwords in plain text (or delete them). 
Autologin to websites using stored passwords should still work without any entering 
of passwords.

Advantages:
- no bothering in normal surfing
- no Chrome-internal password management necessary
- no additional password to remember for the user
- harder for keyloggers to record the password, as it is typed in very rarely (who 
NEEDS to view his passwords in plain text on a regular basis, anyway?)
- no false sense of security: People either won't notice that their passwords are 
encrypted and protected (because they are never asked for a password at Chrome 
installation), or they know it's only protected by their Windows password. People 
SHOULD know better than to give other people their Windows password. Especially 
since on Windows 7, the Users' folders are auto-shared within a private network, and 
accessible with the user account's password.

Disadvantages:
- I don't see any, compared to the current situation.
I have a better idea - when you want to share your computer, have them use the Guest account... It 
saves you from all these hassles.
I'm surprised this is even being discussed as I feel it is a near-necessary feature. Just use the 
Windows password as a default master password, or if they have none, let them specify. Or just make 
password saving an option they must manually enable.

Personally, I wasn't even aware you could see my passwords in plain text, and sometimes I let others 
use my computer real quick--and this just scared me. The only option for me was to disable password 
saving, delete them all, and just let the cookies do the work. I'm fine with that, but I think a 
"Master Password" would be a better solution.

Comment 57 by jaysc...@gmail.com, Nov 11 2009

Comment 50's author needs to read up on the concept of a password safe. Using a master 
password to secure multiple passwords isn't "useless" or "stupid". It combines the 
security of a unique (preferably machine-generated) password for each online account 
with the convenience of only having to remember one password.
 Issue 29877  has been merged into this issue.
I want master password too... Those who don't want please need not comment. Chrome is
so cool to use but I have to switch to firefox now & then when I can't remember the
password for a particular forum. For virus & malware attacks we have good antivirus
programs.
I am really  tired of this talk... Some people want masterpasword, some people say is 
useless. What about make it optional and stop all this nonsense talk? For me would be a 
step ahead. Also must find a way not to receive news on this issue. Is boring that in 
one year is just kindergarten talk (good for me... no you are stupid, is no good...).
Best Regards.

Comment 61 by stols...@gmail.com, Dec 10 2009

People saying a master password is useless have NO CLUE WHATSOEVER about security. 
NONE. It's that simple. Please just shut the fuck up already, will you?

Make it optional - this is how Firefox behaves, is it not? (If you have blank 
password, it is "off").

Encrypt the passwords on disk using some nice algorithm employing only the password 
as key. If you loose your password, you're fscked - unless it was simple, in which 
case you can feasibly brute force it. Get some actual crypto-folks on this, helping 
out with the intricacies, of which there are many.

Comment 62 by Deleted ...@, Dec 10 2009

A master password is nice, but I don't think it's *necessary*.  Nor do I think that 
people who believe it isn't necessary are clueless.

You are already logged into the machine and have already authenticated.  Adding another 
layer of security to that security is largely redundant, given the passwords are stored 
encrypted using a hash based on the current user's credentials.  

This simplifies the system and allows users to use password recovery techniques that 
are well known and built-in to the various OSes they are using currently.  
Reimplementing the various pieces that are already available in their native flavors on 
each OS in the browser itself is just additional risk and bloat.

As an aside, this conversation is valuable otherwise it wouldn't be discussed.  You 
should be careful to say that parts of it are not valuable... it's all valuable :)
@stolsvik: Please keep a civil tone.  There's no need for personal attacks or foul
language.

Comment 64 by stols...@gmail.com, Dec 10 2009

Read all the comments above. It has been argued THOROUGHLY why such a second layer of 
security is very much in demand. I don't understand why one whine more about it.

All arguments have been presented. It is silly to keep this open. I'm very fed up by 
the people arguing against 100% valid points with points that I, personally, feel is 
utter BS.

If the @chromium'ers WILL NOT DO THIS, optional or not, then just tell us and close 
this damn issue already. And then we, that are waiting for it, will have to decide 
whether we feel this browser is secure enough or not - and then consider other 
browsers, or hopefully someone will step up and fork a secure version of this 
otherwise nice browser! :-)

Comment 65 by estma...@gmail.com, Dec 10 2009

Comment 39 states that they'll look at implementing this only if they get a good ui, 
and that they have other features as a priority.

The problem, to me, is that they've merged what are actually two separate issues. One 
is support for multiple profiles (which is the original issue) and the other is a 
master password (about 4 requests for that have been merged with this issue). The 
last 15 or so comments are all talking specifically about the master password with no 
mention of profiles. I for one have no need/desire for multiple profiles in my 
browser. I don't use them in Firefox and I wouldn't use them in Chrome. I do very 
much want a master password though.

I understand that implementing the profile feature could also take care of the master 
password concern, but to me the master password should have a much higher priority. 
It should be implemented regardless of when/if profile support is added. I'm not 
saying there aren't any, but I can't think of any other program that lets you view 
passwords in plain text without some sort of authentication (or at least the option).
Roaming profile (bookmarks, etc.) is cool - you can save this under your google 
account - so no need for "master password" here...

Also, in my opinion, I don't see the point of having "other passwords" if you need a 
"master password"... Use the same password then for your forums or whatever else... 
or use cookies instead...

I don't believe in "saving password" anyways so if you do, why do you need an extra 
one?
Everybody knows what happened with "the one to rule them all" :-)

Cheers

Comment 67 by stols...@gmail.com, Dec 11 2009

Incredible. Just incredible. And one have to argue against such complete brilliance?

In other news, I wholeheartedly agree with @esmatic at comment #65: I indeed argued 
against the mangling together of these two rather unrelated features at comment #33, to 
no avail.

Comment 68 by estma...@gmail.com, Dec 15 2009

At least the mac version uses OSX's built-in keychain for stored passwords. You have to 
authenticate before it'll show you the password in plain text.
@64: A master password was  issue 1397 .  That issue is closed.  We will not implement 
a master password.  Not now, not ever.  Arguing for it won't make it happen.  "A 
bunch of people would like it" won't make it happen.  Our design decisions are not 
democratic.  You cannot always have what you want.  (Not that swearing at people and 
denigrating anyone who disagrees with you would help your case any, either...)

This bug is about doing other things which may address the same use cases.  If you 
are unsatisfied with that, you are free to use Chrome extensions that keep a 
protected, cloud-based password store, or to use Firefox.  But stop trying to hijack 
this bug to be about master passwords.  We closed  issue 1397  for a reason, not to 
have the discussion migrate to here.  Don't make us lock the bug to further comments 
or delete all the off-topic ones above.

Comment 70 by stols...@gmail.com, Dec 18 2009

@pkasting: You were the exact one that ***merged***  issue 1397  into this issue. Don't 
you come arguing here with "that issue is closed", because that is complete and utter 
BS - you *merged* it into this issue. Several people found that not very helpful (aka 
"absurd"), but *you* were the one that did it.

"Comment 31 by pkasting@chromium.org, Oct 20, 2009
  Issue 1397   has been merged into this issue."

However, if you say that Google/Chrome/Chromium will never have a *master password 
for the password store*, then that is fully okay with *me*, I'll just have to factor 
it into my use of this browser.

I really have no idea what this issue is about, so I'll just get the fuck outta here.
Staff, what are the extensions?
Stop troubling!

If engineers Chrome don't want to work it, do extensions.
This also serves to  Issue 8022 .
@pkasting
This is same attitude like Apple and Microsoft. You are write, this is not democracy.  This is the way of Google... walk with us of shut up.

I want to unsubscribe from this thread since I didn't subscribe to this - you subscribe me without even asking . You say people try to hijack this bug to be about master passwords. If you are so clever, when you merge   
   Issue 1397    into this one, why didn't you give people possibility to subscribe or unsubscribe to the new Issue? I see no unsubscribe option, I just find myself waiting news on master-password then you dictatorial 
comment . Maybe this is also no democracy, once in , no way out.... 

Comment 73 Deleted

For people who want chrome master-password, seems that you can give your suggestion here http://www.google.com/support/chrome/bin/static.py?page=suggestions.cs&issue=107378&bucket=15652
If we are enough suggesting, maybe some day will be implemented. So this falls from bug-issue category to suggestion category.
@70: Yes,  issue 1397  was merged in precisely because, as I said above, "This bug is 
about doing other things which may address the same use cases."

@72: Click the little star near the top of the page by " Issue 812 " to turn it off, and 
stop receiving mails.
thanks... 
I don't want dictatorship too so I log off from this issue. Thanks pkasting.

Comment 78 by stols...@gmail.com, Dec 18 2009

@pkasting: Moron. Bye.

Comment 79 by oritm@chromium.org, Dec 18 2009

Labels: -Area-BrowserUI Area-UI-Features
Area-UI-Features label replaces Area-BrowserUI label

Comment 80 by Deleted ...@, Jan 4 2010

i bet if the media jumped on this master password issue, they would implement it in a 
day...

heres another thought... lets try get in the google offices and get their passwords... 

again, after that, master password would be implemented in a day...


 Issue 33355  has been merged into this issue.
@69: since you seem to be a really smart guy, have you ever tried to think to what 
could happen if, say in three months from now, a bug is discovered in Chrome that 
allows an attacker to remotely retrieve the content of a local file ?

This is only one of the (many) possible scenarios where a master password, stupid as a 
security measure as it surely is, can help saving your life. So, why can't you put off 
your pride for a second and try to understand what people is trying to tell you ? 

Comment 83 by dhw@chromium.org, Feb 1 2010

 Issue 33999  has been merged into this issue.
I really don't see why 'Master password' issue was merged with this one, but that 
could just be me.

Since that issue has been closed, I'll post my comment here also.


I don't see why there should be so much fuss about this issue. Just implement the 
damn master password and 
those who want it can use it and those who don't care won't use it. 

It can't be that simple to view someone's stored passwords, just clicking a button! 
And it's at plain sight 
on Chrome's options!

We're not asking for much here (at least not me) Just a simple master password to 
make it a bit more 
difficult for person X using my PC to see all my stored passwords. Of course there 
are ways to circumvent 
this, just as there are ways to circumvent a lock on someone's door. That doesn't 
mean we shouldn't use 
locks!!

I just can't believe this issue hasn't been addressed yet.
Because chrome os will have similar feature, which is to load all your data with a 
single login.

Just wait until they worked out this feature on chrome os. it'll be here soon 
afterward.

Comment 86 by dav3m...@gmail.com, Feb 13 2010

Like gabrielperren (comment 84) I too see no reason to confuse the very 
straightforward "master password" feature with this one.

When at home, I log in on my laptop as local admin (using a default company 
password). When at work, I log in using my domain login & password.

Other family members use this PC for browsing (only) - requesting that I create a 
separate user account for each family member is unrealistic and would be a huge step 
backwards in speed terms for multiple people using the same PC for browsing.

Will whoever the security tit in Google is get off their high horse and just 
implement the friggin feature. Excuse the anger - but not implementing this is 
inexcusable.

This *can* be done easily and securely:

1. Enforce a complex password (>=8, upper+lower+digits+puct)
2. Use the password as the basis of a 256-bit AES key
[E.g. SHA-256 hash a combo of the user password with logged in username and 
computername]
3. Use this key to encrypt a hash of the password (for verification of master PW).
4. Use this key to encrypt the passwords before storing in the OS crypto mechanism.
5. Provide options to:
a. Prompt for master password every time it could be used
b. Time-out master password after xx minutes

I installed and evaluated Google Chrome today for the first time. I'm very impressed 
with UI and performance. However, I will be uninstalling and going back to Firefox 
(maybe I'll have a quick look at Opera).

I'll come back once Master Password is implemented.

All the best.

Dave

Comment 87 by grin...@gmail.com, Feb 17 2010

Opera does use master pw and times it out properly. Actually better than FF.
Labels: -Area-UI-Features Area-UI
guys, just use lastpass 
(https://chrome.google.com/extensions/detail/hdokiejnpimakedhajhdlcegeplioahd?hl=de) 
or any other similar extension for chrome and stop hijacking the thread please..
Chrome already save our bookmarks in our Google account... If the dev-team is ok, it 
would be an interessant feature...

If not, a plugin will be good too... ^^

Comment 92 by grin...@gmail.com, Feb 18 2010

re Comment #90: No. Their unaudited hidden code stores your credentials on their 
servers. Maybe encrypted. Maybe not even decryptable by them. This method is as 
trusted as the company is. Not at all, that is. 

All this about is to store passwords locally, encrypted, using strong master pw, and 
timeout it properly. Extension or not. But as any encryption sane people would use it 
have to have open source to review. (Or you could use "wonder" and "ultimate" 
solutions from any windows shareware collection using XOR. :-D)

Comment 93 Deleted

Comment 94 by grin...@gmail.com, Mar 1 2010

By the was it's been nice to have  Issue 53  and  Issue 1397  closed, but just as a 
sidenote they are still accumulating comments. And it seems to be pretty hard to 
track what is happening master-password-wise around. 

I mentioned in  Issue 53  (among the lack of results of the debate) FireFox and its 
FIPS mode, which uses master password while keeping FIPS vertification, which means 
it's possible to have gov't grade security with MP. Ignoring that isn't constructive 
in this debate (though why do we have to debate that is beyond me). 

I'm not familiar with internals, but master password seem to be consisting of:
- implementing [strong] encryption module to encrypt password site data and password 
data
- implementing its saving and retrieval
- implementing master password interface (and preventing deadlocks between 
threads/tasks of chromium requesting it)
- implementing master pw expiration

Of course I see there are many small issues (like trying master pw not to enter swap 
and other files) but many of those can be peeked at firefox's implementation as a 
cheat sheet. 

But yes, I have to repeat that I wouldn't save _any_ credentials in Chromium/Chrome 
unless it's encrypted with password, which means basically not using it seriously.

Comment 95 by grin...@gmail.com, Mar 1 2010

By the way (um, seems I don't really trust to change the flow of events here, so just 
thinking aloud)  Issue 25404  (encrypting passwords),  Issue 31087  (enable FIPS), Issue 
8205 (password manager) and  Issue 12351  (password management) is related as well.  
Probably even more I didn't notice.

Comment 96 by grin...@gmail.com, Mar 1 2010

Wouldn't it be just nice to *reopen* master password issue and handle these 
separately, by the way? 
 Issue 37282  has been merged into this issue.
Just to illustrate this issue. I had just converted my friend to using google chrome 
because it is faster. Last week, a group of friends (including myself) were in her 
room, she went to get a drink, logging out of facebook before leaving, however we 
just hit refresh to have the password field filled out for us. Her facebook details 
were edited within about three seconds of leaving the room.

She is now using firefox again.

I know that this problem really doesn't affect the developers as they see it as a 
'theoretical' security risk, due to the problems implementing storage for saved 
passwords. However the current system is a 'real life' security risk, and a lot 
easier to bypass in real life and therefore a lot less secure!

When will developers realise that this is something that people actually look for in 
a browser! People look for functions like this above speed and a nice UI! You must 
have access to some market research in this field?

Best regards, Philip Bembridge
In response to the person commenting that we should just use lastpass; this is third 
party code which hasn't been reviewed, tested and it still stores your passwords on a 
central database.
From now on comments by non-members will not trigger notification emails to users who 
starred this issue.
@philipbe...@gmail.com - you are talking about a whole other issue. File a new issue for it.

Comment 102 Deleted

Since currently the passwords are encrypted with the windows credentials, does that 
mean there is no way to recover the list and export if the windows crashes and needs to 
be reinstalled?
 Issue 40314  has been merged into this issue.
Please implement a master password system. I'm thinking about writing a few articles on 
this issue and the general response/comments made by chromium developers along with the 
dismissal of the views of their users etc.
 Issue 42083  has been merged into this issue.

Comment 107 by risc...@gmail.com, Apr 21 2010

I'm still waiting for better protection on Chrome Internet & OS in such way it does 
not store unencrypted banking details or account (ebay/paypal for example) within 
history or stored password manager section. I have previously proposed to encrypt the 
password manager, only accessible by admin or parent, this avoid other too smart kids 
to buy XBox without informing parent(!). It seem they preferred to talk talk talk and 
do nothing do far.
I cannot turn off the password as it is needed to access so many website requiring 
user logon.
 

Comment 108 Deleted

Comment 109 Deleted

Comment 110 Deleted

 Issue 45523  has been merged into this issue.

Comment 112 Deleted

Comment 113 Deleted

Comment 114 Deleted

Comment 115 Deleted

On a software discussion group I moderate, a number of people have indicated that they won't use Chrome or Chromium due to its lack of a master password to protect stored passwords. Their lack of use of the browser means they won't participate in bug reports, so I thought I would add their objections here myself.

Comment 117 Deleted

Since there is no tool for us to see how many of us need this master-password must-have implementation, I have created a blog with one pool regarding explicitly this issue. Please vote pro or contra implementing master password in Chrome.
http://securemybrowser.blogspot.com/
It is indeed way to easy now to view someones saved passwords. If you leave your computer alone for just one minute, someone could easily write down your passwords and log in to all your accounts at their own computer. With a master password they can only log in at your saved sites in the one minute you are gone, and not at their own computer.
Although this doesn't provide maximum security, it increases it a lot.
Chromium don't hide the stored passwords in the option panel !!! Why encrypt passwords on the hard drive ?

My solution :
It's not mandatory to put the possibility to show them. Just show the url and login only in this panel. Don't forget in every site there is a password recovery link !

In the current context if someone use my pc he can see all my passwords without install some keyloggers or specifiq programs !!! It's very dangerous for our privacy !

So if Chromium mustn't have Master Password, please you should to hide them ! I think  it's the best answer to resolve this problem !

I like chromium but this problem is a Master Problem !!!!!

:)
BUMP from  issue 9199 : 
Does the "Mergedinto: 812" [for 9199] mean that resolving 812 will provide a way to legitimately migrate saved passwords onto a new machine under same user's control, and onto a fresh installation of OS on the same old machine?
In case this helps, it seems like you can configure (enable or disable) the "Show passwords" button from the registry.
For more information, see this page -
http://dev.chromium.org/administrators/policy-list-3#PasswordManagerAllowShowPasswords

Comment 123 Deleted

Thanks phist...@chromium.org ! I will test this when I will come back home

Comment 125 by Deleted ...@, Nov 14 2010

I think Google just wants to control all of the accounts of user, just like facebook won't give access to parts of the facebook graph. Google does not want someone having control over all the "accounts" of a user. In Web 3.0, accounts are the centerpoint of linking a user to multiple account points. Hence, the functionality is disabled. If you use firefox, Google has an exclusive agreement with mozilla. If you want to reset your master password, you have to type: chrome://pippki/content/resetpassword.xu   interesting if you ask me. 

This is just my take. I vote yes, with some sort of security restrictions.

Comment 127 Deleted

Comment 128 Deleted

Comment 129 Deleted

Comment 130 by lea...@gmail.com, Mar 4 2011

#125 If it's a concern to you, just don't configure it.
Mergedinto: 60105
Status: Duplicate
Project Member

Comment 132 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
Mergedinto: chromium:60105
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 133 by bugdroid1@chromium.org, Mar 11 2013

Labels: -Area-UI Cr-UI
Showing comments 34 - 133 of 133 Older

Sign in to add a comment