New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 824575 link

Starred by 2 users
Status: Available
Owner: ----
Cc:
rbasuvula@chromium.org
mastiz@chromium.org
tschumann@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Feature



Sign in to add a comment

"Never Save password" list

Reported by planet...@gmail.com, Mar 22 2018 
UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36

Steps to reproduce the problem:
*Accidentally* save a critical password.

I connect to a multiple systems using high level passwords, eg my sysadmin password.  The password database gets copied to any machines where I use Google Chrome.  Some of these have weaker security.  While I would endeavor to never save critical passwords mistakes happen.

Typical case would be where a user (eg me) uses the same Google identity in a work environment and on various home computers.  

What is the expected behavior?
Desired behaviour: 

Google refuses to save a password that has been added to a Never Save Passwords encrypted list. 

What went wrong?
From a security perspective it would be desirable to be able to add key passwords to an encrypted list of never-to-be-saved passwords.  Since only a secure hash is stored the background password database copy does not compromise these passwords.

Did this work before? N/A 

Chrome version: 64.0.3282.140  Channel: n/a
OS Version: 6.3
Flash Version:

Comment 1 by krajshree@chromium.org, Mar 22 2018

Labels: Needs-Triage-M64

Comment 2 by rbasuvula@chromium.org, Mar 28 2018

Cc: rbasuvula@chromium.org
Components: Services>Sync
Labels: -Needs-Triage-M64 M-67 Target-67 FoundIn-64
Status: Untriaged (was: Unconfirmed)
Considering this as a feature request and making the status to Untriaged so that the issue would get addressed.

Thank you.

Comment 3 by treib@chromium.org, Mar 29 2018

Components: UI>Browser>Passwords
Labels: -Pri-2 -M-67 Sync-Triaged OS-Android OS-Chrome OS-Linux OS-Mac Pri-3
Summary: "Never Save password" list (was: Suggestion: Never Save password list)
I think this is mostly a feature request for the password manager, adding appropriate label.

Note that you can delete the accidentally-saved password via chrome://settings or via passwords.google.com. That will cause it to be removed from all synced Chrome instances. Alternatively, you can also turn off syncing of passwords in particular at chrome://settings/syncSetup.

Comment 4 by battre@chromium.org, Mar 29 2018

Status: Available (was: Untriaged)
Marking this as available. The feature sounds reasonable but it won't be anything we build any time soon due to prioritization.

Comment 5 by elawrence@chromium.org, Jun 1 2018 

There's also a list of sites on which passwords should never be saved at chrome://settings/passwords; since passwords should be unique per-site, you should be able to use that.

Sign in to add a comment