15 comments

[ 3.3 ms ] story [ 47.8 ms ] thread
So the master password is not used to encrypt the password database? What is it used for then?
The headline appears to be misleading.

If you use Firefox, the Master Password for the Software Security Device that must be entered on each restart of Firefox is certainly used to encrypt the passwords.

I believe the steps outlined in the article for Chrome are accurate but the word “Firefox” appears only in the headline.

It doesn't seem to be used if you use the firefox sync feature though, from my experiments, at least, I could sync my account and then open the passwords without the master password.

That was about when I stopped using 'save password' and also disabled password syncing.

https://support.mozilla.org/en-US/kb/using-master-password-s...

“When using Sync, your Firefox Accounts login is stored with your saved passwords in the password manager. Your master password must be entered so Sync can access your Firefox Accounts login. Once the master password has been entered, Sync can also access your other saved passwords and sync them between your devices.”

It looks like a master password has to be enabled separately, just having Firefox sync won’t encrypt passwords on disk from what this is saying.

My point is that I found I could enter my firefox sync password and my master-pw-protected passwords were brought down from firefox without any trouble, ergo bypassing my master-pw completely.

My expected behaviour would be that the master-pw would be used to encrypt the passwords, and this encryption would be carried to the sync'ed passwords such that knowing my sync password would be insufficient alone to get my cleartext passwords - which is, afaik, how almost all other (online/syncable) password managers work.

I don’t think it’s safe to post a slightly blurred image of your usercodes and passwords.
Moreover, if you use "Security" and "Cybersecurity" tags. I'm sure, it's possible to find the written ML script for "unblurring".
This should be reported to the Google Team and perhaps they should award the author some compensation as part of their bug bounty program.

This is alarming.

I thought this was known. In fact KeePass has a plug in which will automatically grab all chrome passwords and import them into KeePass. I used it about two years ago to do this.
it’s pretty old, for instance this is a description of the same issue from 2013:

https://www.howtogeek.com/70146/how-secure-are-your-saved-ch...

The link to the “why isn’t there a master password?” question is now dead, but from memory of the disucssion at that time, it was basically said that browser passwords are inherently unsecure as they end up in plain text in the password field, and trying to add layers upon layers of encryption was just distracting from that fact. That position explains a lot about how Chrome handles these passwords.

there’s a difference between reading one password out of a password field being actively used, and your entire archive from cold storage.

that said, as i commented otherwise, the report is still bogus.

This is not a bug. Nor is it news. It's an intentional design decision from years ago. The alternative is requiring users to manually enter a "vault" passphrase every time they start chrome, to unlock both the password vault and the cookie store (remember, your cookies are effectively passwords too).

This has been tried, and the overwhelming consensus from users is "DO NOT WANT". So encrypting to the data at rest, and unlocking it with user login is generally accepted as a reasonable compromise.

i have to admit, I have tired of this type of amateur hour, alarmist analysis.

> Well, no. If a hacker has managed to get access to your computer, whether it be through an unprotected port or a botnet-type trojan that you’ve managed to get infected with, then the hacker already has your Windows credentials ...

If the hacker has your Windows credentials and local access, nothing Chrome does matters. It’s game over for you. (local 2fa aside, ie touch ID mediated keychain access, that kind of thing.)

Had the author reported it to google before declaring his brilliance over GOOGLE’s obviously deliberate choice here, he might have gotten some valuable insight and not embarrassed himself with this post.

I don't agree. Lets say someone steals your computer and is able to log in: if you save all your passwords in Chrome this way, you're done. Every password to every site you've ever logged into will be compromised. You've lost all control over your online identity. However, if you had used a password manager with the passwords encrypted with your master password at rest, it would be fine.

This doesn't just apply to physical thefts: if you get malware on your computer, fetching all your Chrome passwords is trivial. Fetching your password manager passwords is not: it would only be possible to do if you actively used the computer while it was infected (and entered your master password), and even then it's not trivial. You'd have to either keylog every keystroke and figure out which ones are the master password (if a master password was even used, you can log into 1Password with TouchID and Windows Hello) or try and go digging into the memory of the password manager to try and fish out any passwords. Not an easy task, and one that is very difficult to automate.

Compromising a password manager, even when the computer itself is compromised, is difficult. It takes dedication and personal attention from the hacker. Browser passwords, on the other hand, can be trivially harvested the second you compromise a computer. It needs no personal attention, a bot could easily do it on a massive scale.

The advice is correct: don't save your passwords using any system that doesn't properly encrypt them.

EDIT: to be clear, this is not because Google's engineers are stupid. It's because they want the Chrome password management system to be convenient, and they don't want to require a master password. If that's the case, then there's not much you can do to prevent this sort of thing.

the original sin was storing them in the first place