It might be convenient to save your Facebook or e-mail password in your Chrome browser so you don't have to repeatedly type it in, but you might want to think twice before you use that setting.
Web designer Elliott Kember noticed a security flaw in the Google Chrome browser earlier this week. When he went to transfer the bookmarks from his Safari browser to Chrome, he went digging into some simple Chrome settings, only to find that when you import bookmarks from another browser, the software defaults to bringing over your saved passwords as well. While there is a check box to disable the password import, it can't be unchecked on a Mac, something ABC News was able to confirm.
- Passwords stored in Chrome are very easy to view
- Security experts discourage users from storing passwords in browsers.
Google plans to fix that specific problem soon, confirming to ABC News that the automatic syncing of passwords from Safari browsers was a bug in the Mac version of Chrome.
"Thanks to our users, who discovered a bug in Chrome's import interface, which improperly represents how passwords are handled upon import from other browsers," Google said in a statement provided to ABC News. "We developed a fix to better represent how passwords are handled across platforms, which will roll out to all users soon."
However, that fix won't solve another problem Kember found. He went a step further to point out that if you do import those passwords into Chrome, they, along with any other passwords you have saved in the browser, are completely unprotected. By typing chrome://settings/passwords into Chrome's address bar, you can see the saved usernames and passwords for the websites you visit.
"There's no master password, no security, not even a prompt that 'these passwords are visible,'" Kember wrote on his blog. Essentially, anyone who was able to use your computer could see the passwords you have saved.
Google did not have an official comment about why it doesn't do more to protect saved passwords. However, Google's Head of Chrome Security, Justin Schuh, took to technology site Y Combinator to explain why Google doesn't require a master password in order to get at those other passwords.
"We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security and encourage risky behavior," Schuh wrote. "We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because, in effect, that's really what they get."
Competing browsers like Safari and Internet Explorer require you to type in the system password to view those passwords. While Google has provided a number of password security tips over the last few months at its Good to Know website, ultimately, security experts say, Chrome has always had this security vulnerability, and people should use encrypted password managers to save passwords.
"Bottom line: The public should not be using their browser to manage their passwords," McAfee security expert Robert Siciliano told ABC News. "Password managers have now evolved to a point where they have military grade encryption and they work across browsers, across devices and store your data locally and in the Cloud."
Siciliano recommended McAfee's All Access password manager.
He also reminded people to use two-factor authentication for e-mail and other important accounts, which requires users to confirm their identity with two pieces of log-in information, and to make all passwords strong with a mix of upper- and lowercase letters and numbers.