Chrome has a reputation for being the most secure browser available, but controversy has been raised this week about the way Chrome stores passwords. How can you make sure the accounts of your teachers and students are secure?

Chances are you’re viewing this article in Google Chrome. Try something. Open a new tab and enter chrome://settings/passwords in the address bar.

You’ll be presented with a window that looks like this:

chrome-password-1Now click the Show button, any password you’ve stored will be revealed in plain text. It’s not difficult to see the security issues raised.

There’s been huge controversy across technology websites this week about how easily accessible stored passwords are in Chrome, but the truth is this “feature” has been accessible for a number of years. The page to view passwords is also accessible through the settings page, so it’s not as though this is something Google has tried to hide — this feature is by design.

Google’s rationale for this is that no locally stored password is secure, so obfuscating accessonly promotes a false sense of security. Google’s Head of Security, Justin Schuh, makes the point that whether Chrome’s password store was hidden or not, someone deliberately attempting to recover passwords can easily do so regardless of any additional security.

Google’s Head of Security, Justin Schuh, had this to say:

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that’s really what they get.

While Google’s point of view is technically correct it doesn’t reflect the way people are using Chrome in the “real world.” A person knowledgeable in IT and with intent may be able to easily access your data but this doesn’t address potential abuse in a normal domestic or business situation.

Few people in my experience use multiple user accounts on their home PC or laptop, it’s not unusual for several family members to share the same device. If your passwords are just a few clicks away anyone with access to your machine — a student, for example — can access your information easily.

Google could address this issue by simply removing this feature from Chrome. It wouldn’t resolve the overall security issue, passwords would still be accessible by someone intent on accessing your data, but it would add a hurdle over which most people could not climb.

I’ve spent some time this week, after rolling out Chrome to all of our desktops, considering how this will affect our staff and students. Fortunately, because we use mandatory profiles for our students, once they log off any stored passwords are cleared. Staff, however, have roaming profiles. If a teacher uses Chrome, logs into their bank account, personal email, or Google Apps account and the password is stored, it is only a case of visiting the URL above to recover that information. We do, of course, require that staff do not allow others, particularly students, to use their user account, but we know that this advice isn’t always followed.

How to Protect Your Teachers and Students

If you’re using Chromebooks or Chrome managed by Google Apps you can disable the ability to store passwords for all your users through the Google Apps control panel.

To manually disable Chrome storing passwords uncheck the “Offer to save passwords I enter on the web” option on the settings menu:

chrome-disable-password

 

Source: Elliot Kember

Share.

About Author

Profile photo of Karl Rivers

Karl is an award winning Director of IT for the Royal Grammar School Guildford, based near London, England. He has been working in education for more than ten years and founded ClassThink in 2013 to share technology best practice with other schools. In 2014 he won the NAACE Impact Award for support services in schools, and writes edtech articles for Education Executive Magazine.

Tell us what you think!