Chrome has a reputation for being the most secure browser available, but controversy has been raised this week about the way Chrome stores passwords. How can you make sure the accounts of your teachers and students are secure?
Chances are you’re viewing this article in Google Chrome. Try something. Open a new tab and enter chrome://settings/passwords in the address bar.
You’ll be presented with a window that looks like this:
There’s been huge controversy across technology websites this week about how easily accessible stored passwords are in Chrome, but the truth is this “feature” has been accessible for a number of years. The page to view passwords is also accessible through the settings page, so it’s not as though this is something Google has tried to hide — this feature is by design.
Google’s rationale for this is that no locally stored password is secure, so obfuscating accessonly promotes a false sense of security. Google’s Head of Security, Justin Schuh, makes the point that whether Chrome’s password store was hidden or not, someone deliberately attempting to recover passwords can easily do so regardless of any additional security.
Google’s Head of Security, Justin Schuh, had this to say:
Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that’s really what they get.
While Google’s point of view is technically correct it doesn’t reflect the way people are using Chrome in the “real world.” A person knowledgeable in IT and with intent may be able to easily access your data but this doesn’t address potential abuse in a normal domestic or business situation.
Few people in my experience use multiple user accounts on their home PC or laptop, it’s not unusual for several family members to share the same device. If your passwords are just a few clicks away anyone with access to your machine — a student, for example — can access your information easily.
Google could address this issue by simply removing this feature from Chrome. It wouldn’t resolve the overall security issue, passwords would still be accessible by someone intent on accessing your data, but it would add a hurdle over which most people could not climb.
I’ve spent some time this week, after rolling out Chrome to all of our desktops, considering how this will affect our staff and students. Fortunately, because we use mandatory profiles for our students, once they log off any stored passwords are cleared. Staff, however, have roaming profiles. If a teacher uses Chrome, logs into their bank account, personal email, or Google Apps account and the password is stored, it is only a case of visiting the URL above to recover that information. We do, of course, require that staff do not allow others, particularly students, to use their user account, but we know that this advice isn’t always followed.
How to Protect Your Teachers and Students
If you’re using Chromebooks or Chrome managed by Google Apps you can disable the ability to store passwords for all your users through the Google Apps control panel.
To manually disable Chrome storing passwords uncheck the “Offer to save passwords I enter on the web” option on the settings menu:
How to get all you big sister’s passwords http://t.co/CpytKWH9aT and a disappointing reply from Chrome team.
— Tim Berners-Lee (@timberners_lee) August 6, 2013
Source: Elliot Kember