Aug 8, 2013

Storing Passwords In Your Browser? Time to Stop.

The latest controversy to make the rounds on tech news outlets and social networks surrounds the lack of security features built into Google’s Chrome browser, leaving user passwords and form fill data at risk.

Web developer Elliot Kember questioned Google’s security practices after showing that anyone with physical access to the computer will have immediate access to the passwords, which can easily be toggled to plain text. Someone can simply go to the URL chrome://settings/passwords or visit a user’s password page in the browser Settings menu to easily view the data. There is no master password or even a generic prompt - essentially, there is no added security for the passwords.

The main concern that Kember raises is the fact that the mass market doesn’t expect it to be that easy for others to get to their data. In his blog post, he calls for Google to either clarify the security policy so users can make a more informed decision, or to add a master password option (as Mozilla Firefox has done).

This “flaw” in Google Chrome is old news to many. However, the fact that Chrome is now one of the three most widely used browsers in the world means that more and more of the general population is using Chrome and saving data to the browser, with little information about how that data is protected.

Ultimately, the most secure way to store your data is to not store it in a browser at all, where there are minimal security options and a host of possible threats. By storing your data in a password manager, you’re adding at least one authentication layer with your master password, not to mention the encryption technology built into the software itself.
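To make the "authentication layer plus encryption" point concrete, here is an added, illustrative Python model; it is not code from the original post or from LastPass, and it is not LastPass's actual scheme. It shows the property a password manager of this design is built around (and that a later comment-thread reply describes when it says the key is not shared with the service): the vault key is derived locally from the master password, the service receives only a further one-way hash of that key for authentication plus the ciphertext, so neither the service's stored data nor a guessed master password opens the vault. Every name (`derive_vault_key`, `derive_auth_hash`, `VaultService`), the e-mail-as-salt choice, the iteration count, the sample account and entries, and the HMAC-SHA256 counter-mode stream cipher standing in for a real authenticated cipher such as AES-GCM are constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

# PBKDF2 work factor: illustrative value for this example, not a recommendation
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Derive the vault key on the client; the master password never leaves the device.
    In this constructed scheme the lower-cased e-mail address serves as the salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One further one-way step from the vault key. The service stores this to
    authenticate logins; holding it does not yield the key or the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _subkeys(vault_key: bytes):
    """Split the vault key into independent encryption and MAC keys."""
    enc_key = hmac.new(vault_key, b"example-enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"example-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in stream cipher for this example only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, entries: dict) -> dict:
    """Encrypt-then-MAC the vault locally; the returned blob is what gets synced."""
    enc_key, mac_key = _subkeys(vault_key)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: dict):
    """Verify the tag before decrypting; return None for a wrong key or a tampered blob."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    expected_tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, bytes.fromhex(blob["tag"])):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


class VaultService:
    """What the hosted side holds: the authentication hash and the ciphertext blob only."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, auth_hash: bytes, blob: dict) -> None:
        self.accounts[email] = {"auth": auth_hash, "blob": blob}

    def login(self, email: str, auth_hash: bytes):
        """Return the stored blob on a correct authentication hash, else None."""
        account = self.accounts.get(email)
        if account is None or not hmac.compare_digest(account["auth"], auth_hash):
            return None
        return account["blob"]


def demo():
    """Constructed walk-through: enrol on one device, recover on another, then show that
    neither the service's stored data nor a wrong master password opens the vault."""
    email = "user@example.com"               # constructed sample account
    master = "correct horse battery staple"  # constructed sample master password
    entries = {"https://bank.example": {"username": "alice", "password": "s3cret!"}}

    service = VaultService()
    key = derive_vault_key(master, email)
    service.register(email, derive_auth_hash(key, master), encrypt_vault(key, entries))

    # Second device: re-derive the key, authenticate with the auth hash, decrypt locally
    key_again = derive_vault_key(master, email)
    blob = service.login(email, derive_auth_hash(key_again, master))
    recovered = decrypt_vault(key_again, blob)

    # The service (or anyone who copies its database) has only the auth hash and the blob
    stored = service.accounts[email]
    service_attempt = decrypt_vault(stored["auth"], stored["blob"])

    # A guessed master password neither authenticates nor decrypts
    wrong_key = derive_vault_key("wrong password", email)
    wrong_login = service.login(email, derive_auth_hash(wrong_key, "wrong password"))
    wrong_decrypt = decrypt_vault(wrong_key, blob)
    return recovered, service_attempt, wrong_login, wrong_decrypt


if __name__ == "__main__":
    r, s, wl, wd = demo()
    print("recovered on second device:", r)
    print("service decrypts with what it stores:", s, "| wrong password logs in:", wl, "| decrypts:", wd)
```

The contrast with a browser store whose key is bound to the OS login session is the point: here, a process on the host that can read the synced blob still lacks the master password, so the ciphertext and the authentication hash are all it obtains.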

There is also the added benefit of utilizing multifactor authentication and other features to control where and how your data can be accessed. These features include the ability to restrict logins to specific countries or to enable master password reprompts on more sensitive logins. It also ensures that should one computer or browser crash, or be lost or stolen, your data remains securely accessible on your other devices.

While we agree it would be wonderful if Chrome increased its security options or offered better warnings for users, Chrome users can be proactive today by downloading a password manager like LastPass and migrating their data out of their browsers. LastPass will even help you with that process by automatically importing your passwords for you as you get started - so don't wait until it's too late.

Were you aware of this shortcoming in Google Chrome? What other steps are you taking to protect your data?

30 comments:

  1. OK, so I use LastPass religiously. But I also get prompted by Chrome to save passwords and I have been saying, "OK, sure" assuming that Chrome was at least somewhat secure. Now I find it isn't. So what should I do?

    I assume I need to delete all of Chrome's saved passwords and tell Chrome to not remember passwords anymore. But is there anything that can help me with this? Is there a way to nuke all saved passwords? Is there a way and/or settings I should set to tell Chrome to not store any passwords?

    Answering my own questions here: Yes! Go to Chrome Settings and search for passwords. Select "Clear browsing data", then make sure that only "Clear saved passwords" is checked. There go all of your Chrome saved passwords. Next, notice the two check marks under Passwords and Forms and toggle them off. If you use LastPass like I do and already have all of your passwords there and fill in forms there, then you don't need Chrome doing this anymore.

    Oh, and do it in all the other places you use Chrome, if there are more than one.

    Replies
    1. "OK, so I use LastPass religiously. But I also get prompted by Chrome to save passwords and I have been saying, 'OK, sure' assuming that Chrome was at least somewhat secure."

      Why would you even begin to bother with using LastPass if you're going to just let the browser "remember" those passwords? I just can't believe the logical disconnect.

    2. I can't speak for Andrew, but I don't leave LastPass logged in all the time. For some things it's nice to have Google just do the password for me, rather than having to go through the extra steps of logging into the LastPass extension.

      Mind you, after reading this I've deleted most of the passwords Chrome saves. The only ones left are for logging into my router, and that's just because it will autofill for me.

  2. While I agree, to a point, there's the fact that if a person has physical access to your hardware, it's simply a matter of time before he gets to your data regardless. All he needs is a forensic Linux live environment on a USB drive to boot your computer from, and he can access anything that isn't encrypted.

    I'm mostly nervous about remote access, and if someone could remotely access my browser passwords, that'd be a real issue. I'm not that worried about local access, to be honest.

    Replies
    1. True; more than "physical" access in the sense of someone sitting down at the machine, the biggest threat is something running on the PC (spyware, adware, malware, etc.) that is installed with local access and can mine or record data. LastPass is a tool that will help mitigate risk, but other tools and actions are also critical.

  3. But the LastPass browser extension also seems to make passwords easily shown as plain text when

    1. user does not configure auto session timeout
    2. user does not configure authentication for showing password

    And if I remember right, both 1 and 2 are the defaults when the extension is installed.

    Replies
    1. Those are great points - when users first install, they have an option to set up autologoff; after that they would have to manually adjust those settings in the LastPass Icon > Preferences, or the LastPass Icon > My LastPass Vault > Settings > Security menu. Being aware of options is crucial.

  4. Using in-browser password management with unique, per-site passwords is still vastly more secure than what most people do.

    Replies
    1. True, a valid point. To the best of my knowledge though most browsers don't offer a password generator, which is helpful in making unique passwords a reality. Education is a great first step.

  5. I am using LastPass on a Mac but can't seem to find the app so I can check on my passwords and configure my settings. Where can I find this? I've searched my apps and HD with no luck at all.

    Replies
    1. Sorry to hear of the trouble - be sure you've installed the add-on in the browser. You can try reinstalling from here: https://lastpass.com/download - the team's happy to help if you keep running into issues: https://lastpass.com/supportticket.php

  6. I could be wrong, but this is what I believe Chrome does with your passwords:

    Your passwords are, in fact, encrypted (either with a key derived from your Google account password, or a key derived from another password of your choice).

    However, that key is encrypted with the Windows Data Protection API, which basically uses the Windows password you entered to log on to encrypt your information.

    The bottom line is that if someone has access to your computer while it's turned off, they would have to crack your Windows password to get to your Chrome passwords.

    Of course, if you auto-logon it's all pointless.

    Anyway, this is how I believe Chrome handles your passwords. I'm sure the LastPass team can verify.

    Replies
    1. Hi John: Thanks for adding these comments. On Windows, they do use CryptProtectData (which is a Windows call tied to your login). It doesn't look like they do anything on Mac or Linux. Bottom line, any software running on your computer (including our installer) can pull all passwords easily. You can demonstrate this to anyone by running LastPass and "pulling" their passwords out of their browsers. This isn't possible when you've stored the data in LastPass.

    2. And that's why I use LastPass ;)

  7. I used to use Lastpass as my primary password manager. Then the whole Edward Snowden fiasco has colored my views of ALL cloud service providers. As a US-based cloud company, I can't help but worry that you are susceptible to secret subpoenas and national security letters that can compel you to divulge "foreign" data with absolutely no legal restraint. As a non-American, this worries me a lot.

    As such, I have been scaling back on using US cloud providers, and I am thinking of canceling my LP account. I just don't feel secure trusting you with my most intimate passwords.

    Replies
    1. This is also true for me. As a non-US user, I cannot trust LP.

    2. Thanks for bringing this up, Dan. You have some valid concerns - but LastPass has minimal access to data to begin with. We've built it so that your key is not shared with LastPass, which means your sensitive data is encrypted and decrypted locally, and synced securely. We're happy to address any follow-up questions or concerns: security[at]lastpass.com - thanks for reaching out.

    3. Dan, really the issue existed long before Snowden. The paradigm is host-based security.

      You're trusting the host with your crypto. When you go to LastPass's website, you have no guarantee that the JavaScript they serve you this time to handle the crypto is the same as what they gave you last time. So, under a US government order, they could change their encryption to send your password up to the cloud so they can decrypt your data. This happened to Hushmail in Canada.

      I do believe that LastPass is very secure, especially against non-government hackers. And the cloud brings convenience. But I wouldn't recommend it if you're planning on overthrowing government regimes ;)

  8. Dan makes a valid point. In comparison, 1Password is based in Canada, so it might see a surge in business.

    Replies
    1. Please see my comment to Dan.

      Hushmail was based in Canada, and they caved in to pressure to compromise their crypto.

      The bottom line is that if you want absolute trust in your crypto, you have to run it locally with open-source code that you have verified, or that an expert has verified, and that you can confirm hasn't changed since then.

  9. I have been using LastPass for years now and haven't looked back. I've mocked a lot of friends for using the browser to store their passwords and seen a lot of people eventually move to LastPass.

    Replies
    1. Thanks, we appreciate you spreading the word on LastPass!

  10. This article is disingenuous coming from a security firm. First it implies that lastpass behaves differently. This is not the case. Lastpass browser plugin allows the same access to cleartext passwords by default. Second, as a security firm it is incumbent upon you to know and communicate that there is no security model for handing over your computer to another person while you are logged in. Any attempt to claim to have created something that is "secure" against an attacker who has access to the computer while you are already logged in would be misleading at best.

    Replies
    1. Thanks for the comments, it's true that with physical access and without taking the necessary steps, someone could still access your data. LastPass does offer "master password reprompt" options, though, which ensure they can't "edit" or even "fill" logins without first re-entering the master password. There are also autologoff features so your session can end if you walk away - or forget you're logged in. It's all about mitigating risk, and making it as difficult as possible. Thanks again for bringing up these points, though.

  11. I have been using LastPass for over five years now and am quite happy with it. As someone mentioned before, you do need to configure it properly so it logs you off after a certain time of inactivity or after you close your browser; otherwise it gives access to anyone who has your computer. I love the Generate new password feature, as I hate trying to create new secure passwords. A program like this is essential if you have many passwords you need to remember, as it takes the hassle out of it all. It does have its own hassles that I've had to work through, but once you understand how to use it, it isn't a problem.

  12. Given the NSA is apparently requesting user passwords and password salts from a variety of US companies, I will probably be shutting down my LastPass account soon. It's a shame, as it's a great service, but it looks like the all-seeing eye of the USA either probably now has access to all my passwords stored with companies like LastPass, or will shortly.

  13. As opposed to the NSA going to each service you have and requesting your password?

  14. Since the views expressed here range from the naive to the inept, please pardon my tone, but as a researching scholar of cryptology and teaching doctor of mathematics, I can assure you that the NSA does not need to ask at all... they just take company "X"'s hashed password DB through compromised (by the former) layers and backdoors (also introduced by the same party), and they crack, or better decode, the hashes by security "bugs/features" and available hidden collisions (also introduced... as above). Every aspect of the security layers existing today is to be considered crippled and compromised in either the implementation or even the logic behind it. Some of the very textbook math behind the security and encryption layers in use and taught worldwide today, of which you can even freely read the exposed basics (but not the hidden logic part) on Wikipedia, was introduced by researchers working for and by RSA and NSA contracts and requirements. Most of the source code and mathematical, logical bases are in need of an audit of their foundations, even the ones popularly and academically beheld as dogma. My paper, which will be published by the end of next trimester by my Academy, will illuminate the conjectures and faults purposely placed at hand.

    Replies
    1. I don't understand you. Explain like I'm 5 years old please???
