No, no, no, no, NO! What do you think "store password" means, when you click it? If you can fire up your browser and log in without ever typing in a password, how could you EVER assume your passwords are stored in anything but plaintext? I'm sorry, this article just shows the stupidity of the user rather than "Chrome’s insane password security strategy".
"Unauthenticated" except for the time you told Keychain to "Always allow" requests from Chrome.
However, I'll admit that there's a big difference between what I expected Chrome to be using those passwords for (logging me into websites) and how it's ended up (making those visible to anyone looking at the settings page).
> "Unauthenticated" except for the time you told Keychain to "Always allow" requests from Chrome.
1. That does not make it OK to display all cleartext passwords. Keychain requires the account password before displaying the cleartext. And Keychain can optionally require the master password to be entered before providing a password for form-filling as well.
2. Another user notes above that, whether you "allow" or "always allow", Chrome will copy the entry it just got to a new keychain entry which it sets to always allow.
Why can't Chrome do the same thing Safari does in that image? If the user wishes to see the password in plaintext, ask for their master keychain password first.
Users have differing expectations with respect to security. I obviously don't use Chrome's password saving function, because I'm aware that it will give my passwords away with ease.
Still, though, I find Chrome's practices in this respect rather crazy. The security I expect from the password manager is not that it will stop a person who really wants my passwords, but that it will allow me to lend my laptop to Joe Random Untechnical Friendquaintance to look at a web site, without feeling like I can't leave the room for two minutes because it's just that easy to see all my passwords. That's as simple as (say) a reversible hash.
I don't expect Chrome's password saver to be secure: I'd just prefer it to not go out of its way to present passwords to the public. Or, at least, to make it very clear to users that their passwords can be seen that easily.
Finally, there's absolutely no reason why an untechnical user would know that Chrome will give up their passwords like that - why would they?
No, it is not. Without taking any secret information from the user not available/stored in the system itself, there is no way to store a password on a system that is not trivially retrievable by someone who has access to the computer.
The OS X keychain encrypts passwords with your login password, and can be set to unload keys/passwords after a timeout; it is very much not stored as plain text.
Why would a non-technical user know that? Even if they could work it out if prompted to think about it, there's nothing to suggest to them that they ought to.
Your password is available in plain text either way. Not displaying it just gives users the illusion that someone can't run off with it, whilst making their lives harder if they need to log in somewhere else.