I'm sorry, but I really do understand your argument. You're claiming that the same novice who can't install a simple application or follow three steps to reveal a password on the page will be capable of drilling down through the Chrome settings menus and displaying passwords. The corollary to your claim is that the threat of this novice outweighs the damage of encouraging people to leave their computers unlocked in a potentially hostile environment.
Drawing equivalence to sites that email your password is also misguided. The issue with those sites is that, contrary to a password manager, they have no reason to ever retain the cleartext password. And more fundamentally, there's no excuse to ever transmit credentials in the clear over a network. Whereas in this case, we're talking about showing the user passwords that must be retained in a recoverable form, displaying only on user request, and within a security context that can trivially access them anyway.
At this point I think I've repeatedly conveyed the reasons for Chrome's design decisions on this front. Since there's no new information, and the discussion seems to be going around in circles, I don't really see a value in continuing this thread.
The value, I think, is in challenging your own beliefs.
To be honest this reminds me a lot of how Microsoft used to treat issues in their code/software 'Oh, that's a user error. That's not a bug, that's a feature!'. And then when you get pushback you go 'I've discussed this enough, no more talking with the plebes'.
Your axiom seems to be that anyone with access to your computer should be 'trusted'.
In other words, if I hand my laptop to my spouse I am essentially granting her root privileges.
A lot of us are making the point that this isn't true. I may have a wife, children or a roommate who I trust to use my laptop but don't want to make my passwords easily visible.
When I hand my laptop to my wife I have an expectation that without resorting to some special tools she should not be able to find out what my Amazon password is or what my hotmail password is.
Your position seems to be that by making these passwords visible you are encouraging more secure behavior - ie. I will now log my computer into a 'guest' account every time I give it to my wife.
It just seems like you don't get how people ACTUALLY use your product. For many reasons I'm not going to lock my computer every time I give my laptop to my wife or a roommate. I have an expectation that there is SOME obscurity that protects my passwords, even if it's just obscurity by not explicitly showing the password. You're not going to change my behavior, and frankly most of us are pretty shocked that a) you are so resistant to challenging your own axioms and b) you think this is somehow our fault for expecting Chrome to not have a giant 'show passwords' button.
You need to challenge your assumption that the 'attacker' is some malicious agent. Widen the scope to also include the suspicious spouse or the prankster roommate and you'll understand why we think this is a bigger deal than you seem to consider it. Even if it just presents a small barrier I think most of us feel that small 'annoyance' is enough to prevent pranks and snooping spouses.
I can see you don't, which is why I'm trying to pose it variously.
It's a simple one: why make it easier for a user to be compromised than is necessary? Why is it such a problem to ask the user to enter their account password before viewing this prefpane? You've not provided a valid argument against this.
As to lulling users - they already are. All of your marketing screams about how secure chrome is, how you don't need to worry about security, and all the rest, so showing their plaintext passwords just seems... silly.
> Why is it such a problem to ask the user to enter their account password before viewing this prefpane?
You're trying to prevent my friends from fetching my email password to look secretly at my self-nude pictures.
Justin is trying to prevent my enemies from fetching my email password to gain access to my bank account and rob me of all my money.
His point is Chrome preventing the former threat, while useful by itself, can lead me to believe that I'm also protected against enemies with physical access. This belief, as we know, makes preventing the latter threat impossible. As he cares way more about the latter threat, he thinks it's counterproductive to defend against the former.
> All of your marketing screams about how secure chrome is
To be fair, that refers to being secure against remote attackers, which is the primary concern of a browser since there's not much the user can do about it by himself.
Yeah but his point is really silly. He's trying to make the argument that by making it impossible to lock the car we won't leave valuables in it.
His argument is that since a person could just smash the windows and open the car that way there's no point in putting locks on the door.
It's just a very myopic and weirdly out of touch position. He seems to think that he's 'training' users to have more secure practices? This isn't the business world. You don't get to blame the user for not being security experts. He should be doing everything in his power to make it inconvenient and difficult to access a user's passwords.
> Why is it such a problem to ask the user to enter their account password before viewing this prefpane? You've not provided a valid argument against this.
Most users do not have to enter their password when their OS boots, and thus won't know what it is. So offering it in Chrome is an inconvenience for most users, but adds no extra security. Once an attacker has physical access and can run the Chrome browser it's game over and they can get everything, even if Chrome asks for a password before showing you the password pane.
Users should be setting up "guest" accounts for their OS and "Guest" user profiles for their web browsers.
Again, missing the point. Both your average attacker and average user have as much technical knowledge as a daffodil, which means even the most trivial barrier would be effective.
As to users who don't set a password - never make the passwords visible.
In that case the most trivial barrier is to lock the screen when you're away from your machine, or to set a guest account for when you lend the machine to someone else.
what makes you think that people that hate to remember passwords will want to remember a password that locks them out of their password? This is stupid. Users that care about security will LEARN about more secure solutions one way or another. Don't treat humans as dumb fucks.