
"his stored passwords will be accessible by anyone using his computer with his credentials."

But this is EXACTLY Justin's point: EVEN with a master password, they'd be accessible in other ways by anyone using his computer, because it's just stored in the keychain - and if they add a master password, people will think that makes it more secure.

The solution here is to remove the show button - don't add any kind of master password - because that's just snake oil.




>EVEN with a master password, they'd be accessible in other ways by anyone using his computer

Maybe (there are simple but very effective prevention methods against keyloggers etc.), but the main point is: it's not all black and white. There are varying levels of security (and varying levels of "hacker skills"). Passwords encrypted with a master password are at least a couple of levels safer than those displayed in plain text.


If they're autofilled, which is the very reason to store them, then it doesn't matter how deep you store them. The browser will dig it for you automatically.


But only after the password store was decrypted after providing the master password, or not? And that is good enough for me. If I let someone use my computer, of course I will close the browser beforehand. So he can use my computer, launch the browser, but will not be able to access my passwords, since he doesn't know the master password.



