I would like to suggest another solution to this problem that can make everyone happy.
The goals are clear:
GOAL 1. avoid giving the user a "false sense of security"
GOAL 2. give the user the best security/convenience tradeoff for her particular needs
The current Chrome behavior fails to achieve GOAL 1 because the user is not informed about the lenient "Show Passwords" behavior (as many posters here noted), nor is she informed about how vulnerable she is when someone has access to her local login account (as Justin described). Avoiding a "false sense of security" really means helping to educate the user, and Chrome has failed to educate the user. Only the user knows what threats she needs to defend against (is it just a naughty little sister at home or a tech-savvy corporate spy breaking into her work computer?). Chrome should inform the user so she can make a choice that is in her interest.
Nearly everyone in this thread is assuming that Chrome has to make the security/convenience tradeoff choice for the user. But Chrome can satisfy GOAL 2 by offering a few options.
My proposal is that Chrome should present the user with a few clear choices in plain English with realistic explanations of the advantages and disadvantages of each, and the user can then pick her own security/convenience tradeoff.
Let me give some suggested text to get the discussion going.
I will suggest three specific behaviors to choose from, but these are just examples. Chrome engineers may decide on a different set of behaviors to offer (perhaps even still only one choice).
The point is that the user MUST be presented with choices in plain English that give her enough information to avoid any "false sense of security." Even if Chrome offers no choices, Chrome MUST still inform the user about what she is getting when she chooses to save passwords.
I suggest that after the user has just installed Chrome and she clicks to save her first password, she should be presented with the following choice (the choice will then persist until and unless she changes it in Chrome settings):
-------- BEGIN SUGGESTED TEXT -------------
Saved Passwords Security
Please choose how you would like Chrome to restrict access to your saved passwords:
CHOICE 1: No security: You or anyone sitting at your computer can view saved passwords at any time in the "Managed Saved Passwords" screen of Chrome settings. This option is the most convenient, but the least secure. If you use this option, consider locking your computer every time you leave it so that others cannot view your passwords.
CHOICE 2: Master Password to view passwords only: Chrome will ask you to create a Master Password. You must type the Master Password whenever you want to view your saved passwords in the "Managed Saved Passwords" screen of Chrome settings. But you do not need to type your Master Password in order for Chrome to fill passwords into websites you visit. This option can prevent casual, non-technical users from seeing your passwords (e.g. practical jokes from siblings or coworkers), but it does not offer any meaningful security barrier to an even mildly technical user who has gotten access to your account on your computer.
CHOICE 3: Master Password to view or use passwords: Chrome will ask you to create a Master Password. You must type the Master Password whenever you want to view your saved passwords in the "Managed Saved Passwords" screen of Chrome settings, AND you must type the Master Password every time Chrome is about to fill a password into a website that you visit. This option is the least convenient, but it offers a significantly higher barrier to a malicious, technical user who has gotten access to your account on your computer.
Please be aware that none of these options offer complete protection in the event that a malicious user (or malware) has gotten access to your account on your computer. For example, such a user can always examine your history or install malicious plugins to track your browsing activity, even if you never save any passwords. These Saved Password Security options simply let you choose from amongst practically available tradeoffs of security and convenience.
-------- END SUGGESTED TEXT -------------
In this suggestion, I have provided a #3 option which assumes that, under the hood, Chrome would NEVER store the Master Password in core or on disk, except during the short interval between when the user is prompted for it and when it is used to decrypt the website password. There is NOTHING magical about option #3 that offers 100% security. It is simply a higher barrier for bad guys to jump over (they have to hack into the binary's core at a particular moment to get the Master Password, or use other attacks not related to saved passwords). Option #3 may possibly be too inconvenient for anyone to choose: maybe a "sudo" timeout option is better, with different security/convenience tradeoffs. We can discuss all that....
But the main point is that Chrome must do a better job of informing the user about whatever behaviors it offers, and only then can Chrome truly avoid a "false sense of security."
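The storage model described for option #3 and the "sudo" timeout variant, as an added example that is not part of the original post and is not Chrome's code. The `Vault` class, the `ask` callback, the PBKDF2 iteration count and the HMAC-based stream cipher (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions of the example.

```python
import hashlib, hmac, os, time

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD such as AES-GCM
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

class Vault:
    def __init__(self, ask, timeout=0.0, clock=time.monotonic):
        self.ask = ask          # hypothetical callback that prompts for the Master Password
        self.timeout = timeout  # 0 = prompt on every use (option #3); >0 = "sudo"-style window
        self.clock, self.salt = clock, os.urandom(16)
        self.entries = {}       # site -> (nonce, ciphertext, tag): the only data persisted
        self._key, self._expires = None, 0.0

    def _unlock(self):
        if self._key is not None and self.clock() < self._expires:
            return self._key    # inside the timeout window: no prompt
        self._wipe()
        # 200_000 iterations is an assumed work factor; 64 bytes = cipher key + MAC key
        key = bytearray(hashlib.pbkdf2_hmac("sha256", self.ask().encode(), self.salt, 200_000, 64))
        if self.timeout > 0:
            self._key, self._expires = key, self.clock() + self.timeout
        return key

    def _wipe(self):
        if self._key is not None:
            self._key[:] = bytes(len(self._key))  # best effort; Python may keep other copies
        self._key = None

    def _done(self, key):
        if self.timeout <= 0:   # strict mode: key material lives only for this one call
            key[:] = bytes(len(key))

    def save(self, site, password):
        key, nonce, pt = self._unlock(), os.urandom(16), password.encode()
        ct = bytes(a ^ b for a, b in zip(pt, _stream(key[:32], nonce, len(pt))))
        self.entries[site] = (nonce, ct, hmac.new(key[32:], nonce + ct, hashlib.sha256).digest())
        self._done(key)

    def fill(self, site):
        nonce, ct, tag = self.entries[site]
        key = self._unlock()
        try:
            if not hmac.compare_digest(tag, hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()):
                self._wipe()    # never cache a key derived from a wrong password
                raise PermissionError("wrong Master Password or tampered entry")
            return bytes(a ^ b for a, b in zip(ct, _stream(key[:32], nonce, len(ct)))).decode()
        finally:
            self._done(key)
```

With `timeout=0` every `save` and `fill` prompts again and nothing derived from the Master Password outlives the call; a positive `timeout` trades that for fewer prompts by keeping the derived key in memory until the window expires.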