Don’t bother locking your front door: Google’s odd security logic

There’s been a fair bit of debate going on over Google’s decision to make all the passwords saved by Chrome easily visible on one screen.

For example, as ZDNet puts it:

An intruder who has unrestricted access to your computer for even a minute can view and copy all of your saved passwords just by visiting an easy-to-remember settings page: chrome://settings/passwords.

That link opens the local copy of your saved password cache, which is synchronized to every machine where you sign in with your Google account.

And the funny thing is, anyone who visits that page can see the plaintext version of every saved password just by clicking a button.

Other programs, including other web browsers, use a password to protect such information. Why doesn’t Chrome? Because, as their security technology lead explains:

The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that’s really what they get.

The problem with that approach is that it assumes the only thing worth protecting you against is a determined, technically savvy and well-equipped hacker. It doesn’t protect you against things such as briefly popping out of the room.

It’s like a housebuilder saying, “We don’t both putting locks on your front door, because a bad guy can pick your lock and get in anyway”. Yes, but it would miss the point – that’s not the only danger worth protecting against.