Chrome stores passwords in plain text

If you use Chrome and save passwords, head over to chrome://settings/passwords, select any password and click show. Scary, I know. I personally only save passwords for a "spam Gmail account" that I also use for YouTube etc., but I'd imagine many people use it for more important accounts. Here's an article on PCWorld: http://www.pcworld.com/article/2046106/google-chrome-policy-exposes-user-passwords-on-purpose-heres-how-to-prevent-it.html

Apparently the head of Chrome security doesn't think it's a flaw and there are few arguments he provides, but I personally think he's too smart for his own good and doesn't realise how 90% of the population uses Chrome and just "assumes", like I did, that the passwords wouldn't be stored in plain text.

What are your guys thoughts?

Your passwords become insecure the second you hand over your computer to someone else, regardless of if they are in plaintext or not. 

This issue goes back far with Chrome, and to be honest I think it helps far more people than it harms... who doesn't forget a password now and then?

hah, wow.

That's why everyone should use LastPass.

You could just tell Chrome not to remember any of your passwords. I don't think Chrome actually stores the passwords in plain text, it just gives you the option to display them in plain text. So the only way someone could get hold of your passwords is if they actually used your computer.

Prefer KeePass, myself. Local rather than remote.

1 Like

Yes, but even a master password (like Firefox), no matter how secure, will prevent a "friend" from accessing your passwords easily. E.g., you leave your laptop open to go to the bathroom; you're not going to lock your computer because that would be rude.

This is correct. Why decrease your security in your web browser by having it save passwords when that's what cookies are for? It's a lot harder to get ahold of your cookies on your HDD unless someone is actually physically at your PC operating it.

Both are good. I just tend to not always be at my actual computer so remote is very useful for me. I believe I can do KeePass on USB but I never carry one around.

Locking your screen is exactly what you should do. If someone considers it rude, consider him harmful.

I save all my passwords in a keyring which is integrated in ssh, gpg, sudo, encryption tools, Firefox and irssi. The keyring is coupled with the login password. So whenever I log in it automatically unlocks the keyring and whenever I lock the screen the keyring also locks itself. I always lock the screen when I stand up.

This might be of interest to you guys. ChromePass.
It has the ability to output all of the passwords stored in Chrome (they also have versions for other browsers) to a .txt file. I remember using it to make a flash-drive with autorun that I could plug in, click a couple of buttons and have people's passwords. It's really quite scary to think that it is that easy.

(I never used the flash-drive to get into someone's account, and neither should you, don't be a dick.)

2 Likes

Wow, it got all my passwords, I'm deleting them all now. I knew that you could see all your passwords if you unlocked your computer, but I thought they were encrypted in some way (I have a strong password on my computer).

That's really bad security for a company as big as Google. And this has been around for years, scary stuff.

1 Like

When I was in a dormitory setting I set my BIOS to ask for a password at boot. One individual was reported to have sat there repeatedly pressing the reset button hoping to bypass it. Which might explain why my monitor broke down only a few months after I bought it. (This was back in 1998 I think).

I live in a house now. Where I trust all occupants implicitly. So my PC is set up to take a pin and all my passwords and associated accounts are kept on index cards in a holder. It is about two thirds full now. I really shouldn't be letting programs remember my passwords. I get tired of constantly re-entering them. I don't really know the security risk level when compared to entering the password a few times a day. I figure either way I am SOL if the computer is compromised. So I will just take convenience.

I have yet to keep a master account database on my computer. In any form. It just doesn't feel right to trust all that to a single program. Even if encrypted with a password. It isn't like my passwords are at all something I can remember any more.

I am slowly upgrading from eight to twelve characters. Set up to use any one key only once. With at least one symbol, number, letter, capital (when a site will accept all those, I think playNC and a few others still don't), to at least sixteen characters with repeats of at least one character being the newest changes.

I still haven't added non-keyboard characters. One of my friends has been doing that for a long time. I still have yet to pick it up. Something like "Ω" is supposed to really increase the password strength. Using all the ASCII or whatever it's called. Instead of just what is on the keyboard.

When I press the show password button it asks me for my Windows password.

Nice Necro Guys.

3 Likes

~resurrect