Chrome’s insane password security strategy

Chrome does something interesting when you first run it.


The other day, I was using Chrome in development for an Ember.js app. I use Safari for day-to-day browsing, but it has a habit of aggressively caching files when I least expect it, so from time to time I switch to Chrome.

I decided to hit Chrome’s “Import bookmarks now” link and see whether I could import my bookmarklets from Safari, so things would be nice and consistent between the two browsers. I didn’t expect this:

Chrome asking me to import my content from Safari

This struck me as particularly odd. Why is “Saved passwords” greyed out, and mandatory? Why have a check-box? This is the illusion of choice. I think it’s deeply misleading, and this is why:

This is a page in Chrome’s settings panel:

Passwords in Chrome

See that “show” button? It does what you think it does.

Passwords in Chrome, in plain-text

There’s no master password, no security, not even a prompt that “these passwords are visible”. Visit [chrome://settings/passwords](chrome://settings/passwords) in Chrome if you don’t believe me.

There are two sides to this. The developer’s side, and the user’s side. Both roles have vastly different opinions as to how the computer works. Any time I try to draw attention to this, I get the usual responses from technical people:

While all of these points are valid, this doesn’t address the real problem: Google isn’t clear about its password security.

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market - the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.

"A Google Chrome prompt showing the words 'confidential information', and 'in your keychain'

This dialog is even more misleading. By using words like “confidential information” and “stored in your keychain”, OSX describes the state of your saved password’s current security. It’s the very security Chrome is about to bypass, by displaying your passwords, in plain-text, outside your keychain, without requiring a password. When you visit a website, Chrome prompts for every password it can find for that domain.

Today, go up to somebody non-technical. Ask to borrow their computer. Visit [chrome://settings/passwords](chrome://settings/passwords) and click “show” on a few of the rows. See what they have to say.

I bet you it won’t be “That’s how password management works”.


Justin Schuh who is head of Chrome security and called me “a novice”, says I’m wrong, and that this is not going to change.

Sir Tim Berners-Lee is with me. Is there a higher authority?

This is Google’s page on “saving passwords”. Nothing about this feature. Why?

Covered in the press by:




Now read this


I was reading about PSD.rb the other day. For me, this is one of those really ground-breaking, big big projects. I haven’t had a play yet, but already I’m itching to get stuck into messing with PSDs. I’ve been super-impressed with Slicy,... Continue →