What do you think about Chrome's Password Storage Policy?

When logging on to a variety of websites, we often use different user names and passwords, which may cause a burden on memory. If you are a Chrome user, you will be prompted to save the password when logging on to a new website, and you may have clicked "OK ". In this way, you can log on to various websites automatically and synchronize data on different computers, which is really convenient. But have you considered security issues?

Maybe you will think that Google will encrypt the password and save it in the system, or simply save it on the cloud. If so, be prepared to shake yourself and your friends. The reality is that Chrome didn't encrypt your password. What's more terrible is that anyone can see your password without any hacker technology.

Go to settings, view the "password and form" project, click "manage saved passwords", or directly access Chrome: // settings/passwords ), you will find all your usernames and passwords. Yes, the passwords are displayed in black spots. However, if you click it, you will find the word "show" behind the password. Click it to see the password. That's simple.

Google's talented engineers will make stupid mistakes! Wait, and so on. This obvious security vulnerability cannot be an error. Should it be a function? Congratulations! You guessed it. Because Chrome's security supervisor said it was indeed intentional and they did not intend to make any changes.

Software developer Elliott Kember mentioned this issue in his blog. In his opinion, Chrome's password-saving strategy is crazy. Every time he reports this question to a technical expert, the answer is as follows:

• 1 Pass
• It is no longer safe when someone else has access to the computer.
• Password Management should look like this.

The problem is that ordinary users do not know how to save the password.

Find a technical expert. Borrow their computers. Access Chrome: // settings/passwords and click "show" in the password line to see what they will say. I bet they won't say, "password management is like this ."

Elliott's article on Kember received a lot of attention on hackernews, So Justin Schuh, Chrome's Security Director, also replied.

He said that Elliot Kember was totally a small white user's opinion. They spent many years considering this issue and had a large amount of data to support this decision. In his opinion, if someone invades your system's user account, it is useless to implement more security measures. Although the idea of password encryption comes from good intentions, the Chrome team does not want to give users the illusion of security or encourage dangerous behaviors. That's not how they handle security issues.

Ah? What is the illusion of security "? Do ordinary users know the fact that plaintext is saved in settings? If Chrome explicitly says "the password will be saved in plain text", users may not have the "Security illusion", but without more prompts, instead, users will have the "Security illusion. In addition, according to the logic of Google engineers, once the bad guys enter your house, everything is dangerous, so do not lock any cabinets? Odd logic. In reality, the security problem must come from professional hackers?

We don't know if Google's talented engineers will change their minds. However, if you pay attention to security issues, delete all the saved passwords. Then, when Chrome prompts you to save the passwords, click "no.