How secure is the password stored in Chrome?

On the evening of June 14, a netizen submitted a post on Hacker News about how to view the Saved Password in the Chrome browser "Password Manager, maybe the submitted user did not know this feature of Chrome and the mechanism behind it, so the time for this post to stay on the Hacker News homepage is not short. After the domestic netizens posted related messages on Weibo, they also caused a lot of discussion (link 1, link 2, and link 3 ). Many friends who did not know about Chrome's password saving mechanism have been surprised by Chrome's pitfalls. Bole compiled an article on the howtogeek website online, which should be able to relieve these friends' questions.

 

Google Chrome also has a common question: "Why does it not have a master password )?" An unofficial reply from the Google support forum said Google's position: the primary password provides a false sense of security, the most feasible way to protect sensitive data depends on the overall security of the system.

How secure is the password stored on Chrome? See below.

How to view saved passwords

Chrome Password Manager Entry Method: wrench icon on the right → settings → advanced settings → password and form → manage saved passwords. Alternatively, copy and paste: chrome: // chrome/settings/passwords in the address bar, and press enter to enter.

If you allow Chrome to save the password, it should be rare to see this interface. Maybe you already know this feature. From the perspective of Weibo forwarding last night, many users still do not know this feature.

In the password area, a "show" button is displayed. Click "show" to view the password. If other people can use your computer, they can get your saved passwords.

(The username and password shown in this document are used for testing)

Where is the password data stored?

The Saved Password data is stored in an SQLite database:

[System Disk]: Documents and Settings [user name] Local SettingsApplication synchronized ooglechromeuser DataDefaultLogin Data(This path is Windows XP)

You can use SQLite Database Browser to open this file (the file name is "Login Data") and view the "logins" table, which contains the Saved Password. However, you will see that the value of the "password_value" field is unreadable because the value is encrypted.(PS: Download link of the SQLite database viewer SourceForge)

What is the security of encrypted data?

Chrome uses an API provided by Windows to perform encryption (on Windows operating systems ).OnlyAllow the Windows User Account used to encrypt the password to decrypt the encrypted data. So basically, your primary password is your Windows account password. Therefore, Chrome can decrypt encrypted data as long as you log on to Windows with your account.

However, because your Windows account password is a constant, not only Chrome can read the "primary password", other external tools can also obtain encrypted data and decrypt encrypted data. For example, use NirSoft's free tool ChromePass(Download NirSoft)You can view your Saved Password data and export it as a text file.

Since ChromePass can read encrypted password data, it can also be read by malware. When chromepass.exe is uploaded to VirusTotal, more than half of the anti-virus (AV) engines mark this line as dangerous. However, in this example, this tool is secure. However, Microsoft's Security Essentials did not mark this line as dangerous.

Can I bypass the protection mechanism?

Suppose your computer has been stolen, and the thief reset the Windows account password. If they try to view your password in Chrome later, or use ChromePass to view the password data, the password data will be unavailable. The reason is very simple. The decryption fails because the "master password" does not match.

In addition, if someone copies the SQLite database file and tries to open it on another computer, ChromePass will also display a blank password for the same reason.

Conclusion

The security of the password saved in Chrome depends entirely on the user.. Here are some suggestions:

● Use an extremely powerful Windows account password. Remember that there are many tools that can decrypt Windows account passwords. If someone has obtained your Windows account password, then he can know the password you have saved in Chrome.

● Keep yourself away from all kinds of malware. If the tool can easily obtain your Saved Password, the malware can do the same as those of pseudo-security software. If you have to download the software, go to the software official website to download it.

● Save the password to the password management software (for example, KeePass ). Of course, the browser cannot automatically fill in the password for you.

● Use third-party tools that can be integrated into Chrome (such as LastPass) and use the primary password to manage your passwords. Recommended: Use LastPass to manage your password

● Use tools (such as TrueCrypt) to completely encrypt the entire hard disk.

● On a non-private computer,YesCannot allow the browser to save the password.(The original document does not exist. Additional information is provided)

If you often use your browser to save your logon username and password, it is best to lock the screen when you leave your computer. In a word, the home (operating system) security work should be well done, and the home object security should also be guaranteed.

Additional information:If you allow the Firefox browser to save the site password, you can easily view it.

Although Firefox adopts the primary password mechanism, it is disabled by default. If this feature is enabled, you must enter the primary password each time Firefox reads the stored sensitive data .. You must remember your own master password. Otherwise ......