Google's Chrome Password Security Said To Be Flawed (GOOG)

Google's (NASDAQ: GOOG) Chrome Web browser is one of the most highly touted available for computers and devices. It offers speed, efficiency, and ease of use but for security (at least password security), it might need some work.

Software developer Elliott Kember, in a blog post Tuesday, said he accidentally uncovered a password security flaw in Chrome that allows anyone who has physical control of your computer or device to see all of the passwords you have stored in Chrome.

Related: Google Chromecast Making TV Executives Nervous

What Kember discovered was that in Chrome’s settings under “passwords” there is a button that says “show.” “See that ‘show’ button?” Kember wrote. “It does what you think it does.”

It’s really that simple, according to Kember, and several security commentators and tech media observers referenced by Apple Insider, which reported on Kember’s findings.

To be fair, it’s not completely simple. To gain access, one not only has to have physical access to the computer or device, but must also get past the main OS password on the device, according to Apple Insider.

Mozilla’s Firefox has a similar unprotected password section with a dialog box that pops up asking, “Are you sure you want to show your passwords?”

Apple(NASDAQ: AAPL)'s Safari browser requires that users enter the currently logged in user’s ID password in order to access the password file.

Microsoft Corp.(NASDAQ: MSFT)’s Internet Explorer, according to PC Magazine, is better. Encrypted passwords remain in the Registry where no mechanism exists to display them. However, as the magazine pointed out, plenty of available free utilities will dump the password cache and make the passwords visible.

As Kember noted, developers, in general, say computers are already insecure once someone has physical access. Typically, they suggest using a password manager such as 1Password. Finally, Kember said, developers tend to say, “That’s just how password management works.”

More important than the lack of password security, Kember said, is the fact that Google isn’t clear about password security. He pointed to prompts that show phrases like, “confidential information,” and “in your keychain” which he said fail to make clear the fact that saved passwords are simply not secure.

Google, for its part told Apple Insider "boundaries within the OS user account [to protect passwords even when a user is logged in] just aren't reliable, and are mostly just theater."

PC Magazine suggested a simple four-step plan to protect passwords:

1. Install a password manager.
2. Import all passwords.
3. Delete all passwords saved in the browser.
4. Turn off browser password saving.

At the time of this writing, Jim Probasco had no position in any mentioned securities.