Google Inc (NASDAQ:GOOG) has come under fire recently as news has spread that the Google Chrome password manager stores passwords in plain text where anyone with access to your computer can see them, but Kevin Poulsen argues on Wired that Google’s theory is sound, even if they should meet users halfway.
Google Chrome flaw is intentional
Just to be clear, this isn’t a bug or a security flaw; it’s a conscious decision. “The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater,” explains Google Chrome security chief Justin Schuh. “My point is that once the bad guy got access to your account the game was lost.”
According to Poulsen, this isn’t just Google doing damage control; it’s a reasonable approach to account security. “By making it easy for you to see those passwords with your own eyes, Google is declining to pretend that the passwords are partitioned off in another compartment,” he explains.
Google Chrome passwords safe?
But Google Inc (NASDAQ:GOOG) has a far different perspective on security than most of its users. The company is used to dealing with highly sophisticated, possibly even state-sponsored, cyber-security threats. The typical Chrome user is probably more worried about an overly possessive partner or invasive co-workers than an experienced hacker, and that’s where a master password comes in handy. As long as a few clicks can give you someone’s passwords, some people will learn to navigate to them quickly and take advantage of those moments when they can pry with impunity.
Throw a master password into the mix and most of these low-skilled attackers are already out of their depth. It’s the same reason you lock up your bike – not because professional bike thieves can’t break the lock (they can, and probably without much effort), but because it stops the random passerby from jumping on your bike and riding away. And if Google Inc (NASDAQ:GOOG) does comply, they are setting themselves up for another security mini-scandal down the road.
“What’s terribly unfair about this, of course, is that in two years there will be another outraged blogger discovering that this barrier provides no real security, and Google will go through the wringer all over again,” says Poulsen.