Chrome Passwords easily revealed – Nexus recommend a password manager
We know that, in the nicest possible way, we are geeks. I present as evidence that fact that we email each other about internal password security, frequently. I promise we wont talk about it too much if we are ever out for a coffee with you, unless you ask us to.
Today, Richard, one of our senior digital publishing engineers and a password maven of the first order, shared this post about … insecure … management of passwords in Google Chrome.
This is well set out in the blog, but the essence of the challenge is that if you (or anyone with physical or proper remote access to your computer) go to chrome://settings/passwords then you can click the “show” button and see what your passwords are. (an aside – this was amongst the more popular posts on nexusnet; for unimportant sites my passwords are long). This is what it looks like, to save you a cut and paste (and if you want to miss the opportunity to see all the passwords you haven’t entered for ages as Chrome does it for you).
There is a response and the usual discussion board semantic nonsense here which doesn’t do much for the argument, for either side, except to point out that all password saving in browsers is insecure, although this is not clear to the casual user. I don’t believe that Chrome is a bad browser or it’s developers misunderstand security – neither is true in my view, and I prefer Chrome. The fact is that allowing a browser to save passwords is a bad practice – the ease with which you can reveal them in Chrome is just a sideshow.
The solution is to use a secure password manager to create and manage passwords. You get real password security as well as the convenience of auto-filling passwords, although there is a lot of mucking about changing passwords and fishing out conformation emails and such – worth it to secure your online identity in our view. Some of the engineers here swear by LastPass but it find it a bit of a pain and will be moving to give 1Password a go. Let me know if there is another practical solution, without an enterprise implementation budget.
