142

Whenever I enter a login into a new site, Chrome asks me if it should store the login details. I used to believe this was fairly secure. If someone found my computer unlocked, they could get past the login screen for some website using the stored details, but if asked for the password again like during checkout, or if they wanted to login to the service from another device, they would be out of luck.

At least, that's what I used to think when I believed the browser did not store the password itself, but a hash or encryption of the password. I have noticed that the browser fills the username and password fields, and the password field indicates the number of characters in the password.

I'm one of those people who when asked to change their password just keeps the same password, but changes a number at the end. I know this is bad, but with how often I am asked to change passwords, I really could not remember the number of passwords expected of me. This results in a lot of passwords that are the same, but sometimes I forget what the end number needs to be for a particular login.

I could not remember the ending number for a certain login, so I went to a website where the password was stored. I deleted the last couple of characters and tried different numbers and viola, knew what was the right ending number.

It seems to me that this is a fundamental security flaw. If I can check the last character of my password without checking any others, then the amount of tries it takes to crack the password grows linearly with the number of characters not exponentially. It seems like a short stride from there to say that if someone came to my computer when it was unlocked, a simple script could extract all of the stored passwords for all of the major websites which I have passwords stored for.

Is this not the case? Is there some other layer of security that would prevent this?

Luc
  • 31,973
  • 8
  • 71
  • 135
Tony Ruth
  • 1,363
  • 2
  • 7
  • 5
  • 53
    I think you'd benefit greatly from using a password manager like LastPass. – Awn Oct 02 '17 at 10:08
  • 4
    The answer to this question will depend greatly on which browser you're talking about when you say "a browser". In this case it's Chrome, but in theory there's no reason a different browser couldn't manage passwords in a much more secure way. Or perhaps a future Chrome update could include functionality which would greatly enhance the security of this feature. Just something to keep in mind when reading the following answers. – Ajedi32 Oct 02 '17 at 15:01
  • 1
    @Awn: Aren’t browser add-ons even worse security threat? Chrome gives the add-on author an unlimited power to “update” it. This allows him to upload malicious code to steal users’ account and password data, then upload benign code again – and no one would know. – 7vujy0f0hy Oct 03 '17 at 12:47
  • For those wondering how _Firefox_ stores passwords, I have an answer detailing it here: https://security.stackexchange.com/a/120666/91904 – Marc.2377 Oct 05 '17 at 17:05
  • Chrome must store the full password (not hashed) so that it can send the password to the website. There is no way around this. – usr Oct 06 '17 at 13:45
  • 1
    Best practice, when you get up from your computer lock it (For Windows OS the keystroke "Windows Key + L" locks it immediately), at the end of the day it's the same as if you have your passwords written down but leave the front door of your house open & unlocked, you've got bigger problems (and probably lost all your expensive items :)). – Stephen Oct 06 '17 at 14:47
  • @Awn - https://www.engadget.com/2017/03/22/critical-exploits-found-in-lastpass-on-chrome-firefox/ – Craig Hicks Oct 06 '17 at 17:32
  • @Awn Yeah, I'm not going back to LastPass because vulnerabilities keep turning up, however, I'm **certainly** not going back to [dumb tricks](https://lifehacker.com/5937303/your-clever-password-tricks-arent-protecting-you-from-todays-hackers) like the one the OP mentioned. BTW, OP, you **need** to machine- (or dice-) generate your passwords, hand-picking them is the worst enemy to security. – NH. Oct 06 '17 at 18:02
  • @NH. "Vulnerabilities keep popping up." Oh child. "Never going back to X, because vulnerabilities keep popping up.", where X = Android, iOS, Chrome, Linux, Apache, * – Awn Oct 06 '17 at 21:35
  • 1
    Chrome password manager is definitelly not secure. Yesterday I get malware infection (by my error) and all of my chrome saved password was dumped in directory of malware in appdata as txt file. – midlan Dec 12 '18 at 12:24
  • Welcome, @midlan - this does seem like it should be a comment rather than an answer. As it stands right now, your answer does not provide any context or proof, other than your personal experience. Either post this as a comment (when you gain enough reputation to do so) or expand your answer to include *how* the password storage can be compromised (yes, it can, but how exactly? Under which circumstances?), please. – Tobi Nary Dec 12 '18 at 12:58
  • 2
    Malware could dump any password storage if it was unlocked at the time, and Chrome's password storage unlocks when you login. That doesn't make it insecure, it just means malware isn't a threat it was designed to protect against (along with every other password vault, if you unlock your passwords while you have malware running there's not really much that can be done). – AndrolGenhald Dec 12 '18 at 14:28

9 Answers9

146

Chrome not only stores your password text, it will show it to you. Under settings -> advanced -> manage passwords you can find all your passwords for all your sites. Click show on any of them and it will appear in the clear.

Hashed passwords work for the site authenticating you. They are not an option for password managers. Many will encrypt the data locally, but the key will also be stored locally unless you have a master password setup.

Personally, I use the chrome password manager and I find it convenient. I also, however, have full disk encryption and lock my screen diligently. Which makes the risk reasonable imho.

You seem to be inconsistent (many are) by both selecting memorable passwords and using a password manager. And I may venture to guess you may even repeat the password or at least the theme across many sites. This gives you the worst of both worlds. You get the risks of password manager without the benefits.

With a password manager you trust, you can give each site a unique random password not memorable at all and gain a lot of protection from many very real attack vectors. In exchange for a single point of failure of your password manager. Even with a less than perfect password manager this isn't an unreasonable trade off. With a good password manager this is becoming the consensus best practice.

Edit to add: please read Henno Brandsma answer explaining how login password and OS support can be used to encrypt passwords, this gives a reasonable level of protection to your passwords when the computer is off/locked (full disk encryption is better) and won't help much if you leave your computer unlocked. Even if the browser requires password to show plain text debug tools will still let you see already filled passwords as @Darren_H comments. The previous recommendation still stands use random unique passwords and a password manager.

Meir Maor
  • 1,652
  • 1
  • 9
  • 12
  • In the latest Chrome version (68), the menu is not in the Advanced section, but in the first section (settings -> People -> passwords) - or simply type "chrome://settings/passwords" in the browser address bar – Sandra Rossi Oct 27 '18 at 08:18
92

Chrome (under Windows) actually does encrypt the passwords when stored. But it does it in a way that only someone knowing your login password (or hijacking your login session) can actually use or view the stored passwords. This is well-documented (it uses the so-called Data Protection API (DPAPI), which is in Windows from NT 5.0 (i.e. Windows 2000) onwards, which nowadays uses AES-256 to encrypt the password data). Google believes that this is enough security, because it has the same level of protection as your whole login. On the Mac or Linux they use the native keychain technology to protect a special Chrome master password, achieving the same effect, essentially. Read the sources for all the details...

Edge and IE (available on Windows only of course) also use this technology, BTW, under a wrapper called the Credential Store, in recent versions of Windows (and before that they used DPAPI data stored in the registry). For more info on DPAPI, see here, e.g.

See https://github.com/byt3bl33d3r/chrome-decrypter for an example on how people extract stored password data, knowing your login credentials.

Recently on Windows the system changed to a system more like the MacOS one: one 256 bit masterkey is stored (in a separate file called Local State in the app directory, base64 encoded and represented in JSON) as a DPAPI secret again and each password item is then a hex encoded, AES-GCM encrypted entry in the sqlite database in that same directory (all under that master key, but each with its own 12 byte nonce, and a 16 byte tag to protect integrity). So still it eventually depends on the user password credentials. Once the user password (or rather its SHA1 hash) is known, all entries are decryptable. As said, this is by design. Even Microsoft's Edge (Chromium edition) uses this system now, as claimed in this blogpost.

Henno Brandsma
  • 1,156
  • 6
  • 6
  • 2
    On typical Linux desktop systems Chrome will use the session keyring (i. e. GNOME Keyring or KWallet which cover the vast majority of Linux desktop installations) which encrypts passwords with a key derived from the user account password for storage. – David Foerster Oct 02 '17 at 06:39
  • 1
    @DavidFoerster indeed, it puts a Chrome random "password" there which derives the key used in the password database. The keychain/wallet has the same level of protection as the login, just as Windows does. – Henno Brandsma Oct 02 '17 at 06:54
  • 4
    Although not selected as the answer, this answer should not be overlooked and seriously considered by one trying to assess the risk of using Chrome's password store and how to minimize the risk. – Thomas Carlisle Oct 02 '17 at 16:34
  • Note on Linux, the place Chrome stores passwords (which keyring to use, or outside of the keyring, unencrypted in Chrome's data folder) can be modified using the [--password-store setting](https://peter.sh/experiments/chromium-command-line-switches/#password-store). – Ben J Feb 05 '19 at 18:09
  • @Uniphonic LastPass can see them because it’s running as you, and the encryption keys are available to you, as Chrome has no “salt” it uses unique to itself, which it could do . But being open source means anyone can go see that “chrome salt” too, so that defeats the purpose. The second issue comes from Chrome syncing passwords across computers when you log in with your Google account. It’s a setting you can disable if you don’t want that to happen. Malware that runs at your user level can indeed also see it, if it’s aware of it. – Henno Brandsma Mar 25 '19 at 18:23
  • @HennoBrandsma OK, thanks! I guess that also explains why Chrome is vulnerable to password dumping, as noted in another answer https://security.stackexchange.com/a/170535/165747 – Uniphonic Mar 25 '19 at 19:48
  • You know all you have to do is copy the Chrome user data folder to another user. Then using that new user account's password, unlock the password from inside Chrome... Chrome will decrypt it even if it isn't the same Windows account, provided the password is correct. – NotoriousPyro May 21 '19 at 23:59
  • @NotoriousPyro No, that won't work, the other account would have to have the same S-ID and masterkey files, which it won't have. It's not *just* the user's login password, but you need to clone much more and having the same S-ID is forbidden between users of the same domain etc. so very hard to realise. Using offline DPAPI-decryption tools is much easier than whay you are proposing. – Henno Brandsma May 22 '19 at 04:13
  • No, you're wrong. I've done it many times and copied a user data from many different systems and had to enter my current users password... You should try it – NotoriousPyro May 22 '19 at 12:12
  • @HennoBrandsma The purpose of salt is to prevent pre-computed rainbow table cracking, so the salt is generally public, but should be changed per password. – NetMage Nov 07 '19 at 20:11
  • @HennoBrandsma Sadly, I checked and Chrome doesn't take the basic step of saving a different salt per password, so the salt is of little value, but I think Chrome's password storage is otherwise reasonably secure. – NetMage Nov 07 '19 at 21:04
  • 1
    @NetMage In Linux they encrypt all the passwords with the same master password (kept in a key chain like system); no salt there, while the Windows DPAPI blobs have different salts “built in” by construction. The Windows system is quite OK, really. The Linux master password is generated to be 128 bit entropy, so not brute-forcable. It does leak which accounts have the *same password*, the Windows system doesn’t show that. – Henno Brandsma Nov 07 '19 at 21:44
29

Please, please, please stop reusing your passwords!

In Firefox you can actually set a master password which will protect your stored passwords from being viewed. This master password will also be required once per session before the browser will start filling in passwords for you.

You could also use a general purpose password manager for example Keepass.

Anyway, for most people the danger of losing a password because one site got hacked is greater than losing it on their own computer. That's because an attacker with access to your computer has many other options for attacking you. One of the main benefits of using a password manager is that you don't have to manually enter the password anymore so you can actually pick completely random and secure passwords.

If you have been reusing passwords for a while there is a neat site for checking some of the more prominent breaches to see if you have been affected: https://haveibeenpwned.com/

If you have to use many different machines you can consider using something like Keepass2Android on your phone.

Elias
  • 1,915
  • 1
  • 9
  • 17
  • 3
    @jiggunjer - so if someone gets access to password A, they have access to your bank & google & hosting & crypto currency & OS. Disaster. At the very least each of these should have two factor authentication OR a unique password. Preferably both. – Katinka Hesselink Oct 06 '17 at 11:27
  • 1
    @Katinka-Hesselink not my bank or Google, and my OS/wallet require physical access. That is two factor. Yeah they can get both my hosting and my VPN, if they know which services I use and which emails are linked to them. Unlikely. – jiggunjer Oct 06 '17 at 13:30
  • @jiggunjer I've learned now that what is unlikely for the user is just an incentive for the hacker. Hackers like challenges and if they see one, they'll go for it. – Buffer Over Read Oct 07 '17 at 15:50
8

You can also view passwords in Chrome by changing the HTML. Change the type of the input field from type="password" to type="text" and you can see pre-filled information in plain text. So if someone at your computer knows a website you are registered on, and Chrome autofills your password, they can see it.

johan
  • 111
  • 4
Teun
  • 97
  • 2
5

Chrome is vulnerable to password dumping. There are many tools out there that will dump Chrome passwords. LaZagne is one of them. You don't even need admin privileges or credentials or anything.

Apparently, this is as simple as connecting to the SQLite database, and then calling Win32CryptUnprotectData to decrypt the password.

https://github.com/AlessandroZ/LaZagne

A malicious user can simply run this password dumper or install malware and then remotely run this tool. However, a non-technical user would not be able to accomplish this task. Therefore, storing passwords in the browser is safe against non-technical people, but ineffective against malware or technical users.

Daniel Grover
  • 872
  • 5
  • 10
  • 1
    If chrome uses AES-256 encryption, how does LaZagne crack the database? – jiggunjer Oct 04 '17 at 05:01
  • 1
    Looking at the source (https://github.com/AlessandroZ/LaZagne/blob/master/Windows/lazagne/softwares/browsers/chrome.py#L82), it seems that because it runs as you, it has access to your protected data. This isn't really an attack that could be used to access other users' data. – Mike Caron Oct 04 '17 at 14:36
  • The question is about someone accessing his computer when he is unattended. Furthermore, with admin privileges gained by UAC bypass or other vulnerabilities such as dll hijacking, all user's data can be accessed. – Daniel Grover Oct 04 '17 at 15:01
  • 2
    @jiggunjer See my answer above, it uses DPAPI whose security ultimately depends on your login password strength (if the attacker cannot dump process memory, where the keys also reside). If you run it yourself Windows does the decryption with CryptUnprotectData because you have access to your own keys. – Henno Brandsma Jun 15 '18 at 07:24
3

The biggest danger is having a browser without a master password and leaving your computer without locking it: Anyone can then quickly take a picture of your stored passwords, it just takes a few seconds. So the obvious: always lock your computer and set a master password, do not reuse passwords or similar patterns ...

  • 3
    In order to get Chrome to display a password in plain text, you have to enter your login password. And it will only do one at a time. As far as I can tell, there's no way to get it to display all your passwords. – Barmar Oct 02 '17 at 14:27
  • So that is more secure than the Firefox default. – Christophe Roussy Oct 02 '17 at 15:29
  • Sounds like a time-based auto logout extension might be a good idea. E.g. logout chrome after 15 minutes of inactivity. – jiggunjer Oct 04 '17 at 05:13
1

It depends on your platform.

On Linux Chrome uses kwallet / gnome-keyring on the KDE or gnome desktop, which should both provide good security. On OSX it uses the OSX keyring, which has good security, too. On windows they implement their own password storage, which is not as secure as the system keyrings on the other OS.

For the specific weaknesses in the windows implementation see the other answers.

allo
  • 3,173
  • 11
  • 24
0

If you are worried about someone accessing your laptop while you are logged in (e.g. you are using it at work or in a public place and occasionally leave it unguarded, or you don't trust a family member), storing the password in a browser is not a good solution. If you are worried about malware on your computer (which might capture your typing) or people seeing what you type, it is pretty secure against that, and those are much more common concerns.

Tgr
  • 668
  • 3
  • 11
  • 1
    This answer is reversed imo. Non-tech savy users are unlikely to be able to get the plaintext passwords, but malware can easily dump them without user interaction. See my answer. You can run the tool yourself if you don't believe me. – Daniel Grover Oct 02 '17 at 19:41
  • Chrome with a master password is IMO about as well protected against password theft as a password manager. (Which is to say, not terribly well. If something is running on your machine and has the same access rights you have, your chances of preventing it from stealing your passwords are fairly limited.) Without a master password, neither browsers nor password managers can provide much defense. – Tgr Oct 02 '17 at 23:15
0

It is pretty certain that no mechanism is 100% safe, but some mechanisms are safer than others. At the simplest level a long password is safer than a short password but is more difficult to remember and type correctly. What you have to decide is where the balance between safety and ease of use lies. Password managers are one answer if the cost/risk ratio feels right for you.

If you do not trust any mechanism that stores your password on your computer, then one way of getting around this is to use an algorithm to generate one for you each time you need it. I happen to use a little program that implements a variant of Playfair (https://en.wikipedia.org/wiki/Playfair_cipher) to generate part of my password for any given site - which has the advantage that I can create it by hand if I have to. However do avoid trivial algorithms (like just reversing the letters in a web-site).

A lot of companies require you to change your password periodically. This used to be standard, but GCHQ now advise against the practice (see https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry), for the very reason you mention. Hopefully this requirement will become less common over time.